
svchost.exe, causing computer to reboot continually



MWB says svchost.exe found, but cannot remove when prompted to do so. I guess I need some help on this one (I'm not the best at this stuff).

System is going through a boot up, run for about 20 seconds, then reboots. I'm now working in safe mode. I'm hoping the logs in safe mode give you everything you need, as I don't see how I'm going to be able to generate them in the normal mode. I'm on Windows 7 Ultimate, if that helps.

DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.5.1

Run by Owner at 5:34:01 on 2012-12-07

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files (x86)\Swag_Bucks\prxtbSwag.dll

mURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files (x86)\Swag_Bucks\prxtbSwag.dll

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: ALOT Appbar Helper: {85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - C:\Program Files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll

BHO: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files (x86)\Swag_Bucks\prxtbSwag.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Constant Guard Protection Suite: {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.12.1012.1\NativeBHO.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

TB: Swag Bucks Toolbar: {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - C:\Program Files (x86)\Swag_Bucks\prxtbSwag.dll

TB: ALOT Appbar: {A531D99C-5A22-449b-83DA-872725C6D0ED} - C:\Program Files (x86)\alotappbar\bin\ALOTHelper.dll

TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files (x86)\Swag_Bucks\prxtbSwag.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"

uRun: [ALconnect] C:\Users\Owner\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe

uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex

mRun: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized

mRun: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe /s

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONSTA~1.LNK - C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:0

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - hxxp://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab

DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: NameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{CBA3489C-AD48-4555-8998-78B17FA61185} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{F739A9EF-000E-4B9C-BC2A-AD7FEF9EBDBF} : DHCPNameServer = 75.75.75.75 75.75.76.76

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - C:\Program Files (x86)\SFT\GuardedID\gidi.exe /v

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [atchk] "C:\Program Files (x86)\Intel\AMT\atchk.exe"

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-12-07 00:21:02 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B052969C-BCE4-44AA-8574-3027E8867719}\mpengine.dll

2012-12-07 00:17:10 20480 ----a-w- C:\Windows\svchost.exe

2012-12-06 22:53:38 5632 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\854C.tmp

2012-12-06 22:53:38 5632 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\854B.tmp

2012-12-04 05:05:12 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-29 03:06:38 -------- d-----w- C:\Windows\rescache

2012-11-28 07:27:56 972264 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{05B2817D-A486-4161-B818-642882DD2456}\gapaengine.dll

2012-11-26 01:15:56 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2012-11-26 01:15:38 -------- d-----w- C:\ProgramData\Malwarebytes

2012-11-26 01:15:35 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-11-26 01:15:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-17 12:55:09 -------- dc-h--w- C:\Users\Owner\AppData\Local\{38C7A478-EB20-4C67-9E29-437DE547273F}

2012-11-17 12:55:07 -------- d-----w- C:\Users\Owner\AppData\Roaming\DirectLife

2012-11-17 12:55:00 -------- d-----w- C:\Users\Owner\AppData\Local\PackageAware

2012-11-15 17:14:20 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-15 17:14:20 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-15 17:14:20 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-15 17:14:20 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-15 17:02:48 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-15 17:02:48 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-15 17:02:48 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-15 17:02:47 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-15 17:02:46 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-15 17:02:46 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-15 17:02:46 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-14 10:42:01 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-11-14 10:42:01 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-11-14 10:42:00 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-11-14 10:42:00 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-11-14 10:40:11 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-11-14 10:40:11 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

.

==================== Find3M ====================

.

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

.

============= FINISH: 5:34:56.98 ===============

Attach log

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

.

==== Disk Partitions =========================

.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

ActiveLink Connect

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.2)

ALOT Appbar

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

CCleaner

CDBurnerXP

Constant Guard Protection Suite

Coupon Printer for Windows

Defraggler

Garmin Lifetime Updater

Google Toolbar for Internet Explorer

Google Update Helper

GuardedID

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Interface

Intel® Active Management Technology

iTunes

Java Auto Updater

Java 6 Update 22

Java 7 Update 5

JavaFX 2.1.1

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 4 Client Profile

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

OpenOffice.org 3.3

Picasa 3

Plex Media Server

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Skype™ 5.10

SoundMAX

Swag Bucks Toolbar

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

.

==== End Of File ===========================


  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.


Thanks for the quick response.

Here's the log as requested.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012

Ran by SYSTEM at 08-12-2012 10:32:42

Running from F:\

Windows 7 Ultimate (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [atchk] "C:\Program Files (x86)\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

HKLM-x32\...\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1282048 2007-08-01] (Analog Devices, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)

HKLM-x32\...\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446760 2012-01-06] (Garmin)

HKLM-x32\...\Run: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe /s [395528 2011-07-05] (StrikeForce Technologies Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)

HKU\Owner\...\Run: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe" [2709584 2012-02-27] (Plex, Inc.)

HKU\Owner\...\Run: [ALconnect] C:\Users\Owner\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe [716424 2012-09-03] (Koninklijke Philips Electronics N.V.)

HKU\Owner\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex [686280 2012-06-10] (Adobe Systems Incorporated)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Constant Guard.lnk

ShortcutTarget: Constant Guard.lnk -> C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe (White Sky, Inc.)

==================== Services (Whitelisted) ===================

2 atchksrv; C:\Program Files (x86)\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)

2 IDVaultSvc; "C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe" [61552 2012-10-16] (White Sky, Inc.)

2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

2 UNS; C:\Program Files (x86)\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)

==================== Drivers (Whitelisted) =====================

3 e1express; C:\Windows\System32\DRIVERS\e1e6232e.sys [286936 2009-06-05] (Intel Corporation)

1 GIDv2; C:\Windows\System32\Drivers\GIDv2.sys [29288 2011-07-05] (StrikeForce Technologies, Inc.)

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-08 07:05 - 2012-12-08 07:05 - 00000000 ____D C:\FRST

2012-12-08 07:01 - 2012-12-08 07:02 - 00000958 ____A C:\Users\Public\Desktop\7-zip.lnk

2012-12-08 07:01 - 2012-12-08 07:01 - 00000000 ____D C:\Program Files (x86)\7-zip

2012-12-08 07:00 - 2012-12-08 07:00 - 01650880 ____A (W3i, LLC) C:\Users\Owner\Downloads\7zip_installer_d793198.exe

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Yahoo!

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\All Users\Yahoo! Companion

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\All Users\Yahoo!

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Program Files (x86)\Yahoo!

2012-12-07 03:21 - 2012-12-07 03:21 - 00000000 ____D C:\Windows\Sun

2012-12-07 02:35 - 2012-12-07 02:35 - 00002609 ____A C:\Users\Owner\Desktop\attach.txt

2012-12-07 02:35 - 2012-12-07 02:34 - 00010243 ____A C:\Users\Owner\Desktop\dds.txt

2012-12-07 02:33 - 2012-12-07 02:32 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com

2012-12-06 16:17 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-12-05 08:57 - 2012-12-05 09:07 - 00015767 ____A C:\Users\Owner\Documents\Christmas Show 2013 Schedule.odt

2012-12-01 06:58 - 2012-12-01 06:58 - 00000017 ____A C:\Users\Owner\AppData\Local\resmon.resmoncfg

2012-11-28 19:06 - 2012-11-28 19:07 - 00000000 ____D C:\Windows\rescache

2012-11-25 17:15 - 2012-12-06 16:14 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes

2012-11-25 17:15 - 2012-11-25 17:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-25 17:15 - 2012-11-25 17:15 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-11-25 17:15 - 2012-11-25 17:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-25 17:15 - 2012-09-29 16:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 __HDC C:\Users\Owner\AppData\Local\{38C7A478-EB20-4C67-9E29-437DE547273F}

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DirectLife

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 ____D C:\Users\Owner\AppData\Local\PackageAware

2012-11-15 09:14 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-15 09:14 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-15 09:14 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-15 09:14 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-15 09:07 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-15 09:07 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-15 09:07 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-15 09:07 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-15 09:07 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-15 09:07 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-15 09:07 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-15 09:07 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-15 09:07 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-15 09:07 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-15 09:07 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-15 09:07 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-15 09:07 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-15 09:07 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-15 09:07 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-15 09:07 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-15 09:07 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-15 09:07 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-15 09:07 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-15 09:07 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-15 09:07 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-15 09:07 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-15 09:07 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-15 09:07 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-15 09:07 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-15 09:07 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-15 09:07 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-15 09:07 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-15 09:07 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-15 09:07 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-15 09:07 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-15 09:07 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-15 09:02 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-15 09:02 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-15 09:02 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-15 09:02 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-15 09:02 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-15 09:02 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-15 09:02 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-15 09:02 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-11-14 02:42 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll

2012-11-14 02:42 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll

2012-11-14 02:42 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll

2012-11-14 02:42 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll

2012-11-14 02:41 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-14 02:41 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-11-14 02:41 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll

2012-11-14 02:41 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll

2012-11-14 02:41 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll

2012-11-14 02:41 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll

2012-11-14 02:41 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll

2012-11-14 02:41 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll

2012-11-14 02:41 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll

2012-11-14 02:41 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll

2012-11-14 02:41 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll

2012-11-14 02:41 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-11-14 02:41 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2012-11-14 02:40 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll

2012-11-14 02:40 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll

2012-11-10 04:42 - 2012-11-10 04:42 - 00017270 ____A C:\Users\Owner\Documents\Katie Pirate Script.odt

==================== One Month Modified Files and Folders =======

2012-12-08 07:05 - 2012-12-08 07:05 - 00000000 ____D C:\FRST

2012-12-08 07:02 - 2012-12-08 07:01 - 00000958 ____A C:\Users\Public\Desktop\7-zip.lnk

2012-12-08 07:01 - 2012-12-08 07:01 - 00000000 ____D C:\Program Files (x86)\7-zip

2012-12-08 07:00 - 2012-12-08 07:00 - 01650880 ____A (W3i, LLC) C:\Users\Owner\Downloads\7zip_installer_d793198.exe

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Yahoo!

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\All Users\Yahoo! Companion

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Users\All Users\Yahoo!

2012-12-08 06:59 - 2012-12-08 06:59 - 00000000 ____D C:\Program Files (x86)\Yahoo!

2012-12-08 06:59 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-08 06:39 - 2012-01-28 00:30 - 01379836 ____A C:\Windows\WindowsUpdate.log

2012-12-07 03:21 - 2012-12-07 03:21 - 00000000 ____D C:\Windows\Sun

2012-12-07 02:35 - 2012-12-07 02:35 - 00002609 ____A C:\Users\Owner\Desktop\attach.txt

2012-12-07 02:34 - 2012-12-07 02:35 - 00010243 ____A C:\Users\Owner\Desktop\dds.txt

2012-12-07 02:32 - 2012-12-07 02:33 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com

2012-12-07 02:32 - 2012-02-13 17:14 - 00000000 ____D C:\Users\Owner\Documents\Budget Data

2012-12-06 18:38 - 2012-02-28 15:04 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-06 18:38 - 2012-02-06 14:56 - 00008634 ____A C:\Windows\setupact.log

2012-12-06 18:38 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-06 18:36 - 2012-02-07 17:05 - 00000000 ____D C:\Users\Owner\AppData\Roaming\ID Vault

2012-12-06 16:16 - 2012-01-27 11:11 - 00000000 ____D C:\users\Owner

2012-12-06 16:14 - 2012-11-25 17:15 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes

2012-12-06 16:14 - 2009-07-13 23:45 - 00000000 ___RD C:\Users\Public\Recorded TV

2012-12-06 16:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep

2012-12-06 16:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2012-12-06 16:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2012-12-05 09:07 - 2012-12-05 08:57 - 00015767 ____A C:\Users\Owner\Documents\Christmas Show 2013 Schedule.odt

2012-12-04 22:37 - 2012-02-28 15:04 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-01 07:05 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-01 07:05 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-01 06:58 - 2012-12-01 06:58 - 00000017 ____A C:\Users\Owner\AppData\Local\resmon.resmoncfg

2012-11-28 19:07 - 2012-11-28 19:06 - 00000000 ____D C:\Windows\rescache

2012-11-25 17:15 - 2012-11-25 17:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-25 17:15 - 2012-11-25 17:15 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-11-25 17:15 - 2012-11-25 17:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-20 09:24 - 2012-03-26 17:01 - 00024064 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAD-BFF8-E0D61DEA3FDF.ini

2012-11-18 18:09 - 2012-02-13 18:21 - 00000000 ____D C:\Users\Owner\Documents\Massage Work

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 __HDC C:\Users\Owner\AppData\Local\{38C7A478-EB20-4C67-9E29-437DE547273F}

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DirectLife

2012-11-17 04:55 - 2012-11-17 04:55 - 00000000 ____D C:\Users\Owner\AppData\Local\PackageAware

2012-11-15 16:55 - 2012-02-07 14:40 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype

2012-11-15 09:40 - 2012-02-03 13:50 - 00064152 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-15 09:39 - 2012-02-06 14:55 - 00294200 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-15 09:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2012-11-15 09:05 - 2012-01-27 16:09 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-11-10 16:46 - 2012-02-07 17:04 - 00002189 ____A C:\Users\Public\Desktop\Constant Guard.lnk

2012-11-10 16:46 - 2012-02-07 17:04 - 00000000 ____D C:\Program Files (x86)\Constant Guard Protection Suite

2012-11-10 04:42 - 2012-11-10 04:42 - 00017270 ____A C:\Users\Owner\Documents\Katie Pirate Script.odt

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 23%

Total physical RAM: 2020.59 MB

Available physical RAM: 1546.51 MB

Total Pagefile: 2020.59 MB

Available Pagefile: 1535.2 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:74.41 GB) (Free:5.63 GB) NTFS

3 Drive f: () (Removable) (Total:0.96 GB) (Free:0.29 GB) FAT32

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 74 GB 0 B

Disk 1 Online 982 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 74 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 74 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 981 MB 64 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 981 MB Healthy

=========================================================

Last Boot: 2012-12-04 21:58

==================== End Of Log =============================
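The ATTENTION line above flags svchost.exe sitting directly in C:\Windows, whereas every legitimate copy in the "Bamital & volsnap Check" list lives in System32 or SysWOW64. As an added example that is not part of this thread or of FRST, the Python below runs that location check over FRST-style log lines; the core-binary table and the extra Temp-directory sample path are constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Where each core Windows binary legitimately lives, given as subdirectories of the
# Windows directory. The set of names mirrors the "Bamital & volsnap Check" list in the
# FRST log; "" means the Windows directory itself, the normal home of 64-bit explorer.exe.
# (Constructed table for this example, not something FRST or Malwarebytes publishes.)
CORE_BINARIES = {
    "winlogon.exe": {"system32", "syswow64"},
    "wininit.exe":  {"system32", "syswow64"},
    "services.exe": {"system32", "syswow64"},
    "svchost.exe":  {"system32", "syswow64"},
    "userinit.exe": {"system32", "syswow64"},
    "explorer.exe": {"", "syswow64"},
}

# Pulls the first Windows path ending in .exe/.dll/.sys out of a log line, even when the
# line starts with timestamps, attribute flags or a vendor name in parentheses.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)


def classify_path(path: str) -> str:
    """Return 'expected', 'masquerade' or 'not-core' for one file path.

    A core binary counts as expected only when it sits under <drive>:\\Windows in one of
    its allowed subdirectories; the same file name anywhere else is a masquerade.
    """
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    if not parts:
        return "not-core"
    name = parts[-1]
    if name not in CORE_BINARIES:
        return "not-core"
    # parts looks like ['c:\\', 'windows', 'system32', 'svchost.exe']
    if len(parts) < 3 or parts[1] != "windows":
        return "masquerade"
    subdir = "\\".join(parts[2:-1])
    return "expected" if subdir in CORE_BINARIES[name] else "masquerade"


def scan_frst_lines(lines):
    """Return the paths in FRST-style lines whose core-binary name is in the wrong place."""
    flagged = []
    for line in lines:
        m = WIN_PATH.search(line)
        if m and classify_path(m.group(0)) == "masquerade":
            flagged.append(m.group(0))
    return flagged


# Constructed sample input: lines copied from the FRST log above plus one made-up Temp path.
SAMPLE_LINES = [
    r"C:\Windows\svchost.exe",
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    r"C:\Windows\explorer.exe => MD5 is legit",
    r"C:\Windows\SysWOW64\svchost.exe => MD5 is legit",
    r"C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit",
    r"2012-11-15 09:05 - 2012-01-27 16:09 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe",
    r"2012-12-06 16:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep",
    r"C:\Users\Owner\AppData\Local\Temp\svchost.exe",  # constructed, not from the log
]

if __name__ == "__main__":
    for p in scan_frst_lines(SAMPLE_LINES):
        print("suspicious core-binary location:", p)
```

The check is deliberately independent of file hashes: a rogue file carrying a system binary's name is worth a look even before its MD5 is compared against a known-good list.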


  • Staff

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Here's the log from the FRST:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2012

Ran by SYSTEM at 2012-12-08 11:50:00 Run:1

Running from F:\

==============================================

C:\Windows\svchost.exe moved successfully.

==== End of Fixlog ====

I then downloaded ComboFix; mid-run the screen went blank... shortly thereafter, blue screen crash, system rebooted. I'm back in safe mode right now. Should I give ComboFix another shot?


  • Staff

Yes, try running ComboFix in safe mode.

If it still won't run, then try the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.


ComboFix log:

ComboFix 12-12-07.01 - Owner 12/08/2012 12:40:07.1.2 - x64 NETWORK

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\alotappbar

c:\program files (x86)\alotappbar\alotUninst.exe

c:\program files (x86)\alotappbar\bin\alotappbar.dll

c:\program files (x86)\alotappbar\bin\alothelper.dll

c:\program files (x86)\alotappbar\bin\ALOTSettings.exe

c:\program files (x86)\alotappbar\bin\alotwidgets.exe

c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll

c:\programdata\Microsoft\Windows\DRM\854B.tmp

c:\programdata\Microsoft\Windows\DRM\854C.tmp

c:\windows\svchost.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))

.

.

2012-12-08 17:44 . 2012-12-08 17:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-08 15:05 . 2012-12-08 15:05 -------- d-----w- C:\FRST

2012-12-08 15:01 . 2012-12-08 15:01 -------- d-----w- c:\program files (x86)\7-zip

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\programdata\Yahoo!

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\programdata\Yahoo! Companion

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\program files (x86)\Yahoo!

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Yahoo!

2012-12-07 11:21 . 2012-12-07 11:21 -------- d-----w- c:\windows\Sun

2012-12-07 00:21 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B052969C-BCE4-44AA-8574-3027E8867719}\mpengine.dll

2012-12-04 05:05 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-29 03:06 . 2012-11-29 03:07 -------- d-----w- c:\windows\rescache

2012-11-28 07:27 . 2012-11-28 07:27 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05B2817D-A486-4161-B818-642882DD2456}\gapaengine.dll

2012-11-26 01:15 . 2012-12-07 00:14 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2012-11-26 01:15 . 2012-11-26 01:15 -------- d-----w- c:\programdata\Malwarebytes

2012-11-26 01:15 . 2012-11-26 01:15 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-11-26 01:15 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-17 12:55 . 2012-11-17 12:55 -------- dc-h--w- c:\users\Owner\AppData\Local\{38C7A478-EB20-4C67-9E29-437DE547273F}

2012-11-17 12:55 . 2012-11-17 12:55 -------- d-----w- c:\users\Owner\AppData\Roaming\DirectLife

2012-11-17 12:55 . 2012-11-17 12:55 -------- d-----w- c:\users\Owner\AppData\Local\PackageAware

2012-11-15 17:14 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-15 17:14 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-15 17:14 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-15 17:14 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-15 17:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-15 17:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-15 17:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-15 17:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-15 17:02 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-15 17:02 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-15 17:02 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-14 10:42 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

2012-11-14 10:42 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

2012-11-14 10:42 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2012-11-14 10:42 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

2012-11-14 10:40 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-14 10:40 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-15 17:05 . 2012-01-28 00:09 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-16 08:38 . 2012-11-28 01:54 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 01:54 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 01:54 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-03 07:13 . 2012-02-10 11:17 972192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2012-09-14 19:19 . 2012-10-10 04:43 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-10 04:43 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Swag_Bucks\prxtbSwag.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Plex Media Server"="c:\program files (x86)\Plex\Plex Media Server\Plex Media Server.exe" [2012-02-27 2709584]

"ALconnect"="c:\users\Owner\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-09-04 716424]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1282048]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]

"GIDDesktop"="c:\program files (x86)\SFT\GuardedID\gidd.exe" [2011-07-05 395528]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Constant Guard.lnk - c:\program files (x86)\Constant Guard Protection Suite\IDVault.exe [2012-10-16 5958256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2012-10-16 61552]

R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files (x86)\Intel\AMT\UNS.exe [2009-12-01 2519040]

R3 dmvsc;dmvsc;c:\windows\system32\DRIVERS\dmvsc.sys [2011-01-30 71168]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-01-30 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2011-01-30 88960]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\DRIVERS\terminpt.sys [2011-01-30 34816]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2011-01-30 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\DRIVERS\TsUsbGD.sys [2011-01-30 31232]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-01-30 117248]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-28 1255736]

S1 GIDv2;GIDv2; [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-18 70168]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]

2011-07-05 15:26 435976 ----a-w- c:\program files (x86)\SFT\GuardedID\GIDI.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 23:04]

.

2012-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 23:04]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 385560]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 363544]

"atchk"="c:\program files (x86)\Intel\AMT\atchk.exe" [2009-12-01 401408]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll

Toolbar-{A531D99C-5A22-449b-83DA-872725C6D0ED} - c:\program files (x86)\alotappbar\bin\ALOTHelper.dll

WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)

AddRemove-alotAppbar - c:\program files (x86)\alotappbar\alotUninst.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{A531D99C-5A22-449B-83DA-872725C6D0ED}"=hex:51,66,7a,6c,4c,1d,38,12,f2,da,22,

a1,10,14,f5,01,fc,cc,c4,67,20,98,94,f9

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"=hex:51,66,7a,6c,4c,1d,38,12,b8,aa,cd,

8f,50,21,85,00,f1,ff,c9,c1,aa,53,6b,80

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}"=hex:51,66,7a,6c,4c,1d,38,12,fb,cc,e6,

81,bd,a2,92,0c,c4,29,7b,87,91,0b,8f,b6

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{B84CDBE7-1B46-494B-A188-01D4C52DEB61}"=hex:51,66,7a,6c,4c,1d,38,12,89,d8,5f,

bc,74,55,25,0c,de,9e,42,94,c0,73,af,75

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:b7,29,7b,0c,30,d4,cd,01

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-08 12:45:41

ComboFix-quarantined-files.txt 2012-12-08 17:45

.

Pre-Run: 7,125,782,528 bytes free

Post-Run: 7,471,009,792 bytes free

.

- - End Of File - - 497C47B61E17780E47D4067E6DFAB5C4


MBAR found 3 remaining items. I ran the cleanup and things are running deliciously well! Booted back up normally, looks great (and seems to be running even faster than usual).

I think I'd need to go back to Safe mode to find the logs - I don't see them in the regular folder - still need them at this point?


  • Staff

There should be a Malwarebytes Anti-Rootkit folder; perhaps it is in your Downloads folder, or on your C:\ drive.

The logs will be in that folder.

Let's sweep for any leftover junk files; please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


Found the logs. I was looking in the wrong folder. :)

system-log

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_22

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.325000 GHz

Memory total: 2118746112, free: 179298304

------------ Kernel report ------------

12/08/2012 13:05:08

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\WMILIB.SYS

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\DRIVERS\pciide.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\DRIVERS\vmstorfl.sys

\SystemRoot\system32\DRIVERS\volsnap.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\e1e6232e.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\framebuf.dll

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\Drivers\GIDv2.SYS

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\clbcatq.dll

\Windows\System32\normaliz.dll

\Windows\System32\msctf.dll

\Windows\System32\lpk.dll

\Windows\System32\msvcrt.dll

\Windows\System32\usp10.dll

\Windows\System32\user32.dll

\Windows\System32\nsi.dll

\Windows\System32\imagehlp.dll

\Windows\System32\sechost.dll

\Windows\System32\oleaut32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\shell32.dll

\Windows\System32\psapi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\advapi32.dll

\Windows\System32\imm32.dll

\Windows\System32\wininet.dll

\Windows\System32\ws2_32.dll

\Windows\System32\urlmon.dll

\Windows\System32\Wldap32.dll

\Windows\System32\setupapi.dll

\Windows\System32\gdi32.dll

\Windows\System32\iertutil.dll

\Windows\System32\kernel32.dll

\Windows\System32\ole32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\difxapi.dll

\Windows\System32\comctl32.dll

\Windows\System32\wintrust.dll

\Windows\System32\crypt32.dll

\Windows\System32\devobj.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa8002ff1790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000005c\

Lower Device Object: 0xfffffa8002fef340

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800233d6c0

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-4\

Lower Device Object: 0xfffffa8001858060

Lower Device Driver Name: \00001195\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.08.06

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800233d6c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800233e040, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800233d6c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8001858060, DeviceName: \Device\Ide\IdeDeviceP2T0L0-4\, DriverName: \00001195\

------------ End ----------

Upper DeviceData: 0xfffff8a008564530, 0xfffffa800233d6c0, 0xfffffa8003abb090

Lower DeviceData: 0xfffff8a008b2b560, 0xfffffa8001858060, 0xfffffa80039f47e0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2C163F7C

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 42 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 156039168

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 80000000000 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-41-156230000-156250000)...

Sector 156249734 --> [Forged physical sector]

Sector 156249735 --> [Forged physical sector]

Sector 156249736 --> [Forged physical sector]

Sector 156249737 --> [Forged physical sector]

Sector 156249738 --> [Forged physical sector]

Sector 156249739 --> [Forged physical sector]

Sector 156249740 --> [Forged physical sector]

Sector 156249741 --> [Forged physical sector]

Sector 156249742 --> [Forged physical sector]

Sector 156249743 --> [Forged physical sector]

Sector 156249744 --> [Forged physical sector]

Sector 156249745 --> [Forged physical sector]

Sector 156249746 --> [Forged physical sector]

Sector 156249747 --> [Forged physical sector]

Sector 156249748 --> [Forged physical sector]

Sector 156249749 --> [Forged physical sector]

Sector 156249750 --> [Forged physical sector]

Sector 156249751 --> [Forged physical sector]

Sector 156249752 --> [Forged physical sector]

Sector 156249753 --> [Forged physical sector]

Sector 156249754 --> [Forged physical sector]

Sector 156249755 --> [Forged physical sector]

Sector 156249756 --> [Forged physical sector]

Sector 156249757 --> [Forged physical sector]

Sector 156249758 --> [Forged physical sector]

Sector 156249759 --> [Forged physical sector]

Sector 156249760 --> [Forged physical sector]

Sector 156249761 --> [Forged physical sector]

Sector 156249762 --> [Forged physical sector]

Sector 156249763 --> [Forged physical sector]

Sector 156249764 --> [Forged physical sector]

Sector 156249765 --> [Forged physical sector]

Sector 156249766 --> [Forged physical sector]

Sector 156249767 --> [Forged physical sector]

Sector 156249768 --> [Forged physical sector]

Sector 156249769 --> [Forged physical sector]

Sector 156249770 --> [Forged physical sector]

Sector 156249771 --> [Forged physical sector]

Sector 156249772 --> [Forged physical sector]

Sector 156249773 --> [Forged physical sector]

Sector 156249774 --> [Forged physical sector]

Sector 156249775 --> [Forged physical sector]

Sector 156249776 --> [Forged physical sector]

Sector 156249777 --> [Forged physical sector]

Sector 156249778 --> [Forged physical sector]

Sector 156249779 --> [Forged physical sector]

Sector 156249780 --> [Forged physical sector]

Sector 156249781 --> [Forged physical sector]

Sector 156249782 --> [Forged physical sector]

Sector 156249783 --> [Forged physical sector]

Sector 156249784 --> [Forged physical sector]

Sector 156249785 --> [Forged physical sector]

Sector 156249786 --> [Forged physical sector]

Sector 156249787 --> [Forged physical sector]

Sector 156249788 --> [Forged physical sector]

Sector 156249789 --> [Forged physical sector]

Sector 156249790 --> [Forged physical sector]

Sector 156249791 --> [Forged physical sector]

Sector 156249792 --> [Forged physical sector]

Sector 156249793 --> [Forged physical sector]

Sector 156249794 --> [Forged physical sector]

Sector 156249795 --> [Forged physical sector]

Sector 156249796 --> [Forged physical sector]

Sector 156249797 --> [Forged physical sector]

Sector 156249798 --> [Forged physical sector]

Sector 156249799 --> [Forged physical sector]

Sector 156249800 --> [Forged physical sector]

Sector 156249801 --> [Forged physical sector]

Sector 156249802 --> [Forged physical sector]

Sector 156249803 --> [Forged physical sector]

Sector 156249804 --> [Forged physical sector]

Sector 156249805 --> [Forged physical sector]

Sector 156249806 --> [Forged physical sector]

Sector 156249807 --> [Forged physical sector]

Sector 156249808 --> [Forged physical sector]

Sector 156249809 --> [Forged physical sector]

Sector 156249810 --> [Forged physical sector]

Sector 156249811 --> [Forged physical sector]

Sector 156249812 --> [Forged physical sector]

Sector 156249813 --> [Forged physical sector]

Sector 156249814 --> [Forged physical sector]

Sector 156249815 --> [Forged physical sector]

Sector 156249816 --> [Forged physical sector]

Sector 156249817 --> [Forged physical sector]

Sector 156249818 --> [Forged physical sector]

Sector 156249819 --> [Forged physical sector]

Sector 156249820 --> [Forged physical sector]

Sector 156249821 --> [Forged physical sector]

Sector 156249822 --> [Forged physical sector]

Sector 156249823 --> [Forged physical sector]

Sector 156249824 --> [Forged physical sector]

Sector 156249825 --> [Forged physical sector]

Sector 156249826 --> [Forged physical sector]

Sector 156249827 --> [Forged physical sector]

Sector 156249828 --> [Forged physical sector]

Sector 156249829 --> [Forged physical sector]

Sector 156249830 --> [Forged physical sector]

Sector 156249831 --> [Forged physical sector]

Sector 156249832 --> [Forged physical sector]

Sector 156249833 --> [Forged physical sector]

Sector 156249834 --> [Forged physical sector]

Sector 156249835 --> [Forged physical sector]

Sector 156249836 --> [Forged physical sector]

Sector 156249837 --> [Forged physical sector]

Sector 156249838 --> [Forged physical sector]

Sector 156249839 --> [Forged physical sector]

Sector 156249840 --> [Forged physical sector]

Sector 156249841 --> [Forged physical sector]

Sector 156249842 --> [Forged physical sector]

Sector 156249843 --> [Forged physical sector]

Sector 156249844 --> [Forged physical sector]

Sector 156249845 --> [Forged physical sector]

Sector 156249846 --> [Forged physical sector]

Sector 156249847 --> [Forged physical sector]

Sector 156249848 --> [Forged physical sector]

Sector 156249849 --> [Forged physical sector]

Sector 156249850 --> [Forged physical sector]

Sector 156249851 --> [Forged physical sector]

Sector 156249852 --> [Forged physical sector]

Sector 156249853 --> [Forged physical sector]

Sector 156249854 --> [Forged physical sector]

Sector 156249855 --> [Forged physical sector]

Sector 156249856 --> [Forged physical sector]

Sector 156249857 --> [Forged physical sector]

Sector 156249858 --> [Forged physical sector]

Sector 156249859 --> [Forged physical sector]

Sector 156249860 --> [Forged physical sector]

Sector 156249861 --> [Forged physical sector]

Sector 156249862 --> [Forged physical sector]

Sector 156249863 --> [Forged physical sector]

Sector 156249864 --> [Forged physical sector]

Sector 156249865 --> [Forged physical sector]

Sector 156249866 --> [Forged physical sector]

Sector 156249867 --> [Forged physical sector]

Sector 156249868 --> [Forged physical sector]

Sector 156249869 --> [Forged physical sector]

Sector 156249870 --> [Forged physical sector]

Sector 156249871 --> [Forged physical sector]

Sector 156249872 --> [Forged physical sector]

Sector 156249873 --> [Forged physical sector]

Sector 156249874 --> [Forged physical sector]

Sector 156249875 --> [Forged physical sector]

Sector 156249876 --> [Forged physical sector]

Sector 156249877 --> [Forged physical sector]

Sector 156249878 --> [Forged physical sector]

Sector 156249879 --> [Forged physical sector]

Sector 156249880 --> [Forged physical sector]

Sector 156249881 --> [Forged physical sector]

Sector 156249882 --> [Forged physical sector]

Sector 156249883 --> [Forged physical sector]

Sector 156249884 --> [Forged physical sector]

Sector 156249885 --> [Forged physical sector]

Sector 156249886 --> [Forged physical sector]

Sector 156249887 --> [Forged physical sector]

Sector 156249888 --> [Forged physical sector]

Sector 156249889 --> [Forged physical sector]

Sector 156249890 --> [Forged physical sector]

Sector 156249891 --> [Forged physical sector]

Sector 156249892 --> [Forged physical sector]

Sector 156249893 --> [Forged physical sector]

Sector 156249894 --> [Forged physical sector]

Sector 156249895 --> [Forged physical sector]

Sector 156249896 --> [Forged physical sector]

Sector 156249897 --> [Forged physical sector]

Sector 156249898 --> [Forged physical sector]

Sector 156249899 --> [Forged physical sector]

Sector 156249900 --> [Forged physical sector]

Sector 156249901 --> [Forged physical sector]

Sector 156249902 --> [Forged physical sector]

Sector 156249903 --> [Forged physical sector]

Sector 156249904 --> [Forged physical sector]

Sector 156249905 --> [Forged physical sector]

Sector 156249906 --> [Forged physical sector]

Sector 156249907 --> [Forged physical sector]

Sector 156249908 --> [Forged physical sector]

Sector 156249909 --> [Forged physical sector]

Sector 156249910 --> [Forged physical sector]

Sector 156249911 --> [Forged physical sector]

Sector 156249912 --> [Forged physical sector]

Sector 156249913 --> [Forged physical sector]

Sector 156249914 --> [Forged physical sector]

Sector 156249915 --> [Forged physical sector]

Sector 156249916 --> [Forged physical sector]

Sector 156249917 --> [Forged physical sector]

Sector 156249918 --> [Forged physical sector]

Sector 156249919 --> [Forged physical sector]

Sector 156249920 --> [Forged physical sector]

Sector 156249921 --> [Forged physical sector]

Sector 156249922 --> [Forged physical sector]

Sector 156249923 --> [Forged physical sector]

Sector 156249924 --> [Forged physical sector]

Sector 156249925 --> [Forged physical sector]

Sector 156249926 --> [Forged physical sector]

Sector 156249927 --> [Forged physical sector]

Sector 156249928 --> [Forged physical sector]

Sector 156249929 --> [Forged physical sector]

Sector 156249930 --> [Forged physical sector]

Sector 156249931 --> [Forged physical sector]

Sector 156249932 --> [Forged physical sector]

Sector 156249933 --> [Forged physical sector]

Sector 156249934 --> [Forged physical sector]

Sector 156249935 --> [Forged physical sector]

Sector 156249936 --> [Forged physical sector]

Sector 156249937 --> [Forged physical sector]

Sector 156249938 --> [Forged physical sector]

Sector 156249939 --> [Forged physical sector]

Sector 156249940 --> [Forged physical sector]

Sector 156249941 --> [Forged physical sector]

Sector 156249942 --> [Forged physical sector]

Sector 156249943 --> [Forged physical sector]

Sector 156249944 --> [Forged physical sector]

Sector 156249945 --> [Forged physical sector]

Sector 156249946 --> [Forged physical sector]

Sector 156249947 --> [Forged physical sector]

Sector 156249948 --> [Forged physical sector]

Sector 156249949 --> [Forged physical sector]

Sector 156249950 --> [Forged physical sector]

Sector 156249951 --> [Forged physical sector]

Sector 156249952 --> [Forged physical sector]

Sector 156249953 --> [Forged physical sector]

Sector 156249954 --> [Forged physical sector]

Sector 156249955 --> [Forged physical sector]

Sector 156249956 --> [Forged physical sector]

Sector 156249957 --> [Forged physical sector]

Sector 156249958 --> [Forged physical sector]

Sector 156249959 --> [Forged physical sector]

Sector 156249960 --> [Forged physical sector]

Sector 156249961 --> [Forged physical sector]

Sector 156249962 --> [Forged physical sector]

Sector 156249963 --> [Forged physical sector]

Sector 156249964 --> [Forged physical sector]

Sector 156249965 --> [Forged physical sector]

Sector 156249966 --> [Forged physical sector]

Sector 156249967 --> [Forged physical sector]

Sector 156249968 --> [Forged physical sector]

Sector 156249969 --> [Forged physical sector]

Sector 156249970 --> [Forged physical sector]

Sector 156249971 --> [Forged physical sector]

Sector 156249972 --> [Forged physical sector]

Sector 156249973 --> [Forged physical sector]

Sector 156249974 --> [Forged physical sector]

Sector 156249975 --> [Forged physical sector]

Sector 156249976 --> [Forged physical sector]

Sector 156249977 --> [Forged physical sector]

Sector 156249978 --> [Forged physical sector]

Sector 156249979 --> [Forged physical sector]

Sector 156249980 --> [Forged physical sector]

Sector 156249981 --> [Forged physical sector]

Sector 156249982 --> [Forged physical sector]

Sector 156249983 --> [Forged physical sector]

Sector 156249984 --> [Forged physical sector]

Sector 156249985 --> [Forged physical sector]

Sector 156249986 --> [Forged physical sector]

Sector 156249987 --> [Forged physical sector]

Sector 156249988 --> [Forged physical sector]

Sector 156249989 --> [Forged physical sector]

Sector 156249990 --> [Forged physical sector]

Sector 156249991 --> [Forged physical sector]

Sector 156249992 --> [Forged physical sector]

Sector 156249993 --> [Forged physical sector]

Sector 156249994 --> [Forged physical sector]

Sector 156249995 --> [Forged physical sector]

Sector 156249996 --> [Forged physical sector]

Sector 156249997 --> [Forged physical sector]

Sector 156249998 --> [Forged physical sector]

Sector 156249999 --> [Forged physical sector]

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa8002ff1790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8002fea040, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8002ff1790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8002fef340, DeviceName: \Device\0000005c\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a003da7b10, 0xfffffa8002ff1790, 0xfffffa8003402640

Lower DeviceData: 0xfffff8a0037c5f80, 0xfffffa8002fef340, 0xfffffa80024e5090

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 0

Partition information:

Partition 0 type is Other (0xb)

Partition is ACTIVE.

Partition starts at LBA: 128 Numsec = 2011008

Partition file system is FAT32

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1029701632 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

Creating System Restore point...

Could not create restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 2

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_22

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.325000 GHz

Memory total: 2118762496, free: 1125158912

mbar-log-2012-12-08

------------------------------------------------

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.08.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Owner :: OPTI755 [administrator]

12/8/2012 1:20:27 PM

mbar-log-2012-12-08 (13-20-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 26890

Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_42_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_156249734_user.mbam (Forged physical sector) -> Delete on reboot.

(end)

Now that I've gotten the bootup thing clear, I won't be running the next steps in safe mode any longer (huzzah!)...

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.9.9 (12.08.2012:3)

OS: Windows 7 Ultimate x64

Ran by Owner on Sat 12/08/2012 at 15:47:24.88

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\urlsearchhooks\\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{a531d99c-5a22-449b-83da-872725c6d0ed}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\conduit"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\conduitsearchscopes"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\smartbar"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\toolbar"

Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{85f5cf95-ec8f-49fc-bb3f-38c79455cba2}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{85f5cf95-ec8f-49fc-bb3f-38c79455cba2}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a531d99c-5a22-449b-83da-872725c6d0ed}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{a531d99c-5a22-449b-83da-872725c6d0ed}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Files

~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"

Successfully deleted: [Folder] "C:\Users\Owner\appdata\local\conduit"

Successfully deleted: [Folder] "C:\Users\Owner\appdata\locallow\alotappbar"

Successfully deleted: [Folder] "C:\Users\Owner\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Owner\appdata\locallow\swag_bucks"

Failed to delete: [Folder] "C:\Program Files (x86)\conduit"

Failed to delete: [Folder] "C:\Program Files (x86)\coupons"

Failed to delete: [Folder] "C:\Program Files (x86)\swag_bucks"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 12/08/2012 at 15:50:55.10

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adware Removal log:

# AdwCleaner v2.011 - Logfile created 12/08/2012 at 16:13:21

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

# User : Owner - OPTI755

# Boot Mode : Normal

# Running from : C:\Users\Owner\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Swag_Bucks

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2260173

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{85675E8E-5807-456E-8005-29ECDFB5AA98}

Key Deleted : HKLM\Software\Swag_Bucks

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{85675E8E-5807-456E-8005-29ECDFB5AA98}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21848D95-AE10-4E76-87B9-D2983B89C3D8}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D25C2995-CFF2-4259-A335-1D618E72EDFF}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Swag_Bucks Toolbar

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1633 octets] - [08/12/2012 16:01:00]

AdwCleaner[s1].txt - [1586 octets] - [08/12/2012 16:13:21]

########## EOF - C:\AdwCleaner[s1].txt - [1646 octets] ##########

More logs to follow later...

ESET scan log.

C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\854B.tmp.vir Win64/Olmarik.AO trojan

C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\854C.tmp.vir Win64/Olmarik.AO trojan

C:\Users\Owner\Downloads\7zip_installer_d793198.exe probably a variant of Win32/InstallIQ application

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm HTML/Iframe.B.Gen virus

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm HTML/Iframe.B.Gen virus

I think that's the last of the logs....

  • Staff

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


File::
C:\Users\Owner\Downloads\7zip_installer_d793198.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version XI)

Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed; if there are, remove them.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Got through the ComboFix run - log below. ComboFix pushed me through a reboot, and now trying to run anything on the computer gives me a warning: "Illegal operation on a registry key that has been marked for deletion".

I had to go to a spare computer to post this. I'm naturally VERY concerned. Help?

Combofix log:

ComboFix 12-12-07.01 - Owner 12/08/2012 20:03:28.2.2 - x64

Running from: c:\users\Owner\Desktop\ComboFix.exe

Command switches used :: c:\users\Owner\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

.

FILE ::

"c:\users\Owner\Downloads\7zip_installer_d793198.exe"

"c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm"

"c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Owner\AppData\Local\Temp\{A7234B96-06FB-485B-8A66-98C8AB7D82F0}\fpb.tmp

c:\users\Owner\Downloads\7zip_installer_d793198.exe

c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\submit-a-video[1].htm

.

.

((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 )))))))))))))))))))))))))))))))

.

.

2012-12-09 01:08 . 2012-12-09 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-08 21:22 . 2012-12-08 21:22 -------- d-----w- c:\program files (x86)\ESET

2012-12-08 21:16 . 2012-12-08 21:16 -------- d-----w- c:\programdata\boost_interprocess

2012-12-08 20:47 . 2012-12-08 20:47 -------- d-----w- c:\windows\ERUNT

2012-12-08 20:45 . 2012-12-08 20:47 -------- d-----w- C:\JRT

2012-12-08 18:37 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EAA86C00-20F9-40FD-ACA0-FCCBA9F448DA}\mpengine.dll

2012-12-08 15:05 . 2012-12-08 15:05 -------- d-----w- C:\FRST

2012-12-08 15:01 . 2012-12-08 15:01 -------- d-----w- c:\program files (x86)\7-zip

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\programdata\Yahoo!

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\programdata\Yahoo! Companion

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\program files (x86)\Yahoo!

2012-12-08 14:59 . 2012-12-08 14:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Yahoo!

2012-12-07 11:21 . 2012-12-07 11:21 -------- d-----w- c:\windows\Sun

2012-12-07 00:21 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-29 03:06 . 2012-11-29 03:07 -------- d-----w- c:\windows\rescache

2012-11-28 07:27 . 2012-11-28 07:27 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05B2817D-A486-4161-B818-642882DD2456}\gapaengine.dll

2012-11-26 01:15 . 2012-12-07 00:14 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2012-11-26 01:15 . 2012-11-26 01:15 -------- d-----w- c:\programdata\Malwarebytes

2012-11-26 01:15 . 2012-11-26 01:15 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-11-26 01:15 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-17 12:55 . 2012-11-17 12:55 -------- dc-h--w- c:\users\Owner\AppData\Local\{38C7A478-EB20-4C67-9E29-437DE547273F}

2012-11-17 12:55 . 2012-11-17 12:55 -------- d-----w- c:\users\Owner\AppData\Roaming\DirectLife

2012-11-17 12:55 . 2012-11-17 12:55 -------- d-----w- c:\users\Owner\AppData\Local\PackageAware

2012-11-15 17:14 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-15 17:14 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-15 17:14 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-15 17:14 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-15 17:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-15 17:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-15 17:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-15 17:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-15 17:02 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-15 17:02 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-15 17:02 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-14 10:42 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

2012-11-14 10:42 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

2012-11-14 10:42 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2012-11-14 10:42 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

2012-11-14 10:40 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-14 10:40 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-15 17:05 . 2012-01-28 00:09 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-16 08:38 . 2012-11-28 01:54 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 01:54 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 01:54 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-03 07:13 . 2012-02-10 11:17 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2012-09-14 19:19 . 2012-10-10 04:43 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-10 04:43 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Plex Media Server"="c:\program files (x86)\Plex\Plex Media Server\Plex Media Server.exe" [2012-02-27 2709584]

"ALconnect"="c:\users\Owner\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-09-04 716424]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1282048]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]

"GIDDesktop"="c:\program files (x86)\SFT\GuardedID\gidd.exe" [2011-07-05 395528]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Constant Guard.lnk - c:\program files (x86)\Constant Guard Protection Suite\IDVault.exe [2012-10-16 5958256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R3 dmvsc;dmvsc;c:\windows\system32\DRIVERS\dmvsc.sys [2011-01-30 71168]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-01-30 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2011-01-30 88960]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\DRIVERS\terminpt.sys [2011-01-30 34816]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2011-01-30 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\DRIVERS\TsUsbGD.sys [2011-01-30 31232]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-01-30 117248]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-28 1255736]

S1 GIDv2;GIDv2; [x]

S2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2012-10-16 61552]

S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files (x86)\Intel\AMT\UNS.exe [2009-12-01 2519040]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-18 70168]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]

2011-07-05 15:26 435976 ----a-w- c:\program files (x86)\SFT\GuardedID\GIDI.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 23:04]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 23:04]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 385560]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 363544]

"atchk"="c:\program files (x86)\Intel\AMT\atchk.exe" [2009-12-01 401408]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-alotAppbar - c:\program files (x86)\alotappbar\alotUninst.exe

AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files (x86)\Coupons\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{A531D99C-5A22-449B-83DA-872725C6D0ED}"=hex:51,66,7a,6c,4c,1d,38,12,f2,da,22,

a1,10,14,f5,01,fc,cc,c4,67,20,98,94,f9

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"=hex:51,66,7a,6c,4c,1d,38,12,b8,aa,cd,

8f,50,21,85,00,f1,ff,c9,c1,aa,53,6b,80

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}"=hex:51,66,7a,6c,4c,1d,38,12,fb,cc,e6,

81,bd,a2,92,0c,c4,29,7b,87,91,0b,8f,b6

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{B84CDBE7-1B46-494B-A188-01D4C52DEB61}"=hex:51,66,7a,6c,4c,1d,38,12,89,d8,5f,

bc,74,55,25,0c,de,9e,42,94,c0,73,af,75

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:b7,29,7b,0c,30,d4,cd,01

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Intel\AMT\atchksrv.exe

c:\program files (x86)\Intel\AMT\LMS.exe

c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

.

**************************************************************************

.

Completion time: 2012-12-08 20:14:02 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-09 01:14

ComboFix2.txt 2012-12-08 17:45

.

Pre-Run: 6,789,890,048 bytes free

Post-Run: 6,739,738,624 bytes free

.

- - End Of File - - 3F79B233BAE48012E29E47135F0A31AD

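For anyone triaging a ComboFix log like the one posted above, the following is an added example (not part of this thread, and not code from ComboFix or Malwarebytes) that parses the Run-key values and service lines from the "Reg Loading Points" section and flags the entries a responder would look at first: images that ComboFix marks `[x]` (file not found), services with no image path at all, and autoruns that load from user-writable locations such as AppData. The sample lines are copied from the log above; the regular expressions and the triage rules are this example's own assumptions about the report format.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example; not part of the thread above or of ComboFix. The parsing
rules and triage heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the ComboFix log posted above (the report's own format).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Plex Media Server"="c:\program files (x86)\Plex\Plex Media Server\Plex Media Server.exe" [2012-02-27 2709584]
"ALconnect"="c:\users\Owner\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-09-04 716424]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GIDDesktop"="c:\program files (x86)\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 GIDv2;GIDv2; [x]
S2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2012-10-16 61552]
"""

# "Name"="path" [date size]  -> a value under a Run key
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# R3 svc;description;path [date size]  -> service/driver line (R* running, S* stopped)
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]')
REG_KEY = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]')

# Directories an ordinary user can write to; an autorun living here deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Entry:
    kind: str            # "run" or "service"
    name: str
    path: str
    meta: str            # "date size", or "x" when ComboFix could not find the file
    key: Optional[str]   # registry key a Run value sits under (None for services)


def parse_loading_points(text: str) -> List[Entry]:
    """Extract Run values and service lines from ComboFix report text."""
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = REG_KEY.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        run = RUN_VALUE.match(line)
        if run:
            entries.append(Entry("run", run.group("name"), run.group("path"),
                                 run.group("meta"), current_key))
            continue
        svc = SERVICE.match(line)
        if svc:
            entries.append(Entry("service", svc.group("name"), svc.group("path").strip(),
                                 svc.group("meta"), None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.meta.strip().lower() == "x":
            findings.append((e.name, "file not found"))
        if not e.path:
            findings.append((e.name, "no image path"))
        elif any(marker in e.path.lower() for marker in USER_WRITABLE):
            findings.append((e.name, "user-writable location"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{name:20} {reason}")
```

Run against the sample, the script singles out ALconnect (loads from the user's AppData), VGPU (driver file missing) and GIDv2 (no image path at all, which is why ComboFix also prints `[x]`); a flagged entry is a starting point for a look at the file and its publisher, not proof of malice on its own.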

  • Staff

Just reboot and that error will go away.

I'll check over the log and give you further instructions shortly, but I wanted you to know that error is nothing to be concerned about.

(the warning is in my original instructions for running ComboFix that this may occur)


  • Staff

We just have some housekeeping to do now,

Please do the following:

You can delete the DDS, MBAR, JRT and the Farbar logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

    PC Safety and Security--What Do I Need?

  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

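The "Make Internet Explorer more secure" steps in the reply above set three Internet-zone ActiveX options through the Internet Properties dialog. As an added example (not part of this thread, and not a tool from Malwarebytes), the script below audits those same settings from the registry so the result can be checked without clicking through the dialog. The value names 1001, 1004 and 1201 are Internet Explorer's documented URL-action identifiers for the three options, and the action codes 0/1/3 are Enable/Prompt/Disable; the expected actions follow the reply's instructions. The `WEAK_ZONE` and `HARDENED_ZONE` dictionaries are constructed samples so the audit function can run anywhere; `read_internet_zone()` reads the live per-user key and only works on Windows.

```python
"""Check the Internet-zone ActiveX settings the reply above asks the user to set.

Added example; not part of the thread. Value names 1001 / 1004 / 1201 are
Internet Explorer's URL-action identifiers for the three options; the expected
actions are taken from the reply's instructions.
"""
import sys
from typing import Dict, List, Tuple

# Per-user Internet zone (zone 3) under HKEY_CURRENT_USER.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL action values: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (option label, action the reply asks for)
EXPECTED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed sample zones: everything enabled versus the settings from the reply.
WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}
HARDENED_ZONE = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}


def audit_activex(zone: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Compare a zone's ActiveX values with EXPECTED; return (value, label, problem) triples."""
    findings: List[Tuple[str, str, str]] = []
    for value_name, (label, want) in EXPECTED.items():
        have = zone.get(value_name)
        if have is None:
            findings.append((value_name, label,
                             f"value absent, IE's built-in default applies; expected {ACTION_NAME[want]}"))
        elif have != want:
            findings.append((value_name, label,
                             f"is {ACTION_NAME.get(have, have)}, expected {ACTION_NAME[want]}"))
    return findings


def read_internet_zone() -> Dict[str, int]:
    """Read the three values from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("the Internet Settings registry key only exists on Windows")
    import winreg  # standard library module, present only on Windows builds
    zone: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in EXPECTED:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                zone[name] = int(value)
            except FileNotFoundError:
                pass  # value not present; audit_activex reports it
    return zone


if __name__ == "__main__":
    zone = read_internet_zone() if sys.platform == "win32" else WEAK_ZONE
    problems = audit_activex(zone)
    for value_name, label, problem in problems:
        print(f"{value_name} {label}: {problem}")
    if not problems:
        print("ActiveX settings match the recommended configuration")
```

An absent value is reported rather than silently accepted, because IE then falls back to the zone template's default and the effective setting is not visible from this key alone.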

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

