
Stolen Data MWB deleted files rebooted reran scan more files found


Dadlsj


OK, I'm running Win 7 64-bit.

Also running Microsoft Security Essentials; both are updated with the latest updates.

MWB found the files in C:\Users\(logged-on Windows user name)\AppData\Roaming\dclogs. Each file was named 2012-month-day-a number 1 thru 20; it seems as if the number grows by one each time a new file is made. I changed the extension from .dc to .txt so I could read the file, because Windows did not know what application to use to open it.

Here is a sample of what I found:

:: (8:47:45 AM)

:: Yahoo! Mail: The best web-based email! - Windows Internet Explorer (8:53:52 AM)

(( My email address)) HayYAHY[<-][<-][<-][<-][<-][<-][<-][<-][<-][<-] (( my email address username and password))

:: dclogs (10:04:39 AM)

(( second file))

[<-][<-]txtu

:: Microsoft Support - Windows Internet Explorer (10:08:18 AM)

dclogs

:: Search The Knowledge Base - Windows Internet Explorer (10:21:58 AM)

how to check the [<-][<-][<-][<-]file[<-][<-][<-]ile axx[<-][<-]cc[<-][<-]ssociations in windows t7[<-][<-]67[<-][<-]7

:: Start menu (10:42:45 AM)

regeditregeregedit

:: Problems with "File Association" in Windows 7 64-bit - Microsoft Community - Windows Internet Explorer (10:44:32 AM)

dc log file[<-]es

:: dc log files - Microsoft Community - Windows Internet Explorer (10:44:51 AM)

[<-]

s folder[DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL]

:: dclogs folder - Microsoft Community - Windows Internet Explorer (10:45:02 AM)

[DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL][DEL]

:: dclogs - Microsoft Community - Windows Internet Explorer (10:56:05 AM)

[<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-][<-]

:: Google - Windows Internet Explorer (11:09:44 AM)

keylogger

So this looks like a keylogger to me. When I used the On-Screen Keyboard, it recorded what was typed.

I was going to buy a keylogger cleaner. Then I thought MWB should have cleaned the logger, and if not, then Win. Sec. Ess. should have removed it.

I haven't run MWB in safe mode yet, but I will after I hear your comments. Now that I know the logger is here, I can't be hurt by it.

Awaiting your reply

Dad
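Given the .dc format shown in the post (one ":: <window title> (<time>)" header per focused window, followed by the keystrokes, with "[<-]" for Backspace and "[DEL]" for the Delete key), the first question for a responder is which windows had credentials typed into them. The Python script below is an added example for this thread, not code from the keylogger, from Malwarebytes or from the poster. It parses that format, replays the backspaces to recover what was actually entered, flags windows whose title suggests a login, and can walk the AppData\Roaming\dclogs folder named above. The keyword list, the default folder, and treating "[DEL]" as leaving the buffer unchanged (the log records no cursor position, so forward-delete cannot be replayed) are assumptions; the sample log is constructed here with placeholder credentials.

```python
"""Parse keystroke logs in the ':: <window title> (<time>)' format and
reconstruct the typed text. Added example for this thread; not the
keylogger's, Malwarebytes' or the poster's code. '[<-]' is Backspace and
'[DEL]' the Delete key, as in the sample in the post; treating '[DEL]' as a
no-op on the buffer is an assumption (the log carries no cursor position)."""
import re
from pathlib import Path

# Header line: '::', optional title, then '(h:mm:ss AM)' at the end of the line.
HEADER_RE = re.compile(
    r"^::\s*(?P<title>.*?)\s*\((?P<time>\d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\)\s*$")
# Tokenise a keystroke line into edit markers and single characters.
TOKEN_RE = re.compile(r"\[<-\]|\[DEL\]|.", re.DOTALL)


def reconstruct(raw: str) -> str:
    """Replay the stream: '[<-]' removes the previous character, '[DEL]' is ignored."""
    buf = []
    for tok in TOKEN_RE.findall(raw):
        if tok == "[<-]":
            if buf:                      # Backspace on an empty buffer is a no-op
                buf.pop()
        elif tok == "[DEL]":
            continue                     # assumption: cannot be replayed without a cursor
        else:
            buf.append(tok)
    return "".join(buf)


def parse_log(text: str) -> list:
    """Split a log into per-window entries: {time, title, raw, typed}."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"time": m["time"], "title": m["title"], "raw": []})
        elif entries and line.strip():   # keystrokes belong to the last header seen
            entries[-1]["raw"].append(line)
    for e in entries:
        e["raw"] = "\n".join(e["raw"])
        e["typed"] = reconstruct(e["raw"])
    return entries


def looks_like_keylog(text: str) -> bool:
    """Triage heuristic for an unknown file: several window headers plus edit-key markers."""
    headers = sum(1 for ln in text.splitlines() if HEADER_RE.match(ln))
    return headers >= 2 and ("[<-]" in text or "[DEL]" in text)


def exposed_windows(entries, keywords=("mail", "login", "sign in", "bank", "password")):
    """Entries whose title suggests a credential prompt and where something was typed (keywords are an assumption)."""
    return [e for e in entries
            if e["typed"] and any(k in e["title"].lower() for k in keywords)]


def scan_dclogs(root=Path.home() / "AppData" / "Roaming" / "dclogs") -> dict:
    """Parse every *.dc file in the folder named in the post (default path is an assumption)."""
    return {p.name: parse_log(p.read_text(errors="replace"))
            for p in sorted(Path(root).glob("*.dc"))}


# Constructed sample in the format of the post; the credentials are placeholders.
SAMPLE_LOG = """:: (8:47:45 AM)
:: Yahoo! Mail: The best web-based email! - Windows Internet Explorer (8:53:52 AM)
user@example.com
HayYAHY[<-][<-][<-][<-][<-][<-][<-]Passw0rd!
:: Start menu (10:42:45 AM)
regeditregeregedit
:: dclogs folder - Microsoft Community - Windows Internet Explorer (10:45:02 AM)
[DEL][DEL][DEL]
:: Google - Windows Internet Explorer (11:09:44 AM)
keylogger"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e['time']:>11}  {e['title'][:40]!r:44} typed={e['typed']!r}")
    for e in exposed_windows(parse_log(SAMPLE_LOG)):
        print("credential window:", e["time"], e["title"])
```

Anything the script recovers under a mail or login title has already left the machine in one of those .dc files, so it should be rotated from a clean device; the parser scopes the exposure, it does nothing about the infection itself.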


1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/

2. Unzip the file to a convenient location (the Desktop is recommended).

3. Open the folder where the contents were unzipped and run mbar.exe.

Image1.png

4. Double-click on the mbar.exe file. You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button, and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

6. The following image opens; select Next.

Image2.png

7. The following image opens; select Update.

Image3.png

8. When the update completes, select Next.

Image4.png

9. In the following window, ensure "Targets" are ticked. Then select "Scan".

Image5.png

10. If an infection is found, the "Cleanup" button to remove threats will be available. A list of infected files will be shown, like the following example:

MBAntiRKclean.png

11. Do not select the "Cleanup" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found, you will see the following image:

Image6.png

13. Select "Exit" to close down.

14. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log (the date and time of the scan will also be shown)

Image10.png

Post those two logs in your reply.

Kevin


Thanks for your support.

Had a few problems. The final result was: I'm still being logged.

Here are the steps of my attempt.

Unzipped MBAR.

Launched the .exe file.

Did not get the error box

DDA driver was not installed which may be caused by rootkit activity...

Instead I got another error box roughly stating the same. My guess is the version of Windows your instructions were written for differs from my version of Windows (which is Win 7 64-bit Ultra). I clicked Yes as directed, but nothing happened. Clicked No, and the install proceeded to the next step.

The anti-rootkit installed, updated, scanned, then hung, with no indication of what the scan found. I looked for the log files and only found one.

Log file name: system-log.txt

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 17161666560, free: 12802854912

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 17161666560, free: 13053706240

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 17161666560, free: 13059661824

------------ Kernel report ------------

12/14/2012 14:20:24

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\System32\Drivers\sptd.sys

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\DRIVERS\mv91cons.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\msahci.sys

\SystemRoot\system32\DRIVERS\mv91xx.sys

\SystemRoot\system32\DRIVERS\SCSIPORT.SYS

\SystemRoot\system32\DRIVERS\mvxxmm.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\DRIVERS\MpFilter.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\dtsoftbus01.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\ctxusbm.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\drivers\usbehci.sys

\SystemRoot\system32\drivers\USBPORT.SYS

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\1394ohci.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\drivers\wmiacpi.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\drivers\MBfilt64.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\drivers\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\drivers\usbaudio.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\netr28ux.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\drivers\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\drivers\WudfPf.sys

\??\C:\Program Files\Sandboxie\SbieDrv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\DRIVERS\TurboB.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\DRIVERS\NisDrvWFP.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk9\DR9

Upper Device Object: 0xfffffa8011015060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000009a\

Lower Device Object: 0xfffffa8010405660

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk8\DR8

Upper Device Object: 0xfffffa8011014060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000099\

Lower Device Object: 0xfffffa8010feeb60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk7\DR7

Upper Device Object: 0xfffffa8011013060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000098\

Lower Device Object: 0xfffffa8010405b60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk6\DR6

Upper Device Object: 0xfffffa8011000060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000097\

Lower Device Object: 0xfffffa8010fd6750

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR5

Upper Device Object: 0xfffffa800df44060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa800db5c060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xfffffa800df43060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP5T0L0-7\

Lower Device Object: 0xfffffa800db74680

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xfffffa800df42060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T1L0-4\

Lower Device Object: 0xfffffa800db70680

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800de30060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa800db6c060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800de2f060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T1L0-6\

Lower Device Object: 0xfffffa800db7a060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800de2e060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\

Lower Device Object: 0xfffffa800db60060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Downloaded database version: v2012.12.14.12

Initializing...

Done!

<<<2>>>

Device number: 3, partition: 1

Physical Sector Size: 512

Drive: 3, DevicePointer: 0xfffffa800df42060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800df42b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800df42060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800db6a580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800db70680, DeviceName: \Device\Ide\IdeDeviceP3T1L0-4\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a0a8095180, 0xfffffa800df42060, 0xfffffa8015a24090

Lower DeviceData: 0xfffff8a0a90d5ac0, 0xfffffa800db70680, 0xfffffa8013fe78d0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800de2e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800de2eb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800de2e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800db5f580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800db60060, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a023b69360, 0xfffffa800de2e060, 0xfffffa801c8db280

Lower DeviceData: 0xfffff8a0a5b6b4e0, 0xfffffa800db60060, 0xfffffa8016567530

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

This drive is a GPT Drive.

MBR Signature: 55AA

Disk Signature: D4BB4F11

GPT Protective MBR Partition information:

Partition 0 type is Other (0xee)

Partition is NOT ACTIVE.

Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GptHeader Signature 4546492050415254

GptHeader Revision 65536 Size 92 CRC 84435621

GptHeader CurrentLba = 1 BackupLba 5860533167

GptHeader FirstUsableLba 34 LastUsableLba 5860533134

GptHeader Guid 818a32b0-5ece-4940-9ae8-d4fdd4ca76c2

GptHeader 128 Partitions starting at LBA 2

GptHeader Partition entry size = 128

Backup GptHeader Signature f5efe9cc90515cec

Backup GptHeader Revision 2410213636 Size 1064916482 CRC 3523033353

Backup GptHeader CurrentLba = 6784505461793305372 BackupLba 15399504941144083452

Backup GptHeader FirstUsableLba 16919074674219090897 LastUsableLba 15260458605071593567

Backup GptHeader Guid 3be5a33f-566e-692d-d566-7f1ec3d28397

Backup GptHeader 656470262 Partitions starting at LBA 10786266267620801067

Backup GptHeader Partition entry size = 347945541

GptHeader and Backup header have conflicting data

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 17161666560, free: 13044834304

------------ Kernel report ------------

12/14/2012 14:23:42

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\System32\Drivers\sptd.sys

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\DRIVERS\mv91cons.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\msahci.sys

\SystemRoot\system32\DRIVERS\mv91xx.sys

\SystemRoot\system32\DRIVERS\SCSIPORT.SYS

\SystemRoot\system32\DRIVERS\mvxxmm.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\DRIVERS\MpFilter.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\dtsoftbus01.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\ctxusbm.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\drivers\usbehci.sys

\SystemRoot\system32\drivers\USBPORT.SYS

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\1394ohci.sys

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\drivers\wmiacpi.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\drivers\MBfilt64.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\drivers\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\drivers\usbaudio.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\netr28ux.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\drivers\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\drivers\WudfPf.sys

\??\C:\Program Files\Sandboxie\SbieDrv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\DRIVERS\TurboB.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys

\??\C:\Windows\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\DRIVERS\NisDrvWFP.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk9\DR9

Upper Device Object: 0xfffffa8011015060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000009a\

Lower Device Object: 0xfffffa8010405660

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa801dfcf9d0

<<<1>>>

Upper Device Name: \Device\Harddisk8\DR8

Upper Device Object: 0xfffffa8011014060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000099\

Lower Device Object: 0xfffffa8010feeb60

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa801e3cde40

<<<1>>>

Upper Device Name: \Device\Harddisk7\DR7

Upper Device Object: 0xfffffa8011013060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000098\

Lower Device Object: 0xfffffa8010405b60

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa801627ab70

<<<1>>>

Upper Device Name: \Device\Harddisk6\DR6

Upper Device Object: 0xfffffa8011000060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000097\

Lower Device Object: 0xfffffa8010fd6750

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa801e4037d0

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR5

Upper Device Object: 0xfffffa800df44060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa800db5c060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa801e169090

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xfffffa800df43060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP5T0L0-7\

Lower Device Object: 0xfffffa800db74680

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa801e170ab0

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xfffffa800df42060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T1L0-4\

Lower Device Object: 0xfffffa800db70680

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa8013fe78d0

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800de30060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa800db6c060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa800d846090

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800de2f060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T1L0-6\

Lower Device Object: 0xfffffa800db7a060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa801cb4c2a0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800de2e060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\

Lower Device Object: 0xfffffa800db60060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa8016567530

Initializing...

Done!

<<<2>>>

Device number: 3, partition: 1

Physical Sector Size: 512

Drive: 3, DevicePointer: 0xfffffa800df42060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800df42b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800df42060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800db6a580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800db70680, DeviceName: \Device\Ide\IdeDeviceP3T1L0-4\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a05d4be850, 0xfffffa800df42060, 0xfffffa8015a24090

Lower DeviceData: 0xfffff8a01822a5b0, 0xfffffa800db70680, 0xfffffa8013fe78d0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800de2e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800de2eb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800de2e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800db5f580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800db60060, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a09224ab60, 0xfffffa800de2e060, 0xfffffa801c8db280

Lower DeviceData: 0xfffff8a0690dfd80, 0xfffffa800db60060, 0xfffffa8016567530

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

This drive is a GPT Drive.

MBR Signature: 55AA

Disk Signature: D4BB4F11

GPT Protective MBR Partition information:

Partition 0 type is Other (0xee)

Partition is NOT ACTIVE.

Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GptHeader Signature 4546492050415254

GptHeader Revision 65536 Size 92 CRC 84435621

GptHeader CurrentLba = 1 BackupLba 5860533167

GptHeader FirstUsableLba 34 LastUsableLba 5860533134

GptHeader Guid 818a32b0-5ece-4940-9ae8-d4fdd4ca76c2

GptHeader 128 Partitions starting at LBA 2

GptHeader Partition entry size = 128

Backup GptHeader Signature f5efe9cc90515cec

Backup GptHeader Revision 2410213636 Size 1064916482 CRC 3523033353

Backup GptHeader CurrentLba = 6784505461793305372 BackupLba 15399504941144083452

Backup GptHeader FirstUsableLba 16919074674219090897 LastUsableLba 15260458605071593567

Backup GptHeader Guid 3be5a33f-566e-692d-d566-7f1ec3d28397

Backup GptHeader 656470262 Partitions starting at LBA 10786266267620801067

Backup GptHeader Partition entry size = 347945541

GptHeader and Backup header have conflicting data

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 3.093000 GHz

Memory total: 17161666560, free: 15210659840

Wondering if I should try the DDS option, but I will wait until I hear from you.

system-log.txt

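The MBAR section above prints the primary GPT header fields of drive 0 next to a "backup" header whose values are nonsense, and ends with "GptHeader and Backup header have conflicting data". The Python below is an added example, not MBAR's or RogueKiller's code, that rebuilds that check: it decodes the 92-byte header laid out in the UEFI specification, verifies the header CRC32 with the CRC field zeroed, and compares primary and backup field by field. The sample input is constructed from the values in the log (disk GUID, LBAs, entry count and size); the healthy backup and the filler bytes after the garbage signature are assumptions, since only the field values appear in the thread.

```python
"""Consistency check of a GPT primary header against its backup copy.

Added example for this thread (not MBAR's or RogueKiller's code). The field
values in the constructed sample come from the MBAR log; no disk is read.
"""
import struct
import uuid
import zlib

GPT_SIGNATURE = b"EFI PART"          # MBAR prints these bytes as 4546492050415254
# Layout of the 92-byte header at the start of LBA 1 (UEFI spec, GPT header table).
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 92
FIELDS = (
    "signature", "revision", "header_size", "header_crc32", "reserved",
    "my_lba", "alternate_lba", "first_usable_lba", "last_usable_lba",
    "disk_guid", "partition_entry_lba", "num_entries", "entry_size",
    "entry_array_crc32",
)


def parse_header(sector: bytes) -> dict:
    """Decode the header fields of one sector; the GUID becomes a uuid.UUID."""
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, sector, 0)))
    hdr["disk_guid"] = uuid.UUID(bytes_le=hdr["disk_guid"])  # GUIDs are mixed-endian
    return hdr


def header_crc_ok(sector: bytes) -> bool:
    """Recompute the header CRC32 over header_size bytes with the CRC field zeroed."""
    size = struct.unpack_from("<I", sector, 12)[0]
    if not HEADER_SIZE <= size <= len(sector):
        return False
    stored = struct.unpack_from("<I", sector, 16)[0]
    zeroed = sector[:16] + b"\x00\x00\x00\x00" + sector[20:size]
    return zlib.crc32(zeroed) & 0xFFFFFFFF == stored


def build_header(my_lba, alternate_lba, first_usable, last_usable, disk_guid,
                 entry_lba, num_entries=128, entry_size=128, array_crc=0,
                 sector_size=512) -> bytes:
    """Assemble a spec-conformant header sector (constructed data for the demo)."""
    raw = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0,
                      my_lba, alternate_lba, first_usable, last_usable,
                      uuid.UUID(disk_guid).bytes_le, entry_lba, num_entries,
                      entry_size, array_crc)
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    raw = raw[:16] + struct.pack("<I", crc) + raw[20:]
    return raw.ljust(sector_size, b"\x00")


def check_gpt(primary_sector: bytes, backup_sector: bytes) -> list:
    """Return findings as strings; an empty list means primary and backup agree."""
    findings = []
    for name, sector in (("primary", primary_sector), ("backup", backup_sector)):
        if sector[:8] != GPT_SIGNATURE:
            findings.append(f"{name}: bad signature {sector[:8].hex()}")
        elif not header_crc_ok(sector):
            findings.append(f"{name}: header CRC32 mismatch")
    if findings:
        return findings  # a sector that is not a header has no fields worth comparing
    p, b = parse_header(primary_sector), parse_header(backup_sector)
    if p["my_lba"] != 1:
        findings.append(f"primary: MyLBA is {p['my_lba']}, expected 1")
    # The backup mirrors the primary with MyLBA and AlternateLBA swapped.
    if b["my_lba"] != p["alternate_lba"] or b["alternate_lba"] != p["my_lba"]:
        findings.append("backup: LBA cross-references do not point back at the primary")
    for field in ("revision", "first_usable_lba", "last_usable_lba", "disk_guid",
                  "num_entries", "entry_size", "entry_array_crc32"):
        if p[field] != b[field]:
            findings.append(f"{field}: primary={p[field]} backup={b[field]}")
    return findings


# Constructed sample input built from the values MBAR printed for drive 0.
DISK_GUID = "818a32b0-5ece-4940-9ae8-d4fdd4ca76c2"
BACKUP_LBA = 5860533167               # last sector of the disk
PRIMARY = build_header(1, BACKUP_LBA, 34, 5860533134, DISK_GUID, entry_lba=2)
# Assumed healthy backup: its entry array sits right after LastUsableLba.
GOOD_BACKUP = build_header(BACKUP_LBA, 1, 34, 5860533134, DISK_GUID, entry_lba=5860533135)
# The sector MBAR reported: it starts with the bytes the log shows as the backup
# signature, padded with constructed filler, and carries no "EFI PART" at all.
GARBAGE_BACKUP = bytes.fromhex("f5efe9cc90515cec").ljust(512, b"\x5a")

if __name__ == "__main__":
    for label, backup in (("consistent backup", GOOD_BACKUP),
                          ("sector from the log", GARBAGE_BACKUP)):
        issues = check_gpt(PRIMARY, backup)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```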

MBAR is designed to run on all versions of Windows from XP upwards, 32-bit and 64-bit, so your system should have been OK. Obviously rootkits are not always predictable and can have an adverse effect on tools...

See if this will run:

Download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The EULA will appear; please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.


RogueKiller completed

RogueKiller V8.4.0 [Dec 14 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : dad [Admin rights]

Mode : Scan -- Date : 12/14/2012 18:37:30

¤¤¤ Bad processes : 6 ¤¤¤

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] vbc.exe -- C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe -> KILLED [TermProc]

[SUSP PATH] CurseClient.exe -- C:\Users\dad\AppData\Local\Apps\2.0\A5HZHV7E.49E\EPJR92MJ.OX5\curs..tion_9e9e83ddf3ed3ead_0005.0001_dafeadaaa30c70ac\CurseClient.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : tmpF2D4.tmp ("C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe") -> FOUND

[RUN][SUSP PATH] HKCU\[...]\Run : tmp218B.tmp ("C:\Users\dad\AppData\Local\Temp\tmp218B.tmp.exe") -> FOUND

[RUN][SUSP PATH] HKCU\[...]\Run : SABnzb ("C:\Users\dad\AppData\Roaming\spotnet\Sab.Exe") -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-4097097530-1195289049-4146929262-1000[...]\Run : tmpF2D4.tmp ("C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe") -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-4097097530-1195289049-4146929262-1000[...]\Run : tmp218B.tmp ("C:\Users\dad\AppData\Local\Temp\tmp218B.tmp.exe") -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-4097097530-1195289049-4146929262-1000[...]\Run : SABnzb ("C:\Users\dad\AppData\Roaming\spotnet\Sab.Exe") -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : CitrixReceiver ("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk") -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[RUN][SUSP PATH] [ON_G:net]HKCU[...]\Run : system tool (C:\WINDOWS\sysguard.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\Documents and Settings\Default\NTUSER.DAT

-> D:\Documents and Settings\Default User\NTUSER.DAT

-> G:\windows\system32\config\SOFTWARE

-> G:\Documents and Settings\Administrator\NTUSER.DAT

-> G:\Documents and Settings\All Users\NTUSER.DAT

-> G:\Documents and Settings\Default User\NTUSER.DAT

-> G:\Documents and Settings\LocalService\NTUSER.DAT

-> G:\Documents and Settings\net\NTUSER.DAT

-> G:\Documents and Settings\NetworkService\NTUSER.DAT

-> G:\Documents and Settings\UpdatusUser\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS723030ALA640 ATA Device +++++

--- User ---

[MBR] 94802f0a71a3f3518ae7165a83cff9f1

[BSP] 0e08c53246899d50e6e390b9724ed5f8 : MBR Code unknown

Partition table:

0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EACS-00D6B0 ATA Device +++++

--- User ---

[MBR] 7cd6b1ee4e3f2541dfc5adf5030cbc49

[BSP] 5d5b1cf4df0585cfc0f62a70e8830f0b : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953868 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive2: WDC WD10EACS-00C7B0 ATA Device +++++

--- User ---

[MBR] 9de79cdc22447db2d5328b0b90c48807

[BSP] 1bf30be330fe4f834892945fdd368eca : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 949772 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: ST32000542AS ATA Device +++++

--- User ---

[MBR] 297732d830503dd60ff5deeb0efad2f9

[BSP] 9d00ef3261701e8e5c6068bf3290a8cd : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive4: WDC WD1600JD-00HBB0 ATA Device +++++

--- User ---

[MBR] 1bb90e4ea7b2c3dc98f74fde12c6142e

[BSP] 6c70628380ce842f6c6db91c2bccda7d : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 6650910 | Size: 144373 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12142012_02d1837.txt >>

RKreport[1]_S_12142012_02d1837.txt


Re-run RogueKiller, select the Scan button, and when that finishes select the Delete button. When that completes, post its log.

Next,

Re-open Malwarebytes and check for updates. Run a Full scan, deal with anything it finds, and post that log...

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right click on the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found

  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

If threats were found

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish
  • Close program
  • Copy and paste the report here

Thanks,

Kevin


Wow, am I disheartened. At this point I'm considering wiping the OS and starting over.

I thought I was winning the war on a keylogger virus. Then I saw the results of the ESET scan. MWB's and MS Security Essentials and RogueKiller all showed signs of fewer items found. Then ESET found a boatload of items. So the question is:

Is ESET believable, and if so, is it that much better than the others?

I will attach the files and place the screen shots here also. I will place them in the order I acquired them.

////// First RogueKiller scans clean and scan again. //////


RKreport[1]_S_12142012_02d1837.txt

//////// Second scan ///////

RogueKiller V8.4.0 [Dec 14 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : dad [Admin rights]

Mode : Remove -- Date : 12/14/2012 19:47:29

¤¤¤ Bad processes : 8 ¤¤¤

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] vbc.exe -- C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe -> KILLED [TermProc]

[SUSP PATH] CurseClient.exe -- C:\Users\dad\AppData\Local\Apps\2.0\A5HZHV7E.49E\EPJR92MJ.OX5\curs..tion_9e9e83ddf3ed3ead_0005.0001_dafeadaaa30c70ac\CurseClient.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : tmpF2D4.tmp ("C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe") -> DELETED

[RUN][SUSP PATH] HKCU\[...]\Run : tmp218B.tmp ("C:\Users\dad\AppData\Local\Temp\tmp218B.tmp.exe") -> DELETED

[RUN][SUSP PATH] HKCU\[...]\Run : SABnzb ("C:\Users\dad\AppData\Roaming\spotnet\Sab.Exe") -> DELETED

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : CitrixReceiver ("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk") -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[RUN][SUSP PATH] [ON_G:net]HKCU[...]\Run : system tool (C:\WINDOWS\sysguard.exe) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\Documents and Settings\Default\NTUSER.DAT

-> D:\Documents and Settings\Default User\NTUSER.DAT

-> G:\windows\system32\config\SOFTWARE

-> G:\Documents and Settings\Administrator\NTUSER.DAT

-> G:\Documents and Settings\All Users\NTUSER.DAT

-> G:\Documents and Settings\Default User\NTUSER.DAT

-> G:\Documents and Settings\LocalService\NTUSER.DAT

-> G:\Documents and Settings\net\NTUSER.DAT

-> G:\Documents and Settings\NetworkService\NTUSER.DAT

-> G:\Documents and Settings\UpdatusUser\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS723030ALA640 ATA Device +++++

--- User ---

[MBR] 94802f0a71a3f3518ae7165a83cff9f1

[BSP] 0e08c53246899d50e6e390b9724ed5f8 : MBR Code unknown

Partition table:

0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EACS-00D6B0 ATA Device +++++

--- User ---

[MBR] 7cd6b1ee4e3f2541dfc5adf5030cbc49

[BSP] 5d5b1cf4df0585cfc0f62a70e8830f0b : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953868 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive2: WDC WD10EACS-00C7B0 ATA Device +++++

--- User ---

[MBR] 9de79cdc22447db2d5328b0b90c48807

[BSP] 1bf30be330fe4f834892945fdd368eca : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 949772 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: ST32000542AS ATA Device +++++

--- User ---

[MBR] 297732d830503dd60ff5deeb0efad2f9

[BSP] 9d00ef3261701e8e5c6068bf3290a8cd : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive4: WDC WD1600JD-00HBB0 ATA Device +++++

--- User ---

[MBR] 1bb90e4ea7b2c3dc98f74fde12c6142e

[BSP] 6c70628380ce842f6c6db91c2bccda7d : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 6650910 | Size: 144373 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_12142012_02d1947.txt >>

RKreport[1]_S_12142012_02d1837.txt ; RKreport[2]_D_12142012_02d1947.txt

///// Third Scan /////

RogueKiller V8.4.0 [Dec 14 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : dad [Admin rights]

Mode : Scan -- Date : 12/14/2012 19:49:47

¤¤¤ Bad processes : 10 ¤¤¤

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[SUSP PATH] vbc.exe -- C:\Users\dad\AppData\Local\Temp\tmpF2D4.tmp.exe -> KILLED [TermProc]

[SUSP PATH] CurseClient.exe -- C:\Users\dad\AppData\Local\Apps\2.0\A5HZHV7E.49E\EPJR92MJ.OX5\curs..tion_9e9e83ddf3ed3ead_0005.0001_dafeadaaa30c70ac\CurseClient.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

[RESIDUE] browsemngr.exe -- C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\Documents and Settings\Default\NTUSER.DAT

-> D:\Documents and Settings\Default User\NTUSER.DAT

-> G:\windows\system32\config\SOFTWARE

-> G:\Documents and Settings\Administrator\NTUSER.DAT

-> G:\Documents and Settings\All Users\NTUSER.DAT

-> G:\Documents and Settings\Default User\NTUSER.DAT

-> G:\Documents and Settings\LocalService\NTUSER.DAT

-> G:\Documents and Settings\net\NTUSER.DAT

-> G:\Documents and Settings\NetworkService\NTUSER.DAT

-> G:\Documents and Settings\UpdatusUser\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS723030ALA640 ATA Device +++++

--- User ---

[MBR] 94802f0a71a3f3518ae7165a83cff9f1

[BSP] 0e08c53246899d50e6e390b9724ed5f8 : MBR Code unknown

Partition table:

0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EACS-00D6B0 ATA Device +++++

--- User ---

[MBR] 7cd6b1ee4e3f2541dfc5adf5030cbc49

[BSP] 5d5b1cf4df0585cfc0f62a70e8830f0b : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953868 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive2: WDC WD10EACS-00C7B0 ATA Device +++++

--- User ---

[MBR] 9de79cdc22447db2d5328b0b90c48807

[BSP] 1bf30be330fe4f834892945fdd368eca : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 949772 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: ST32000542AS ATA Device +++++

--- User ---

[MBR] 297732d830503dd60ff5deeb0efad2f9

[BSP] 9d00ef3261701e8e5c6068bf3290a8cd : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive4: WDC WD1600JD-00HBB0 ATA Device +++++

--- User ---

[MBR] 1bb90e4ea7b2c3dc98f74fde12c6142e

[BSP] 6c70628380ce842f6c6db91c2bccda7d : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 6650910 | Size: 144373 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3]_S_12142012_02d1949.txt >>

RKreport[1]_S_12142012_02d1837.txt ; RKreport[2]_D_12142012_02d1947.txt ; RKreport[3]_S_12142012_02d1949.txt

/////// Malwarebytes first //////////

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.15.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

dad :: DADSPC [administrator]

Protection: Enabled

12/14/2012 7:52:27 PM

mbam-log-2012-12-14 (21-55-54)2.txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 736294

Time elapsed: 2 hour(s), 2 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

/////// Malwarebytes Second //////////

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.15.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

dad :: DADSPC [administrator]

Protection: Enabled

12/14/2012 9:58:29 PM

mbam-log-2012-12-14 (21-58-29).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 736726

Time elapsed: 1 hour(s), 48 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

/////// Eset First //////////

C:\Games_josh\Titans Quest\TITAN.QUEST.V1.30.ALL.ATOTIK.NOCD\Titan.Quest.v1.30.No-Cd~DvD.Patch.exe a variant of Win32/HackTool.Patcher.A application

C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll a variant of Win32/bProtector.A application

C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe a variant of Win32/bProtector.A application

C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\uninstall.exe a variant of Win32/bProtector.A application

C:\ProgramData\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension\content\browsemngr.js Win32/bProtector.C application

C:\Users\All Users\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll a variant of Win32/bProtector.A application

C:\Users\All Users\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe a variant of Win32/bProtector.A application

C:\Users\All Users\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\uninstall.exe a variant of Win32/bProtector.A application

C:\Users\All Users\Browser Manager\2.3.787.43\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension\content\browsemngr.js Win32/bProtector.C application

C:\Users\dad\AppData\Local\Temp\airA5B5.exe Win32/Toolbar.Babylon application

C:\Users\dad\AppData\Local\Temp\dlziF.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Local\Temp\hDzIi.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Local\Temp\QmdbJ.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Local\Temp\VgIpy.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Local\Temp\SABnzbd\SAbnzbd.Exe a variant of MSIL/Kryptik.FC trojan

C:\Users\dad\AppData\Local\Temp\Spotnet\sabnzb.Exe a variant of MSIL/Injector.AOX trojan

C:\Users\dad\AppData\Roaming\itrpR.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Roaming\spotnet6.exe a variant of MSIL/Injector.AOX trojan

C:\Users\dad\AppData\Roaming\spotnet8.exe a variant of MSIL/Injector.AQU trojan

C:\Users\dad\AppData\Roaming\spotnet9.exe a variant of MSIL/Injector.AQU trojan

C:\Users\dad\AppData\Roaming\Zdxle.vbs VBS/Reger.C trojan

C:\Users\dad\AppData\Roaming\sabnzbd\sabdnzbd.Exe a variant of MSIL/Injector.AQU trojan

C:\Users\dad\AppData\Roaming\spotnet\Sab.Exe a variant of MSIL/Injector.AQU trojan

C:\Users\dad\Desktop\Files\Adobe PageMaker X3\Adobe_Pagemaker_7_0_1_rar\Adobe Pagemaker 7.0.1.exe a variant of MSIL/Injector.ARG trojan

C:\Windows.old.000\$Recycle.Bin\S-1-5-21-1609333858-3218370772-1294020140-1000\$RT2U4FI\backup-20050615-171941-941.dll a variant of Win32/Adware.Toolbar.Visicom.AB application

C:\Windows.old.000\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Documents and Settings\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Documents and Settings\Annette\Desktop\Nets Desktop off old PC\Desktop Stuff\cnet2_J4E_Setup_exe.exe a variant of Win32/InstallCore.D application

C:\Windows.old.000\Documents and Settings\Dad\AppData\Local\Application Data\Temp\YontooSetup-Silent.exe multiple threats

C:\Windows.old.000\Documents and Settings\Dad\AppData\Local\Temp\YontooSetup-Silent.exe multiple threats

C:\Windows.old.000\Documents and Settings\Dad\Local Settings\Temp\YontooSetup-Silent.exe multiple threats

C:\Windows.old.000\Program Files (x86)\THQ\Titan Quest\Titan.Quest.v1.30.No-Cd~DvD.Patch.exe a variant of Win32/HackTool.Patcher.A application

C:\Windows.old.000\Program Files (x86)\THQ\Titan Questlsj\Titan.Quest.v1.30.No-Cd~DvD.Patch.exe a variant of Win32/HackTool.Patcher.A application

C:\Windows.old.000\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Users\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Windows.old.000\Users\Annette\Desktop\Nets Desktop off old PC\Desktop Stuff\cnet2_J4E_Setup_exe.exe a variant of Win32/InstallCore.D application

C:\Windows.old.000\Users\Dad\AppData\Local\Temp\YontooSetup-Silent.exe multiple threats

C:\Windows.old.000\Users\Dad\Local Settings\Temp\YontooSetup-Silent.exe multiple threats

Operating memory multiple threats

I blew it when I set up for the ESET scan. I only scanned my C: and not all my drives. Guess I'll have to start over. I'm so sorry, all the scanning and all the hours spent. Guess I'm just tired; been at this for three days.

RKreport1_S_12142012_02d1837.txt

RKreport2_D_12142012_02d1947.txt

RKreport3_S_12142012_02d1949.txt

mbam-log-2012-12-14 (21-55-54)2.txt

mbam-log-2012-12-14 (21-58-29)3.txt

esetscan1.txt


Hey, don't give up. ESET is a very thorough scanner; it will usually miss nothing. OK, the best way forward now is to re-run ESET one more time; on this occasion make sure the option to Remove found threats is ticked.

Let ESET remove all of the bad entries this time, and when complete save the log. Now re-boot your system, open Malwarebytes and check for updates, run a Quick scan and kill anything it finds...

Post the logs from ESET and Malwarebytes, also give an update on any current issues or concerns....

Kevin...


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
