Trojan.agent Svchost.exe Problem



So I have been getting blue screens a lot whenever I start up my PC; well, maybe 1 out of 3 times I start up my PC I get a blue screen. Anyway, it's been going on for 4 months, ever since Malwarebytes started finding a trojan agent called svchost.exe. I asked my friend and he said it was a false positive since svchost is a Microsoft DLL file that all DLLs run under the name of. So I ignored it, and for the exact same amount of time my computer has been getting a Chinese error when going to google.com; however, google.ru/Google's IP still worked. I've been doing school and didn't have time to care. Now I do have time and looked it up. Apparently it's a trojan that uses svchost to hide. I keep scanning with Malwarebytes, SUPERAntiSpyware, and Trojan Killer, but every time they say they'll remove it on startup, it keeps coming back. Any help to remove this trojan would be appreciated. Thanks.

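svchost.exe is indeed a legitimate Windows process host, but that only makes a detection on it a false positive when the flagged file is the real one, which on Windows 7 lives in C:\Windows\System32 (with a 32-bit copy in C:\Windows\SysWOW64). The FRST log posted later in this thread lists C:\Windows\svchost.exe, a copy sitting in the Windows root where no svchost.exe belongs. The Python script below is an added example, not code from this thread or from the FRST tool: it parses FRST-style file lines and flags core Windows binary names found outside their home directory. The directory table and the sample log lines are constructed assumptions for the example, modelled on the log format in the thread.

```python
"""Triage FRST 'Created/Modified Files' lines for masquerading system binaries.

Added example, not code from the thread or from the FRST tool. It reads lines
in the format FRST prints in its file sections:

    <timestamp> - <timestamp> - <size> <attrs> [(<company>)] <path>

and flags core Windows binary names that sit outside the directory where the
real binary lives. The sample lines below are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Assumption for the example: where each core binary legitimately lives on a
# Windows 7 x64 install (lower-case, no trailing backslash). A file with one of
# these names anywhere else is a masquerading candidate.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe":    {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

LINE_RE = re.compile(
    r"^(?P<stamp1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<stamp2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"   # company string is optional
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Constructed sample modelled on the log format in the thread.
SAMPLE_LOG = r"""
2012-12-14 15:54 - 2012-12-14 15:54 - 00000000 ____D C:\FRST
2012-12-13 18:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-12-11 18:50 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-10 22:03 - 2012-12-10 22:04 - 00000033 ____A C:\Users\Shadowsdabom\Desktop\programs.txt
2012-12-09 10:00 - 2009-07-13 17:14 - 00027136 ____A (Microsoft Corporation) C:\Windows\System32\svchost.exe
2012-12-09 10:01 - 2012-12-09 10:01 - 00020480 ____A C:\Users\Shadowsdabom\AppData\Local\Temp\svchost.exe
"""


def parse_line(line):
    """Return a dict for one FRST file line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec


def is_masquerade(path):
    """True if the file name is a core binary and its directory is not its home."""
    p = PureWindowsPath(path)
    homes = EXPECTED_DIRS.get(p.name.lower())
    if homes is None:
        return False
    return str(p.parent).lower() not in homes


def triage(lines):
    """Return the suspicious records, each with a short reason string."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_masquerade(rec["path"]):
            continue
        name = PureWindowsPath(rec["path"]).name
        # The company string comes from the file itself, so a copied or forged
        # binary carries it too; it is context, not a trust signal.
        reason = f"{name} outside {sorted(EXPECTED_DIRS[name.lower()])}"
        if rec["company"]:
            reason += f" (claims company: {rec['company']})"
        findings.append({"path": rec["path"], "size": rec["size"],
                         "company": rec["company"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['path']}  {f['size']} bytes  ->  {f['reason']}")
```

Run against the sample, it flags the Windows-root copy and the Temp copy and leaves the System32 one alone. The example treats the company string as untrusted context rather than a signature check: a file copied out of System32 keeps its version information, so on the flagged line the path is the indicator and the "Microsoft Corporation" label carries no weight by itself.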

  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012

Ran by SYSTEM at 14-12-2012 15:55:32

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8312352 2009-10-28] (Realtek Semiconductor)

HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)

HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-09-25] (NEC Electronics Corporation)

HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)

HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273544 2011-07-31] (RealNetworks, Inc.)

HKLM-x32\...\Run: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Apps\WDDriveAutoUnlock.exe [1687968 2011-12-16] (Western Digital)

HKLM-x32\...\Run: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini" [381 2012-12-14] ()

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKU\Shadowsdabom\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2011-06-05] (Acresso Corporation)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)

2 CrossLoopService; "C:\Users\Shadowsdabom\AppData\Local\CrossLoop\CrossLoopService.exe" --service [560848 2010-08-17] (CrossLoop Inc)

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

2 N360; "C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-09-20] ()

3 tvnserver; "C:\Users\Shadowsdabom\AppData\Local\CrossLoop\tvnserver.exe" -service [814080 2010-07-21] (GlavSoft LLC.)

2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [451072 2009-07-13] (Microsoft Corporation)

2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [396288 2009-07-13] (Microsoft Corporation)

2 WDDriveService; "C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe" [246688 2011-12-16] (Western Digital)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-15] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)

1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20121212.001\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)

3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.003\ENG64.SYS [126112 2012-11-21] (Symantec Corporation)

3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.003\EX64.SYS [2084000 2012-11-21] (Symantec Corporation)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-12-31] (Duplex Secure Ltd.)

1 SRTSP; C:\Windows\System32\Drivers\N360x64\0502020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)

1 SRTSPX; C:\Windows\system32\drivers\N360x64\0502020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)

0 SymDS; C:\Windows\System32\drivers\N360x64\0502020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)

0 SymEFA; C:\Windows\System32\drivers\N360x64\0502020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-07-27] (Symantec Corporation)

1 SymIRON; C:\Windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS [171128 2010-11-15] (Symantec Corporation)

1 SymNetS; C:\Windows\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

3 TrojanKillerDriver; C:\Windows\System32\DRIVERS\gtkdrv.sys [16640 2012-01-04] (Windows ® Win 7 DDK provider)

3 ALSysIO; \??\C:\Users\SHADOW~1\AppData\Local\Temp\ALSysIO64.sys [x]

3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\safedrv.sys [x]

3 X6va005; \??\C:\Users\SHADOW~1\AppData\Local\Temp\0052E81.tmp [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-14 15:54 - 2012-12-14 15:54 - 00000000 ____D C:\FRST

2012-12-13 18:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-12-11 19:14 - 2012-12-11 19:14 - 00010508 ____A C:\Users\Shadowsdabom\Documents\cc_20121211_201413.reg

2012-12-11 19:11 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-12-11 19:11 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-12-11 19:11 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-12-11 19:11 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-12-11 19:11 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-12-11 19:11 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-12-11 19:11 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-12-11 19:11 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-12-11 19:11 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-12-11 19:11 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-12-11 19:11 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-12-11 19:11 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-12-11 19:11 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-12-11 19:11 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-12-11 19:11 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-12-11 19:11 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-12-11 19:11 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-12-11 19:11 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-12-11 19:11 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-12-11 19:11 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-12-11 19:11 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-12-11 19:11 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-12-11 19:11 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-12-11 19:11 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-12-11 19:11 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-12-11 19:11 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-12-11 19:11 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-12-11 19:11 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-12-11 19:11 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-12-11 19:11 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-12-11 19:11 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-12-11 19:11 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-12-11 19:09 - 2012-11-22 00:20 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-12-11 19:09 - 2012-11-08 21:34 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-12-11 19:09 - 2012-11-08 20:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2012-12-11 19:09 - 2012-11-05 08:25 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-11 19:09 - 2012-11-05 06:17 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-11 19:09 - 2012-11-05 06:03 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-11 19:09 - 2012-11-05 06:03 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-11 18:50 - 2012-10-04 09:38 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2012-12-11 18:50 - 2012-10-04 09:38 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2012-12-11 18:50 - 2012-10-04 09:38 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2012-12-11 18:50 - 2012-10-04 09:38 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2012-12-11 18:50 - 2012-10-04 09:35 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2012-12-11 18:50 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2012-12-11 18:50 - 2012-10-04 09:32 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:54 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2012-12-11 18:50 - 2012-10-04 08:54 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2012-12-11 18:50 - 2012-10-04 08:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 07:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2012-12-11 18:50 - 2012-10-04 06:49 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2012-12-11 18:50 - 2012-10-04 06:49 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2012-12-11 18:50 - 2012-10-04 06:49 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2012-12-11 18:50 - 2012-10-04 06:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2012-12-11 18:50 - 2012-10-04 06:44 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 06:44 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 06:44 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2012-12-11 18:50 - 2012-10-04 06:44 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2012-12-11 18:49 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll

2012-12-11 18:49 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll

2012-12-11 18:49 - 2012-09-06 09:38 - 00295792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys

2012-12-11 09:53 - 2012-12-11 09:53 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi

2012-12-11 00:56 - 2012-12-11 19:39 - 00000644 ____A C:\Windows\PFRO.log

2012-12-11 00:03 - 2012-12-11 00:06 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-12-11 00:03 - 2012-12-11 00:03 - 00001815 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-12-11 00:03 - 2012-12-11 00:03 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\SUPERAntiSpyware.com

2012-12-11 00:03 - 2012-12-11 00:03 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-12-11 00:00 - 2012-12-12 18:14 - 00000000 ____D C:\Program Files (x86)\GridinSoft Trojan Killer

2012-12-11 00:00 - 2012-12-11 00:00 - 00001146 ____A C:\Users\Public\Desktop\Trojan Killer.lnk

2012-12-10 22:03 - 2012-12-10 22:04 - 00000033 ____A C:\Users\Shadowsdabom\Desktop\programs.txt

2012-12-09 15:21 - 2012-12-09 15:22 - 00017627 ____A C:\Windows\DirectX.log

2012-12-09 15:13 - 2012-12-09 15:14 - 00002480 ____A C:\Users\Shadowsdabom\Desktop\error google.txt

2012-12-09 14:30 - 2012-12-09 14:31 - 00000000 ____D C:\Users\Shadowsdabom\Desktop\google error

2012-12-09 14:24 - 2012-12-09 14:25 - 00006102 ____A C:\Users\Shadowsdabom\Documents\cc_20121209_152456.reg

2012-12-08 12:23 - 2012-12-14 14:34 - 01149922 ____A C:\Windows\WindowsUpdate.log

2012-12-08 12:20 - 2012-12-14 14:37 - 00002028 ____A C:\Windows\setupact.log

2012-12-08 12:20 - 2012-12-08 12:20 - 00000000 ____A C:\Windows\setuperr.log

2012-12-07 23:47 - 2012-12-07 23:47 - 00000000 ____D C:\Windows\pss

2012-12-07 23:18 - 2012-12-07 23:18 - 00015564 ____A C:\Users\Shadowsdabom\Documents\cc_20121208_001818.reg

2012-12-07 23:06 - 2012-12-07 23:06 - 00000000 ____D C:\Program Files (x86)\InfoAtoms

2012-12-06 09:31 - 2012-12-07 23:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-03 21:41 - 2012-12-04 00:56 - 00010893 ____A C:\Users\Shadowsdabom\Documents\lastlab.xlsx

2012-12-02 14:43 - 2012-12-06 19:11 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\PixelTail

2012-12-02 14:43 - 2012-12-02 14:43 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\Subversion

2012-12-02 14:40 - 2012-12-02 14:40 - 02373224 ____A C:\Users\Shadowsdabom\Downloads\GMTUpdater_1.2.6.zip

2012-12-01 22:26 - 2012-12-01 22:28 - 155298482 ____A C:\Users\Shadowsdabom\Downloads\PKMN Black 2.zip

2012-11-29 23:07 - 2012-11-29 23:07 - 00005017 ____A C:\Users\Shadowsdabom\Downloads\Addon Fixer.rar

2012-11-24 23:28 - 2012-11-24 23:28 - 00000000 ____D C:\Users\Shadowsdabom\Documents\Eidos

2012-11-23 02:37 - 2012-11-23 02:37 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\Sony Online Entertainment

2012-11-23 02:28 - 2012-11-23 02:28 - 00000000 ____D C:\Users\Shadowsdabom\Documents\NBGI

2012-11-23 02:27 - 2012-11-23 02:27 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\NBGI

2012-11-21 12:52 - 2012-11-21 12:52 - 00000000 ____D C:\Users\Shadowsdabom\Documents\Wizards of the Coast

2012-11-16 01:51 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-16 01:51 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-16 01:51 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-16 01:51 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-16 01:21 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-16 01:21 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-16 01:21 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-16 01:21 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-16 01:21 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-16 01:21 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-16 01:21 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-16 01:21 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-11-16 01:10 - 2012-09-25 14:39 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll

2012-11-16 01:10 - 2012-09-25 13:55 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll

2012-11-16 01:10 - 2012-05-31 21:17 - 00014848 ____A (Microsoft Corporation) C:\Windows\System32\wamregps.dll

2012-11-16 01:10 - 2012-05-31 21:16 - 00191488 ____A (Microsoft Corporation) C:\Windows\System32\iisRtl.dll

2012-11-16 01:10 - 2012-05-31 21:16 - 00011264 ____A (Microsoft Corporation) C:\Windows\System32\iisrstap.dll

2012-11-16 01:10 - 2012-05-31 21:15 - 00060928 ____A (Microsoft Corporation) C:\Windows\System32\ahadmin.dll

2012-11-16 01:10 - 2012-05-31 21:15 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\admwprox.dll

2012-11-16 01:10 - 2012-05-31 21:14 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\iisreset.exe

2012-11-16 01:10 - 2012-05-31 20:47 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wamregps.dll

2012-11-16 01:10 - 2012-05-31 20:44 - 00154624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisRtl.dll

2012-11-16 01:10 - 2012-05-31 20:44 - 00008192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisrstap.dll

2012-11-16 01:10 - 2012-05-31 20:43 - 00050688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admwprox.dll

2012-11-16 01:10 - 2012-05-31 20:43 - 00026624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ahadmin.dll

2012-11-16 01:10 - 2012-05-31 20:42 - 00015360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisreset.exe

2012-11-16 00:02 - 2012-11-16 00:02 - 00007744 ____A C:\Users\Shadowsdabom\Documents\cc_20121116_010247.reg

==================== One Month Modified Files and Folders =======

2012-12-14 15:54 - 2012-12-14 15:54 - 00000000 ____D C:\FRST

2012-12-14 14:37 - 2012-12-08 12:20 - 00002028 ____A C:\Windows\setupact.log

2012-12-14 14:37 - 2010-12-08 11:56 - 00000000 ____D C:\Users\All Users\NVIDIA

2012-12-14 14:37 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-14 14:34 - 2012-12-08 12:23 - 01149922 ____A C:\Windows\WindowsUpdate.log

2012-12-14 14:31 - 2009-07-13 21:13 - 00990098 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-14 14:06 - 2012-11-10 18:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-14 12:48 - 2010-12-15 22:28 - 00000000 ____D C:\Program Files (x86)\World of Warcraft

2012-12-14 08:25 - 2010-12-25 13:50 - 00000000 ____D C:\Program Files (x86)\Steam

2012-12-14 08:22 - 2009-07-13 20:45 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-14 08:22 - 2009-07-13 20:45 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-12 18:14 - 2012-12-11 00:00 - 00000000 ____D C:\Program Files (x86)\GridinSoft Trojan Killer

2012-12-11 23:22 - 2012-02-20 15:35 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-12-11 21:02 - 2012-02-20 15:38 - 00000039 ____A C:\Windows\vbaddin.ini

2012-12-11 19:39 - 2012-12-11 00:56 - 00000644 ____A C:\Windows\PFRO.log

2012-12-11 19:39 - 2009-07-13 20:45 - 00319224 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-11 19:14 - 2012-12-11 19:14 - 00010508 ____A C:\Users\Shadowsdabom\Documents\cc_20121211_201413.reg

2012-12-11 19:13 - 2012-10-30 13:15 - 67413224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-12-11 18:35 - 2011-03-02 00:30 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\CrashDumps

2012-12-11 18:06 - 2012-07-18 13:07 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-11 18:06 - 2011-08-16 23:03 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-11 17:09 - 2011-04-25 14:43 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\LogMeIn Hamachi

2012-12-11 09:53 - 2012-12-11 09:53 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi

2012-12-11 00:52 - 2011-12-13 09:04 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\SoftGrid Client

2012-12-11 00:36 - 2011-10-26 15:56 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\PMB Files

2012-12-11 00:06 - 2012-12-11 00:03 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-12-11 00:03 - 2012-12-11 00:03 - 00001815 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-12-11 00:03 - 2012-12-11 00:03 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\SUPERAntiSpyware.com

2012-12-11 00:03 - 2012-12-11 00:03 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-12-11 00:00 - 2012-12-11 00:00 - 00001146 ____A C:\Users\Public\Desktop\Trojan Killer.lnk

2012-12-10 22:04 - 2012-12-10 22:03 - 00000033 ____A C:\Users\Shadowsdabom\Desktop\programs.txt

2012-12-10 20:06 - 2012-08-21 14:16 - 00000000 ____D C:\Users\Shadowsdabom\Desktop\Important Storys and scripts

2012-12-10 20:04 - 2011-10-06 16:51 - 00000000 ____D C:\Users\Shadowsdabom\Desktop\misc

2012-12-09 15:22 - 2012-12-09 15:21 - 00017627 ____A C:\Windows\DirectX.log

2012-12-09 15:14 - 2012-12-09 15:13 - 00002480 ____A C:\Users\Shadowsdabom\Desktop\error google.txt

2012-12-09 14:31 - 2012-12-09 14:30 - 00000000 ____D C:\Users\Shadowsdabom\Desktop\google error

2012-12-09 14:31 - 2012-06-23 01:26 - 00000000 ____D C:\Users\Shadowsdabom\Documents\Bandicam

2012-12-09 14:25 - 2012-12-09 14:24 - 00006102 ____A C:\Users\Shadowsdabom\Documents\cc_20121209_152456.reg

2012-12-09 13:33 - 2011-05-16 19:33 - 00000000 ____D C:\Users\All Users\Adobe

2012-12-09 01:19 - 2012-06-11 15:50 - 00001875 ____A C:\Users\Shadowsdabom\AppData\Roaming\SAS7_000.DAT

2012-12-08 12:20 - 2012-12-08 12:20 - 00000000 ____A C:\Windows\setuperr.log

2012-12-08 11:27 - 2012-04-04 19:51 - 00000000 ____D C:\Windows\Minidump

2012-12-07 23:47 - 2012-12-07 23:47 - 00000000 ____D C:\Windows\pss

2012-12-07 23:23 - 2011-07-06 11:13 - 00000481 ____A C:\Users\Shadowsdabom\Documents\Kalebsdebt.txt

2012-12-07 23:18 - 2012-12-07 23:18 - 00015564 ____A C:\Users\Shadowsdabom\Documents\cc_20121208_001818.reg

2012-12-07 23:06 - 2012-12-07 23:06 - 00000000 ____D C:\Program Files (x86)\InfoAtoms

2012-12-07 23:06 - 2012-12-06 09:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-06 19:11 - 2012-12-02 14:43 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\PixelTail

2012-12-06 19:11 - 2010-12-15 22:26 - 00071432 ____A C:\Users\Shadowsdabom\AppData\Local\GDIPFONTCACHEV1.DAT

2012-12-06 16:35 - 2012-05-03 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-12-05 21:34 - 2011-02-22 23:02 - 00000000 ____D C:\Users\Shadowsdabom\Documents\My Games

2012-12-04 01:25 - 2010-12-15 22:03 - 00000000 ____D C:\users\Shadowsdabom

2012-12-04 00:56 - 2012-12-03 21:41 - 00010893 ____A C:\Users\Shadowsdabom\Documents\lastlab.xlsx

2012-12-02 14:43 - 2012-12-02 14:43 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\Subversion

2012-12-02 14:40 - 2012-12-02 14:40 - 02373224 ____A C:\Users\Shadowsdabom\Downloads\GMTUpdater_1.2.6.zip

2012-12-02 13:05 - 2010-12-23 01:24 - 00000000 ____D C:\Program Files (x86)\StarCraft II

2012-12-02 02:00 - 2011-05-06 10:58 - 00000308 ____A C:\Windows\Tasks\Crysis Wars® Updates.job

2012-12-02 02:00 - 2011-05-06 10:54 - 00000000 __HDC C:\Users\All Users\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}

2012-12-01 22:28 - 2012-12-01 22:26 - 155298482 ____A C:\Users\Shadowsdabom\Downloads\PKMN Black 2.zip

2012-11-30 16:32 - 2012-08-17 15:55 - 00001413 ____A C:\Users\Public\Desktop\DayZ Commander.lnk

2012-11-29 23:07 - 2012-11-29 23:07 - 00005017 ____A C:\Users\Shadowsdabom\Downloads\Addon Fixer.rar

2012-11-26 23:21 - 2012-08-23 12:38 - 00071432 ____A C:\Users\Shadowsdabom\AppData\Roaming\GDIPFONTCACHEV1.DAT

2012-11-25 15:05 - 2009-07-13 21:08 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-11-24 23:28 - 2012-11-24 23:28 - 00000000 ____D C:\Users\Shadowsdabom\Documents\Eidos

2012-11-23 02:37 - 2012-11-23 02:37 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\Sony Online Entertainment

2012-11-23 02:28 - 2012-11-23 02:28 - 00000000 ____D C:\Users\Shadowsdabom\Documents\NBGI

2012-11-23 02:27 - 2012-11-23 02:27 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\NBGI

2012-11-22 00:20 - 2012-12-11 19:09 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-21 12:52 - 2012-11-21 12:52 - 00000000 ____D C:\Users\Shadowsdabom\Documents\Wizards of the Coast

2012-11-18 14:44 - 2012-11-03 22:34 - 00000551 ____A C:\Users\Shadowsdabom\Desktop\funny book intro.txt

2012-11-17 21:14 - 2011-10-26 15:56 - 00000000 ____D C:\Users\All Users\PMB Files

2012-11-16 19:31 - 2012-07-21 20:30 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Roaming\Skype

2012-11-16 15:57 - 2011-01-10 21:59 - 00000000 ____D C:\Users\Shadowsdabom\AppData\Local\CrossLoop

2012-11-16 12:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv

2012-11-16 12:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv

2012-11-16 00:02 - 2012-11-16 00:02 - 00007744 ____A C:\Users\Shadowsdabom\Documents\cc_20121116_010247.reg

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-11 18:49] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-09 15:21:15

Restore point made on: 2012-12-09 19:03:59

Restore point made on: 2012-12-09 23:28:43

Restore point made on: 2012-12-11 00:29:26

Restore point made on: 2012-12-11 01:03:54

Restore point made on: 2012-12-11 10:22:22

Restore point made on: 2012-12-11 19:10:54

Restore point made on: 2012-12-11 21:01:41

Restore point made on: 2012-12-11 23:20:11

Restore point made on: 2012-12-13 00:18:29

Restore point made on: 2012-12-13 11:36:50

Restore point made on: 2012-12-13 20:01:50

==================== Memory info ===========================

Percentage of memory in use: 8%

Total physical RAM: 12285.55 MB

Available physical RAM: 11264.96 MB

Total Pagefile: 12283.7 MB

Available Pagefile: 11256.57 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

2 Drive c: (Windows) (Fixed) (Total:931.41 GB) (Free:111.61 GB) NTFS

3 Drive d: (Secondary) (Fixed) (Total:1863.01 GB) (Free:1463.24 GB) NTFS

5 Drive g: () (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (System) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 1863 GB 0 B

Disk 2 Online 3862 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Windows NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1863 GB 1024 KB

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D Secondary NTFS Partition 1863 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 3862 MB 0 B

==================================================================================

Disk: 2

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2012-10-08 06:30

==================== End Of Log =============================


  • Staff

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
2012-12-13 18:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
TDL4: custom:26000022 <===== ATTENTION!
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

NEXT

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version, so also read the disclaimer and back up all your data before using it.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

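The fix above moves C:\Windows\svchost.exe. The real service host lives in C:\Windows\System32 (and SysWOW64 for the 32-bit copy), which is why FRST's "Bamital & volsnap Check" hashes those two paths and not this one; a same-named file sitting in C:\Windows is a masquerade regardless of the "(Microsoft Corporation)" string printed beside it, because FRST reads that string from the file's own version resource and anyone can set it. As an added example, not code from this thread or from FRST, here is a small Python parser for FRST file lines with a check for core Windows binaries found outside their legitimate directories. The sample lines follow the shapes in the log above; the C:\Windows\System32\svchost.exe line, its size and its timestamps are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# One FRST "files" line: modified time, created time, 8-digit size, five
# attribute flags, an optional "(Company)" taken from the file's version
# resource, then the path. Written against the line shapes in the log above.
FRST_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# Where each core Windows binary legitimately lives on 64-bit Windows 7; these
# are the locations FRST itself hash-checks in its "Bamital & volsnap Check".
# A file with one of these names anywhere else is a masquerade candidate.
LEGIT_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Constructed sample input: the rogue svchost line from the fixlist above plus
# lines shaped like the rest of the FRST log. The System32 svchost line (size,
# timestamps) is made up for the example and is not a real file record.
SAMPLE_FRST_LINES = [
    r"2012-12-13 18:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe",
    r"2012-12-11 19:13 - 2012-10-30 13:15 - 67413224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe",
    r"2012-12-11 19:09 - 2009-07-13 17:14 - 00027136 ____A (Microsoft Corporation) C:\Windows\System32\svchost.exe",
    r"2012-12-14 08:25 - 2010-12-25 13:50 - 00000000 ____D C:\Program Files (x86)\Steam",
    r"2012-12-11 00:00 - 2012-12-11 00:00 - 00001146 ____A C:\Users\Public\Desktop\Trojan Killer.lnk",
    r"2012-12-02 02:00 - 2011-05-06 10:54 - 00000000 __HDC C:\Users\All Users\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}",
    "ATTENTION: ========> Check for possible partition/boot infection:",
]


def parse_frst_line(line):
    """Parse one FRST file line into a dict; return None for any other line."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["is_dir"] = "D" in rec["attrs"]   # ____D / __HDC etc. mark directories
    return rec


def find_masquerades(lines):
    """Return paths of files named like a core Windows binary that sit outside
    that binary's legitimate directories. The company string is deliberately
    ignored: it comes from the file's version resource, so a rogue binary can
    carry "Microsoft Corporation" just as the one in this thread does. Location
    (and, offline, an Authenticode signature check) is the evidence."""
    hits = []
    for line in lines:
        rec = parse_frst_line(line)
        if rec is None or rec["is_dir"]:
            continue
        path = PureWindowsPath(rec["path"])
        legit = LEGIT_DIRS.get(path.name.lower())
        if legit is not None and str(path.parent).lower() not in legit:
            hits.append(rec["path"])
    return hits


if __name__ == "__main__":
    for p in find_masquerades(SAMPLE_FRST_LINES):
        print("masquerade candidate:", p)
```

Run against a full FRST log the same function would also surface copies of services.exe, winlogon.exe or explorer.exe dropped into user-writable folders, which is the same trick under a different name.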

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-14 18:09:47 Run:1

Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====


Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.14.12

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Shadowsdabom :: SHADOWSDABOM-PC [administrator]

12/14/2012 6:58:44 PM

mbar-log-2012-12-14 (18-58-44).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 32780

Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 4880 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.TDL4.B.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_1953524470_user.mbam (Forged physical sector) -> Delete on reboot.

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

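The MBAR result above reports the MBR on drive 0 as forged (Bootkit.TDL4.B.MBR) and flags a run of sectors past the end of the last partition. As an added example that is not part of this thread or of Malwarebytes' tooling, the Python below shows what those two findings rest on: decoding the partition table in sector 0, computing the LBA ranges no partition covers (the general case of the single tail range MBAR scans), and comparing a sector 0 read through the normal disk stack with one read beneath it, the way a rootkit that hooks the disk stack and serves a clean copy of the MBR is caught. The sample MBR is constructed from the table values in the log (disk signature 12FCF55E, the two NTFS partitions, the 1000204886016-byte disk); the boot code bytes are placeholders, not TDL4's or Windows' real loader code.

```python
import hashlib
import struct

SECTOR = 512


def build_mbr(disk_sig, partitions, boot_code):
    """Assemble one 512-byte MBR: 440 bytes of boot code, 4-byte disk
    signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA.
    partitions: up to four (active, type, start_lba, num_sectors) tuples.
    CHS fields are left zero; the LBA fields are what matters here."""
    if len(boot_code) != 440:
        raise ValueError("boot code must be exactly 440 bytes")
    table = b""
    for i in range(4):
        if i < len(partitions):
            active, ptype, start, count = partitions[i]
            table += struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                                 b"\0\0\0", ptype, b"\0\0\0", start, count)
        else:
            table += b"\0" * 16
    return boot_code + struct.pack("<I", disk_sig) + b"\0\0" + table + b"\x55\xAA"


def parse_mbr(buf):
    """Decode raw sector 0 into disk signature, partition entries and a hash
    of the boot code, which is the part a bootkit patches."""
    if len(buf) != SECTOR or buf[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", buf, 446 + 16 * i)
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start_lba": start, "num_sectors": count})
    return {"disk_signature": struct.unpack_from("<I", buf, 440)[0],
            "partitions": parts,
            "boot_code_md5": hashlib.md5(buf[:440]).hexdigest()}


def unpartitioned_ranges(mbr, disk_sectors):
    """Every LBA range [first, last) not covered by a partition entry, sector 0
    excluded. Generalises the single tail scan in the MBAR log to any table;
    TDL4-class bootkits keep their hidden file system in the final gap."""
    used = sorted((p["start_lba"], p["start_lba"] + p["num_sectors"])
                  for p in mbr["partitions"] if p["type"] != 0)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def compare_reads(via_stack, via_direct):
    """MBAR-style forgery check: sector 0 read through the normal disk stack
    must be byte-identical to sector 0 read beneath any filter/miniport hook.
    Any difference means something in the stack is serving a fake MBR."""
    return {"forged": via_stack != via_direct,
            "stack_md5": hashlib.md5(via_stack).hexdigest(),
            "direct_md5": hashlib.md5(via_direct).hexdigest()}


# Constructed sample using the table values MBAR reported for drive 0.
DISK_SECTORS = 1000204886016 // SECTOR           # 1953525168 sectors
PARTS = [(True, 0x07, 2048, 204800),             # 100 MB System partition, active
         (False, 0x07, 206848, 1953314816)]      # 931 GB Windows partition
# Placeholder boot code, not real loader bytes: a JMP/NOP filler stands for the
# clean copy the hook hands back, an all-zero block for the patched on-disk copy.
REPORTED_MBR = build_mbr(0x12FCF55E, PARTS, b"\xEB\x3C" + b"\x90" * 438)
ON_DISK_MBR = build_mbr(0x12FCF55E, PARTS, b"\x00" * 440)

if __name__ == "__main__":
    table = parse_mbr(ON_DISK_MBR)
    print("disk signature: %08X" % table["disk_signature"])
    print("unpartitioned:", unpartitioned_ranges(table, DISK_SECTORS))
    print("forged:", compare_reads(REPORTED_MBR, ON_DISK_MBR)["forged"])
```

Note that both copies carry an identical partition table, so a scanner that only validates the table would pass the infected disk; the boot code bytes, or a hash of them, have to be compared as well, and the read has to come from below the hooked driver to be worth anything.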

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.14.12

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Shadowsdabom :: SHADOWSDABOM-PC [administrator]

12/14/2012 7:17:28 PM

mbar-log-2012-12-14 (19-17-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 32715

Time elapsed: 10 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 3.016000 GHz

Memory total: 12882337792, free: 9685790720

------------ Kernel report ------------

12/14/2012 18:48:17

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\System32\Drivers\spvg.sys

\SystemRoot\System32\Drivers\WMILIB.SYS

\SystemRoot\System32\Drivers\SCSIPORT.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\DRIVERS\pciide.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SRTSP64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\Ironx64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\SRTSPX64.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20121130.005\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdppm.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\System32\Drivers\a6hzm7y0.SYS

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\drivers\ScreamingBAudio64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\MarvinBus64.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\EX64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\ENG64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20121214.001\IDSvia64.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\Wldap32.dll

\Windows\System32\imm32.dll

\Windows\System32\shell32.dll

\Windows\System32\imagehlp.dll

\Windows\System32\msvcrt.dll

\Windows\System32\msctf.dll

\Windows\System32\kernel32.dll

\Windows\System32\gdi32.dll

\Windows\System32\setupapi.dll

\Windows\System32\psapi.dll

\Windows\System32\ws2_32.dll

\Windows\System32\wininet.dll

\Windows\System32\comdlg32.dll

\Windows\System32\user32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\ole32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\nsi.dll

\Windows\System32\normaliz.dll

\Windows\System32\urlmon.dll

\Windows\System32\lpk.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800bbb2060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000091\

Lower Device Object: 0xfffffa800bbcf560

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800aabb790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T1L0-3\

Lower Device Object: 0xfffffa800a8af060

Lower Device Driver Name: \Driver\atapi\

Extracting driver name by original object failed

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800aaba410

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-1\

Lower Device Object: 0xfffffa800a8a5060

Lower Device Driver Name: \00000552\

Driver name found: atapi

Downloaded database version: v2012.12.14.12

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800aaba410, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800aabb040, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800aaba410, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800a8a3580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800a8a5060, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \00000552\

------------ End ----------

Upper DeviceData: 0xfffff8a026e8d580, 0xfffffa800aaba410, 0xfffffa801138a090

Lower DeviceData: 0xfffff8a026ea9260, 0xfffffa800a8a5060, 0xfffffa8011404600

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

File user open failed: C:\Windows\system32\drivers\sptd.sys (0x00000020)

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [4e914bd9d254ae24ccca9b120a2b5099]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 12FCF55E

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 1953314816

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Infected: MBR on Drive 0 --> [bootkit.TDL4.B.MBR]

Replacement MBR for a drive 0 found

MBR infection found on drive 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...

Sector 1953524470 --> [Forged physical sector]

Sector 1953524471 --> [Forged physical sector]

Sector 1953524472 --> [Forged physical sector]

Sector 1953524473 --> [Forged physical sector]

Sector 1953524474 --> [Forged physical sector]

Sector 1953524475 --> [Forged physical sector]

Sector 1953524476 --> [Forged physical sector]

Sector 1953524477 --> [Forged physical sector]

Sector 1953524478 --> [Forged physical sector]

Sector 1953524479 --> [Forged physical sector]

Sector 1953524480 --> [Forged physical sector]

Sector 1953524481 --> [Forged physical sector]

Sector 1953524482 --> [Forged physical sector]

Sector 1953524483 --> [Forged physical sector]

Sector 1953524484 --> [Forged physical sector]

Sector 1953524485 --> [Forged physical sector]

Sector 1953524486 --> [Forged physical sector]

Sector 1953524487 --> [Forged physical sector]

Sector 1953524488 --> [Forged physical sector]

Sector 1953524489 --> [Forged physical sector]

Sector 1953524490 --> [Forged physical sector]

Sector 1953524491 --> [Forged physical sector]

Sector 1953524492 --> [Forged physical sector]

Sector 1953524493 --> [Forged physical sector]

Sector 1953524494 --> [Forged physical sector]

Sector 1953524495 --> [Forged physical sector]

Sector 1953524496 --> [Forged physical sector]

Sector 1953524497 --> [Forged physical sector]

Sector 1953524498 --> [Forged physical sector]

Sector 1953524499 --> [Forged physical sector]

Sector 1953524500 --> [Forged physical sector]

Sector 1953524501 --> [Forged physical sector]

Sector 1953524502 --> [Forged physical sector]

Sector 1953524503 --> [Forged physical sector]

Sector 1953524504 --> [Forged physical sector]

Sector 1953524505 --> [Forged physical sector]

Sector 1953524506 --> [Forged physical sector]

Sector 1953524507 --> [Forged physical sector]

Sector 1953524508 --> [Forged physical sector]

Sector 1953524509 --> [Forged physical sector]

Sector 1953524510 --> [Forged physical sector]

Sector 1953524511 --> [Forged physical sector]

Sector 1953524512 --> [Forged physical sector]

Sector 1953524513 --> [Forged physical sector]

Sector 1953524514 --> [Forged physical sector]

Sector 1953524515 --> [Forged physical sector]

Sector 1953524516 --> [Forged physical sector]

Sector 1953524517 --> [Forged physical sector]

Sector 1953524518 --> [Forged physical sector]

Sector 1953524519 --> [Forged physical sector]

Sector 1953524520 --> [Forged physical sector]

Sector 1953524521 --> [Forged physical sector]

Sector 1953524522 --> [Forged physical sector]

Sector 1953524523 --> [Forged physical sector]

Sector 1953524524 --> [Forged physical sector]

Sector 1953524525 --> [Forged physical sector]

Sector 1953524526 --> [Forged physical sector]

Sector 1953524527 --> [Forged physical sector]

Sector 1953524528 --> [Forged physical sector]

Sector 1953524529 --> [Forged physical sector]

Sector 1953524530 --> [Forged physical sector]

Sector 1953524531 --> [Forged physical sector]

Sector 1953524532 --> [Forged physical sector]

Sector 1953524533 --> [Forged physical sector]

Sector 1953524534 --> [Forged physical sector]

Sector 1953524535 --> [Forged physical sector]

Sector 1953524536 --> [Forged physical sector]

Sector 1953524537 --> [Forged physical sector]

Sector 1953524538 --> [Forged physical sector]

Sector 1953524539 --> [Forged physical sector]

Sector 1953524540 --> [Forged physical sector]

Sector 1953524541 --> [Forged physical sector]

Sector 1953524542 --> [Forged physical sector]

Sector 1953524543 --> [Forged physical sector]

Sector 1953524544 --> [Forged physical sector]

Sector 1953524545 --> [Forged physical sector]

Sector 1953524546 --> [Forged physical sector]

Sector 1953524547 --> [Forged physical sector]

Sector 1953524548 --> [Forged physical sector]

DevicePointer: 0xfffffa800aabb790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800a89ae40, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800a8af060, DeviceName: \Device\Ide\IdeDeviceP1T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a026ea9180, 0xfffffa800aabb790, 0xfffffa801070e090

Lower DeviceData: 0xfffff8a026e8d5b0, 0xfffffa800a8af060, 0xfffffa8011391bc0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 5B2C169A

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 2048 Numsec = 3907024896

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 2000398934016 bytes

Sector size: 512 bytes

Physical Sector Size: 512

Drive: 2, DevicePointer: 0xfffffa800bbb2060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800bb63a60, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800bbb2060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800bbcf560, DeviceName: \Device\00000091\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a026eb1680, 0xfffffa800bbb2060, 0xfffffa801142a090

Lower DeviceData: 0xfffff8a026e8d550, 0xfffffa800bbcf560, 0xfffffa8011305090

Drive 2

Scanning MBR on drive 2...

Inspecting partition table:

Partition information:

This drive is a Single Partition removable Drive.

Partition file system is FAT32

Partition is not bootable

Disk Size: 4049600512 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\installedupdates.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\setup.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\setup.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{5794CDCB-FAB7-4C15-9069-4D8AC02592DE}\CrysisWars_patch5.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{5794CDCB-FAB7-4C15-9069-4D8AC02592DE}\instance.dat" is compressed (flags = 1)

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 2

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 3.016000 GHz

Memory total: 12882337792, free: 10808643584

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 3.016000 GHz

Memory total: 12882337792, free: 10417147904

------------ Kernel report ------------

12/14/2012 19:06:00

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\System32\Drivers\spjj.sys

\SystemRoot\System32\Drivers\WMILIB.SYS

\SystemRoot\System32\Drivers\SCSIPORT.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\DRIVERS\pciide.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SRTSP64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\Ironx64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\SRTSPX64.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\EX64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\ENG64.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20121214.001\IDSvia64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20121130.005\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdppm.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\System32\Drivers\awz3eycv.SYS

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\drivers\ScreamingBAudio64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\MarvinBus64.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\drivers\spsys.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800d259060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000008e\

Lower Device Object: 0xfffffa800d24f340

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800aabc060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T1L0-3\

Lower Device Object: 0xfffffa800a8b0060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800aabb060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-1\

Lower Device Object: 0xfffffa800a8a6060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 3.016000 GHz

Memory total: 12882337792, free: 10366410752

------------ Kernel report ------------

12/14/2012 19:06:17

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\System32\Drivers\spjj.sys

\SystemRoot\System32\Drivers\WMILIB.SYS

\SystemRoot\System32\Drivers\SCSIPORT.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\DRIVERS\pciide.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SRTSP64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\Ironx64.SYS

\SystemRoot\system32\drivers\N360x64\0502020.003\SRTSPX64.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\EX64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20121214.008\ENG64.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20121214.001\IDSvia64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20121130.005\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdppm.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\System32\Drivers\awz3eycv.SYS

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\drivers\ScreamingBAudio64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\MarvinBus64.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\drivers\spsys.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800d259060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000008e\

Lower Device Object: 0xfffffa800d24f340

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa800a17c090

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800aabc060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T1L0-3\

Lower Device Object: 0xfffffa800a8b0060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa800e379a90

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800aabb060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-1\

Lower Device Object: 0xfffffa800a8a6060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa8009e9fe40

Downloaded database version: v2012.12.15.01

Downloaded database version: v2012.12.15.01

Canceled update

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800aabb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800aabbb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800aabb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800a8a4580, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800a8a6060, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a0177634c0, 0xfffffa800aabb060, 0xfffffa800a038090

Lower DeviceData: 0xfffff8a017721770, 0xfffffa800a8a6060, 0xfffffa8009e9fe40

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

File user open failed: C:\Windows\system32\drivers\sptd.sys (0x00000020)

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 12FCF55E

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 1953314816

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa800aabc060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800aabcb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800aabc060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800a819670, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800a8b0060, DeviceName: \Device\Ide\IdeDeviceP1T1L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a014d9a730, 0xfffffa800aabc060, 0xfffffa800a1e2790

Lower DeviceData: 0xfffff8a0150d8450, 0xfffffa800a8b0060, 0xfffffa800e379a90

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 5B2C169A

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 2048 Numsec = 3907024896

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 2000398934016 bytes

Sector size: 512 bytes

Physical Sector Size: 512

Drive: 2, DevicePointer: 0xfffffa800d259060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800cb81b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800d259060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800d24f340, DeviceName: \Device\0000008e\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a0176894c0, 0xfffffa800d259060, 0xfffffa800a253790

Lower DeviceData: 0xfffff8a01b42e680, 0xfffffa800d24f340, 0xfffffa800a17c090

Drive 2

Scanning MBR on drive 2...

Inspecting partition table:

Partition information:

This drive is a Single Partition removable Drive.

Partition file system is FAT32

Partition is not bootable

Disk Size: 4049600512 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\installedupdates.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}\setup.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\setup.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{5794CDCB-FAB7-4C15-9069-4D8AC02592DE}\CrysisWars_patch5.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{5794CDCB-FAB7-4C15-9069-4D8AC02592DE}\instance.dat" is compressed (flags = 1)

Done!

Scan finished

=======================================


  • Staff

We have a bit more work to do first; please run the following:

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


ComboFix 12-12-14.01 - Shadowsdabom 12/14/2012 20:22:45.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12286.9927 [GMT -7:00]

Running from: c:\users\Shadowsdabom\Desktop\ComboFix.exe

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))

.

.

2012-12-15 02:19 . 2012-12-15 02:19 -------- d-----w- c:\windows\system32\SPReview

2012-12-15 02:18 . 2012-12-15 02:18 -------- d-----w- c:\windows\system32\EventProviders

2012-12-14 23:54 . 2012-12-14 23:54 -------- d-----w- C:\FRST

2012-12-12 03:09 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-12 03:09 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-12 03:09 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2012-12-12 03:09 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-12 03:09 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-12 03:09 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-12 03:09 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-12 02:49 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-12-12 02:49 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-12-12 02:49 . 2010-11-20 12:58 3072 ----a-w- c:\windows\system32\dpnaddr.dll

2012-12-12 02:49 . 2010-11-20 11:57 2560 ----a-w- c:\windows\SysWow64\dpnaddr.dll

2012-12-11 17:53 . 2012-12-11 17:53 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi

2012-12-11 08:03 . 2012-12-11 08:03 -------- d-----w- c:\users\Shadowsdabom\AppData\Roaming\SUPERAntiSpyware.com

2012-12-11 08:03 . 2012-12-11 08:06 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-12-11 08:03 . 2012-12-11 08:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-12-11 08:00 . 2012-12-13 02:14 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer

2012-12-08 07:06 . 2012-12-08 07:06 -------- d-----w- c:\program files (x86)\InfoAtoms

2012-12-02 22:43 . 2012-12-07 03:11 -------- d-----w- c:\users\Shadowsdabom\AppData\Local\PixelTail

2012-12-02 22:43 . 2012-12-02 22:43 -------- d-----w- c:\users\Shadowsdabom\AppData\Roaming\Subversion

2012-11-23 10:37 . 2012-11-23 10:37 -------- d-----w- c:\users\Shadowsdabom\AppData\Local\Sony Online Entertainment

2012-11-23 10:27 . 2012-11-23 10:27 -------- d-----w- c:\users\Shadowsdabom\AppData\Local\NBGI

2012-11-16 09:51 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-16 09:51 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-16 09:51 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-16 09:51 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-16 09:21 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-16 09:21 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-16 09:21 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-16 09:21 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-16 09:21 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-16 09:21 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-16 09:21 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-15 02:31 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-12-15 02:31 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2012-12-12 03:13 . 2012-10-30 21:15 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-12 02:06 . 2012-07-18 21:07 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-12 02:06 . 2011-08-17 07:03 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-13 02:55 . 2012-01-30 18:58 2483008 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-11-11 02:51 . 2012-11-11 02:52 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-11 02:51 . 2011-01-04 16:56 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-11-11 02:44 . 2012-11-11 02:44 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll

2012-11-11 02:44 . 2012-11-11 02:44 289768 ----a-w- c:\windows\system32\javaws.exe

2012-11-11 02:44 . 2012-11-11 02:44 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-11-11 02:44 . 2012-11-11 02:44 189416 ----a-w- c:\windows\system32\javaw.exe

2012-11-11 02:44 . 2012-11-11 02:44 188904 ----a-w- c:\windows\system32\java.exe

2012-11-11 02:44 . 2011-01-04 00:48 916456 ----a-w- c:\windows\system32\deployJava1.dll

2012-10-30 21:11 . 2012-10-30 21:12 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-10-16 08:38 . 2012-11-27 18:23 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-27 18:23 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-27 18:23 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-04 16:40 . 2012-12-12 02:50 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-10-02 22:21 . 2012-10-11 04:42 9146728 ----a-w- c:\windows\system32\nvcuda.dll

2012-10-02 22:21 . 2012-10-11 04:42 831848 ----a-w- c:\windows\SysWow64\nvumdshim.dll

2012-10-02 22:21 . 2012-10-11 04:42 7697768 ----a-w- c:\windows\SysWow64\nvcuda.dll

2012-10-02 22:21 . 2012-10-11 04:42 7414632 ----a-w- c:\windows\system32\nvopencl.dll

2012-10-02 22:21 . 2012-10-11 04:42 6127464 ----a-w- c:\windows\SysWow64\nvopencl.dll

2012-10-02 22:21 . 2012-10-11 04:42 2747240 ----a-w- c:\windows\system32\nvcuvid.dll

2012-10-02 22:21 . 2012-10-11 04:42 26331496 ----a-w- c:\windows\system32\nvoglv64.dll

2012-10-02 22:21 . 2012-10-11 04:42 2574696 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2012-10-02 22:21 . 2012-10-11 04:42 25256296 ----a-w- c:\windows\system32\nvcompiler.dll

2012-10-02 22:21 . 2012-10-11 04:42 247144 ----a-w- c:\windows\system32\nvinitx.dll

2012-10-02 22:21 . 2012-10-11 04:42 2218344 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-10-02 22:21 . 2012-10-11 04:42 202600 ----a-w- c:\windows\SysWow64\nvinit.dll

2012-10-02 22:21 . 2012-10-11 04:42 19906920 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2012-10-02 22:21 . 2012-10-11 04:42 1867112 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2012-10-02 22:21 . 2012-10-11 04:42 18252136 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-10-02 22:21 . 2012-10-11 04:42 17559912 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2012-10-02 22:21 . 2012-10-11 04:42 15309160 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-10-02 22:21 . 2012-10-11 04:42 13443944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-10-02 22:21 . 2012-10-04 02:47 12501352 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-10-02 22:21 . 2012-10-04 02:47 2428776 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-10-02 22:21 . 2012-07-26 22:02 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll

2012-10-02 22:21 . 2012-02-22 05:49 973672 ----a-w- c:\windows\system32\nvumdshimx.dll

2012-10-02 22:21 . 2011-11-24 00:43 1760104 ----a-w- c:\windows\system32\nvdispco64.dll

2012-10-02 22:21 . 2010-12-08 19:55 2731880 ----a-w- c:\windows\system32\nvapi64.dll

2012-10-02 22:21 . 2010-12-08 19:55 14922600 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-10-02 20:15 . 2012-10-02 20:15 430952 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-10-02 19:51 . 2012-02-22 05:50 3536817 ----a-w- c:\windows\system32\nvcoproc.bin

2012-10-02 19:51 . 2010-10-16 20:13 3293544 ----a-w- c:\windows\system32\nvsvc64.dll

2012-10-02 19:51 . 2010-10-16 20:13 6200680 ----a-w- c:\windows\system32\nvcpl.dll

2012-10-02 19:50 . 2012-10-11 04:44 2557800 ----a-w- c:\windows\system32\nvsvcr.dll

2012-10-02 19:50 . 2010-10-16 21:13 63336 ----a-w- c:\windows\system32\nvshext.dll

2012-10-02 19:50 . 2010-10-16 20:13 891240 ----a-w- c:\windows\system32\nvvsvc.exe

2012-10-02 19:50 . 2010-10-16 20:13 118120 ----a-w- c:\windows\system32\nvmctray.dll

2012-09-30 03:10 . 2012-08-15 21:07 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-09-30 03:10 . 2011-05-06 18:55 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2012-09-30 03:10 . 2011-05-06 18:55 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-09-30 02:54 . 2011-01-01 06:02 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-25 06:16 . 2012-10-11 05:34 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-09-20 22:54 . 2011-05-06 18:54 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-06 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-09-26 106496]

"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-08-01 273544]

"WD Drive Unlocker"="c:\program files (x86)\Western Digital\WD Apps\WDDriveAutoUnlock.exe" [2011-12-16 1687968]

"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R2 CrossLoopService;CrossLoop Service;c:\users\Shadowsdabom\AppData\Local\CrossLoop\CrossLoopService.exe [2010-08-18 560848]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R3 ALSysIO;ALSysIO;c:\users\SHADOW~1\AppData\Local\Temp\ALSysIO64.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]

R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]

R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [2012-01-04 16640]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tvnserver;TightVNC Server;c:\users\Shadowsdabom\AppData\Local\CrossLoop\tvnserver.exe [2010-07-21 814080]

R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-19 68440]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-19 1255736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]

R3 X6va005;X6va005;c:\users\SHADOW~1\AppData\Local\Temp\0052E81.tmp [x]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-01 834544]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502020.003\SYMDS64.SYS [2011-01-27 450680]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS [2011-03-15 912504]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [2012-10-23 1384608]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20121214.001\IDSvia64.sys [2012-09-06 513184]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS [2010-11-16 171128]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS [2011-04-21 386168]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2011-06-06 296808]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-12-11 2465712]

S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-05-30 8704]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]

S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe [2011-04-17 130008]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]

S2 WDDriveService;WD Drive Manager;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [2011-12-16 246688]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]

S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-09-26 73728]

S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-09-26 178688]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]

S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [2010-07-01 38992]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-18 02:06]

.

2012-12-02 c:\windows\Tasks\Crysis Wars® Updates.job

- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2011-05-06 18:54]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-29 8312352]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office10\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

FF - ProfilePath - c:\users\Shadowsdabom\AppData\Roaming\Mozilla\Firefox\Profiles\94259wb0.default\

FF - prefs.js: browser.startup.homepage - hxxp://74.125.45.100/

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: 2012-12-08 00:06; infoatoms@infoatoms.com; c:\program files (x86)\Mozilla Firefox\extensions\infoatoms@infoatoms.com

FF - ExtSQL: !HIDDEN! 2012-12-08 00:06; infoatoms@infoatoms.com; c:\program files (x86)\Mozilla Firefox\extensions\infoatoms@infoatoms.com

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)

WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)

WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]

"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]

"ImagePath"="\??\c:\users\SHADOW~1\AppData\Local\Temp\0052E81.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-705382773-1740840466-1721545948-1000\Software\SecuROM\License information*]

"datasecu"=hex:80,11,09,b8,2e,7f,a1,cd,7f,de,b9,dc,e0,39,a8,81,43,ca,3f,f1,25,

e9,ba,4a,02,bb,9a,a9,57,c4,48,f3,ea,cf,5c,d6,b3,21,86,93,6f,0f,be,b4,97,97,\

"rkeysecu"=hex:b3,b2,bd,f5,f3,fa,0e,c8,67,16,8f,05,b0,75,04,2e

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-14 20:37:25

ComboFix-quarantined-files.txt 2012-12-15 03:37

.

Pre-Run: 131,053,584,384 bytes free

Post-Run: 130,330,558,464 bytes free

.

- - End Of File - - F152F4BBE2DC0546785E7910B909CA2B


  • Staff

Looking better!

Please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.1.4 (12.14.2012:2)

OS: Windows 7 Home Premium x64

Ran by Shadowsdabom on Fri 12/14/2012 at 21:06:54.09

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{30f9b915-b755-4826-820b-08fba6bd249d}

~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\pricegong"

Successfully deleted: [Registry Key] "hkey_current_user\software\softonic"

Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"

Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afbcb7e0-f91a-4951-9f31-58fee57a25c4}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"

Successfully deleted: [Folder] "C:\Users\Shadowsdabom\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Shadowsdabom\appdata\locallow\pricegong"

Successfully deleted: [Folder] "C:\Program Files (x86)\infoatoms"

~~~ FireFox

Successfully deleted: [Folder] "C:\Program Files (x86)\Mozilla Firefox\extensions\infoatoms@infoatoms.com"

Successfully deleted: [Registry Value] hkey_local_machine\software\mozilla\firefox\extensions\\infoatoms@infoatoms.com

Successfully deleted the following from C:\Users\Shadowsdabom\AppData\Roaming\mozilla\firefox\profiles\94259wb0.default\prefs.js

user_pref("CT2790392..clientLogIsEnabled", true);

user_pref("CT2790392..clientLogServiceUrl", "http://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");

user_pref("CT2790392..uninstallLogServiceUrl", "http://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");

user_pref("CT2790392.AboutPrivacyUrl", "http://www.conduit.com/privacy/Default.aspx");

user_pref("CT2790392.CTID", "CT2790392");

user_pref("CT2790392.CurrentServerDate", "2-3-2011");

user_pref("CT2790392.DialogsAlignMode", "LTR");

user_pref("CT2790392.DownloadReferralCookieData", "");

user_pref("CT2790392.EMailNotifierPollDate", "Tue Mar 01 2011 15:25:17 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedLastCount129313977501788460", 550);

user_pref("CT2790392.FeedPollDate129313974171006416", "Tue Mar 01 2011 15:04:41 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313975698350231", "Tue Mar 01 2011 15:04:41 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313976370850190", "Tue Mar 01 2011 15:04:41 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313976648818968", "Tue Mar 01 2011 15:04:41 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313977444757117", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313980389131455", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313980655381977", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313980886163259", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313981234756535", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313983226631720", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedPollDate129313983607725691", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.FeedTTL129313974171006416", 10);

user_pref("CT2790392.FeedTTL129313977444757117", 15);

user_pref("CT2790392.FeedTTL129313980655381977", 5);

user_pref("CT2790392.FeedTTL129313981234756535", 5);

user_pref("CT2790392.FirstServerDate", "1-1-2011");

user_pref("CT2790392.FirstTime", true);

user_pref("CT2790392.FirstTimeFF3", true);

user_pref("CT2790392.FixPageNotFoundErrors", false);

user_pref("CT2790392.GroupingServerCheckInterval", 1440);

user_pref("CT2790392.GroupingServiceUrl", "http://grouping.services.conduit.com/");

user_pref("CT2790392.HasUserGlobalKeys", true);

user_pref("CT2790392.Initialize", true);

user_pref("CT2790392.InitializeCommonPrefs", true);

user_pref("CT2790392.InstallationAndCookieDataSentCount", 3);

user_pref("CT2790392.InstallationType", "UnknownIntegration");

user_pref("CT2790392.InstalledDate", "Fri Dec 31 2010 23:15:13 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.IsGrouping", false);

user_pref("CT2790392.IsMulticommunity", false);

user_pref("CT2790392.IsOpenThankYouPage", true);

user_pref("CT2790392.IsOpenUninstallPage", false);

user_pref("CT2790392.LanguagePackLastCheckTime", "Mon Feb 28 2011 17:11:00 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.LanguagePackReloadIntervalMM", 1440);

user_pref("CT2790392.LanguagePackServiceUrl", "http://translation.users.conduit.com/Translation.ashx");

user_pref("CT2790392.LastLogin_3.2.5.2", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.LatestVersion", "3.2.5.2");

user_pref("CT2790392.Locale", "en");

user_pref("CT2790392.MCDetectTooltipHeight", "83");

user_pref("CT2790392.MCDetectTooltipUrl", "http://@EB_INSTALL_LINK@/rank/tooltip/?version=1");

user_pref("CT2790392.MCDetectTooltipWidth", "295");

user_pref("CT2790392.SearchBoxWidth", 100);

user_pref("CT2790392.SearchFromAddressBarIsInit", true);

user_pref("CT2790392.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&q=");

user_pref("CT2790392.SearchInNewTabEnabled", true);

user_pref("CT2790392.SearchInNewTabIntervalMM", 1440);

user_pref("CT2790392.SearchInNewTabLastCheckTime", "Mon Feb 28 2011 17:10:59 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.SearchInNewTabServiceUrl", "http://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");

user_pref("CT2790392.SearchInNewTabUsageUrl", "http://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?ctid=EB_TOOLBAR_ID");

user_pref("CT2790392.ServiceMapLastCheckTime", "Mon Feb 28 2011 17:11:00 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.SettingsLastCheckTime", "Tue Mar 01 2011 15:04:41 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.SettingsLastUpdate", "1298422515");

user_pref("CT2790392.ThirdPartyComponentsInterval", 504);

user_pref("CT2790392.ThirdPartyComponentsLastCheck", "Sun Feb 13 2011 18:06:24 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.ThirdPartyComponentsLastUpdate", "1246790578");

user_pref("CT2790392.TrusteLinkUrl", "http://trust.conduit.com/EB_ORIGINAL_CTID");

user_pref("CT2790392.UserID", "UN51105225172630655");

user_pref("CT2790392.ValidationData_Toolbar", 2);

user_pref("CT2790392.WeatherNetwork", "");

user_pref("CT2790392.WeatherPollDate", "Tue Mar 01 2011 15:04:42 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.WeatherUnit", "F");

user_pref("CT2790392.alertChannelId", "1182482");

user_pref("CT2790392.backendstorage.cb_firstuse0081", "31");

user_pref("CT2790392.backendstorage.http://conduit_priceblink_com/conduit.uid", "65636131333934322D323666312D656563642D396439622D343033663734653134383861");

user_pref("CT2790392.backendstorage.http://staging_priceblink_com/conduit.uid", "61626665313934302D393365662D343737302D666332612D616165633230383939326131");

user_pref("CT2790392.backendstorage.url_history", "687474703A2F2F73656375726974792E636F6D636173742E6E65742F3F6369643D4E45545F33335F30");

user_pref("CT2790392.backendstorage.url_history_time", "31323939303137313237363334");

user_pref("CT2790392.components.1000034", false);

user_pref("CT2790392.components.1000234", false);

user_pref("CT2790392.components.129298377186544355", false);

user_pref("CT2790392.components.129298377187638111", false);

user_pref("CT2790392.components.129309565073350181", false);

user_pref("CT2790392.components.129309577647413174", false);

user_pref("CT2790392.components.129309578575850709", false);

user_pref("CT2790392.components.129313977501788460", false);

user_pref("CT2790392.components.129428949113825740", false);

user_pref("CT2790392.myStuffEnabled", true);

user_pref("CT2790392.myStuffPublihserMinWidth", 400);

user_pref("CT2790392.myStuffSearchUrl", "http://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");

user_pref("CT2790392.myStuffServiceIntervalMM", 1440);

user_pref("CT2790392.myStuffServiceUrl", "http://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");

user_pref("CT2790392.testingCtid", "");

user_pref("CT2790392.toolbarAppMetaDataLastCheckTime", "Mon Feb 28 2011 17:11:00 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.toolbarContextMenuLastCheckTime", "Fri Dec 31 2010 23:15:13 GMT-0700 (US Mountain Standard Time)");

user_pref("CT2790392.usagesFlag", 2);

user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/1182482/1178159/US", "\"0\"");

user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/909619/905414/US", "\"0\"");

user_pref("CommunityToolbar.ETag.http://appsmetadata.toolbar.conduit-services.com/?ctid=CT2790392", "\"0\"");

user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "Zee/agZSWJctT5JcsQKOQQ==");

user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "/oUS1eK2SdsB3t6H2kLPsA==");

user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "+RsYuZ9IN1smka6Zuggr5w==");

user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "t6SQZ7j9WsBHhE8zC0kAEQ==");

user_pref("CommunityToolbar.ETag.http://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"01ffa8b1cc6cb1:0\"");

user_pref("CommunityToolbar.ETag.http://dynamicdialogs.engine.conduit-services.com/DLG.pkg?ver=3.3.3.2", "\"807dc126dd28cc1:0\"");

user_pref("CommunityToolbar.ETag.http://servicemap.conduit-services.com/toolbar/", "\"634333631231730000\"");

user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-services.com/?browser=FF&lut=0", "634293235860000000");

user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-services.com/?browser=FF&lut=1/11/2011 5:25:10 PM", "634335443890000000");

user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-services.com/?browser=FF&lut=12/30/2010 4:33:06 PM", "634303635100000000");

user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-services.com/?browser=FF&lut=2/17/2011 12:59:49 PM", "634339976460000000");


~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Fri 12/14/2012 at 21:13:09.37

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.100 - Logfile created 12/14/2012 at 21:20:07

# Updated 09/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Shadowsdabom - SHADOWSDABOM-PC

# Boot Mode : Normal

# Running from : C:\Users\Shadowsdabom\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Shadowsdabom\AppData\Roaming\Mozilla\Firefox\Profiles\94259wb0.default\searchplugins\safesearch.xml

Folder Deleted : C:\Users\Shadowsdabom\AppData\Roaming\Mozilla\Firefox\Profiles\94259wb0.default\Conduit

Folder Deleted : C:\Users\Shadowsdabom\AppData\Roaming\Mozilla\Firefox\Profiles\94259wb0.default\ConduitEngine

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default

File : C:\Users\Shadowsdabom\AppData\Roaming\Mozilla\Firefox\Profiles\94259wb0.default\prefs.js

Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1182482/1178159/US", "\"0\"[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/US", "\"0\"")[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2790392", [...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.engine.conduit-services.com/DLG.pkg?ver=3.3.3[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/toolbar/", "\"63433363123173[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2790392/CT2790392[...]

Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"634[...]

*************************

AdwCleaner[s1].txt - [1980 octets] - [14/12/2012 21:20:07]

########## EOF - C:\AdwCleaner[s1].txt - [2040 octets] ##########

This topic is now closed to further replies.