
svchost.exe trojan


deneyed


Have run MWB; it finds the trojan and states it is quarantined, but it continues to populate.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457

Run by Tyler at 21:58:35 on 2012-12-18

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5119.3225 [GMT -8:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\ASUS\PCE-N15 WLAN Card Utilities\RtlService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\ASUS\PCE-N15 WLAN Card Utilities\RtWlan.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\Razer\Imperator\RazerImperatorTray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe

C:\Program Files (x86)\iTunes\iTunes.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826

uURLSearchHooks: BitTorrentControl_v12 Toolbar: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files (x86)\BitTorrentControl_v12\prxtbBitT.dll

mURLSearchHooks: BitTorrentControl_v12 Toolbar: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files (x86)\BitTorrentControl_v12\prxtbBitT.dll

mWinlogon: Userinit = userinit.exe,

BHO: BitTorrentControl_v12 Toolbar: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files (x86)\BitTorrentControl_v12\prxtbBitT.dll

TB: BitTorrentControl_v12 Toolbar: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files (x86)\BitTorrentControl_v12\prxtbBitT.dll

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

mRun: [searchProtection] C:\ProgramData\Search Protection\_run.bat

mRun: [Razer Imperator Driver] C:\Program Files (x86)\Razer\Imperator\RazerImperatorTray.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

TCP: NameServer = 64.233.222.2 64.233.222.7

TCP: Interfaces\{9A4096DD-13C8-42B1-83C2-663CC10A9464} : DHCPNameServer = 64.233.222.2 64.233.222.7

SSODL: WebCheck - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3225826&q=&SearchSource=2

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll

FF - ExtSQL: 2012-12-17 18:32; crossriderapp3491@crossrider.com; C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\crossriderapp3491@crossrider.com

FF - ExtSQL: 2012-12-17 18:32; {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}; C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}

.

============= SERVICES / DRIVERS ===============

.

R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2012-12-6 14456]

R2 AsusSE;AsusSE;C:\Program Files (x86)\ASUS\PCE-N15 WLAN Card Utilities\RtlService.exe [2012-12-6 36864]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-12 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-12 676936]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-2 382824]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-12 25928]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2012-12-6 1145960]

R3 rzendpt;rzendpt;C:\Windows\System32\drivers\rzendpt.sys [2012-11-6 22016]

R3 rzudd;Razer Mouse Driver;C:\Windows\System32\drivers\rzudd.sys [2012-11-6 113664]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2012-12-6 35456]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-6 1255736]

.

=============== Created Last 30 ================

.

2012-12-19 05:56:40 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3E8FF2A5-8D4B-4036-8AE0-CB228F939F39}\mpengine.dll

2012-12-19 05:33:08 20480 ----a-w- C:\Windows\svchost.exe

2012-12-18 02:32:58 -------- d-----w- C:\Users\Tyler\AppData\Local\CRE

2012-12-18 02:32:53 -------- d-----w- C:\Users\Tyler\AppData\Local\Google

2012-12-18 02:32:53 -------- d-----w- C:\Program Files (x86)\Conduit

2012-12-18 02:32:52 -------- d-----w- C:\Users\Tyler\AppData\Local\Vid-Saver

2012-12-18 02:32:51 -------- d-----w- C:\Users\Tyler\AppData\Local\Conduit

2012-12-18 02:32:50 -------- d-----w- C:\Program Files (x86)\BitTorrentControl_v12

2012-12-18 02:32:49 -------- d-----w- C:\Program Files (x86)\Vid-Saver

2012-12-18 02:32:44 -------- d-----w- C:\Program Files (x86)\BitTorrent

2012-12-18 02:32:09 -------- d-----w- C:\Users\Tyler\AppData\Roaming\BitTorrent

2012-12-16 04:24:20 -------- d-----w- C:\Users\Tyler\AppData\Local\Razer

2012-12-13 06:14:01 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-12-13 06:14:01 304640 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll

2012-12-13 06:14:01 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-12-13 06:14:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-12-13 06:14:01 194048 ----a-w- C:\Program Files (x86)\Internet Explorer\IEShims.dll

2012-12-13 06:14:01 182816 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll

2012-12-13 06:14:01 149552 ----a-w- C:\Program Files (x86)\Internet Explorer\sqmapi.dll

2012-12-12 20:43:21 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-12-12 20:42:59 4608 ---ha-w- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-12 18:32:52 -------- d-----w- C:\Users\Tyler\AppData\Roaming\Malwarebytes

2012-12-12 18:31:51 -------- d-----w- C:\ProgramData\Malwarebytes

2012-12-12 18:31:49 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-12 18:31:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-07 02:26:08 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2012-12-07 02:26:08 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys

2012-12-07 02:26:08 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys

2012-12-07 02:26:08 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys

2012-12-07 02:26:08 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys

2012-12-07 02:26:08 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys

2012-12-07 02:26:08 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys

2012-12-07 02:25:59 2565632 ----a-w- C:\Windows\System32\esent.dll

2012-12-07 02:25:58 96768 ----a-w- C:\Windows\System32\fsutil.exe

2012-12-07 02:25:58 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2012-12-07 02:25:58 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2012-12-07 02:25:58 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2012-12-07 02:25:58 189824 ----a-w- C:\Windows\System32\drivers\storport.sys

2012-12-07 02:25:58 1699328 ----a-w- C:\Windows\SysWow64\esent.dll

2012-12-07 02:25:58 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2012-12-07 02:25:58 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2012-12-07 02:25:58 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2012-12-07 00:53:53 163056 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin

2012-12-06 19:29:48 35456 ----a-w- C:\Windows\System32\drivers\gfiark.sys

2012-12-06 19:19:55 -------- d-----w- C:\Windows\SysWow64\Wat

2012-12-06 19:19:54 -------- d-----w- C:\Windows\System32\Wat

2012-12-06 10:38:55 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-12-06 10:38:55 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-12-06 10:38:55 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-12-06 10:38:55 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-12-06 10:23:58 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-12-06 10:23:58 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-12-06 10:23:58 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-12-06 10:23:58 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-12-06 10:23:58 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-12-06 10:23:58 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-12-06 10:23:58 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-12-06 10:22:24 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2012-12-06 10:22:24 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-12-06 10:22:24 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-12-06 10:22:24 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-12-06 10:22:24 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-12-06 10:01:48 -------- d-----w- C:\Users\Tyler\AppData\Local\Apple Computer

2012-12-06 10:01:05 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-12-06 10:00:15 -------- d-----w- C:\Program Files\iPod

2012-12-06 10:00:14 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-12-06 10:00:14 -------- d-----w- C:\Program Files\iTunes

2012-12-06 10:00:14 -------- d-----w- C:\Program Files (x86)\iTunes

2012-12-06 09:59:21 -------- d-----w- C:\Users\Tyler\AppData\Local\Apple

2012-12-06 09:58:47 -------- d-----w- C:\Program Files\Bonjour

2012-12-06 09:58:47 -------- d-----w- C:\Program Files (x86)\Bonjour

2012-12-06 09:57:44 -------- d-----w- C:\Program Files (x86)\Common Files\Steam

2012-12-06 09:57:23 -------- d-----w- C:\Program Files (x86)\Steam

2012-12-06 09:42:22 -------- d-----w- C:\Users\Tyler\AppData\Local\Macromedia

2012-12-06 09:42:08 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-06 09:42:08 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-12-06 09:36:57 395776 ----a-w- C:\Windows\System32\webio.dll

2012-12-06 09:35:41 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-12-06 09:34:50 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys

2012-12-06 09:34:49 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-12-06 09:34:48 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe

2012-12-06 09:34:48 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2012-12-06 09:34:48 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll

2012-12-06 09:34:15 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-12-06 09:34:15 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-12-06 09:32:47 715776 ----a-w- C:\Windows\System32\kerberos.dll

2012-12-06 09:31:59 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL

2012-12-06 09:17:30 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2012-12-06 08:43:25 -------- d-----w- C:\Users\Tyler\AppData\Roaming\LavasoftStatistics

2012-12-06 08:41:16 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2012-12-06 08:39:36 63336 ----a-w- C:\Windows\System32\nvshext.dll

2012-12-06 08:39:35 891240 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-12-06 08:39:35 3293544 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-12-06 08:39:35 2557800 ----a-w- C:\Windows\System32\nvsvcr.dll

2012-12-06 08:39:34 6200680 ----a-w- C:\Windows\System32\nvcpl.dll

2012-12-06 08:39:34 118120 ----a-w- C:\Windows\System32\nvmctray.dll

2012-12-06 08:37:47 60776 ----a-w- C:\Windows\System32\OpenCL.dll

2012-12-06 08:37:47 52584 ----a-w- C:\Windows\SysWow64\OpenCL.dll

2012-12-06 08:37:13 -------- d-----w- C:\ProgramData\NVIDIA Corporation

2012-12-06 08:37:00 -------- d-----w- C:\Program Files\NVIDIA Corporation

2012-12-06 08:34:39 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus

2012-12-06 08:34:22 -------- d-----w- C:\Users\Tyler\AppData\Local\Downloaded Installations

2012-12-06 08:34:16 14456 ----a-w- C:\Windows\System32\drivers\gfibto.sys

2012-12-06 08:33:38 -------- d-----w- C:\ProgramData\Search Protection

2012-12-06 08:33:24 -------- d-----w- C:\Users\Tyler\AppData\Roaming\blekko

2012-12-06 08:31:20 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-12-06 08:31:20 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-12-06 08:31:20 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-12-06 08:23:27 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-12-06 08:23:22 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-12-06 08:23:15 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-12-06 08:23:15 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-12-06 08:22:30 -------- d-----w- C:\Program Files (x86)\Cisco

2012-12-06 08:22:29 -------- d-sh--w- C:\Windows\Installer

2012-12-06 08:22:01 1145960 ----a-r- C:\Windows\System32\drivers\rtl8192ce.sys

2012-12-06 08:21:24 614400 ----a-w- C:\Windows\SysWow64\Rtlihvs.dll

2012-12-06 08:21:24 380928 ----a-w- C:\Windows\RtlUI2.exe

2012-12-06 08:21:23 188416 ----a-w- C:\Windows\SysWow64\RTLExtUI.dll

2012-12-06 08:21:22 451072 ----a-w- C:\Windows\SysWow64\ISSRemoveSP.exe

2012-12-06 08:21:22 -------- d-----w- C:\Program Files (x86)\ASUS

2012-12-06 04:52:46 -------- d-----w- C:\Windows\Panther

.

==================== Find3M ====================

.

2012-11-22 03:26:40 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-11-15 01:44:52 56320 ----a-w- C:\Windows\SysWow64\rzdevinfo.dll

2012-11-15 01:44:52 148480 ----a-w- C:\Windows\SysWow64\rztouchdll.dll

2012-11-15 01:44:48 617472 ----a-w- C:\Windows\SysWow64\rzdevicedll.dll

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-11-07 07:49:46 22016 ----a-w- C:\Windows\System32\drivers\rzendpt.sys

2012-11-07 07:49:46 113664 ----a-w- C:\Windows\System32\drivers\rzudd.sys

2012-11-07 07:47:02 182272 ----a-w- C:\Windows\SysWow64\rzaudiodll.dll

2012-11-05 21:35:16 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-11-05 20:41:32 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-11-05 20:32:16 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-11-05 20:32:09 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-11 05:22:54 2428776 ----a-w- C:\Windows\SysWow64\nvapi.dll

2012-10-11 05:22:52 26331496 ----a-w- C:\Windows\System32\nvoglv64.dll

2012-10-11 05:22:52 1760104 ----a-w- C:\Windows\System32\nvdispco64.dll

2012-10-11 05:22:32 15309160 ----a-w- C:\Windows\SysWow64\nvd3dum.dll

2012-10-11 05:22:26 2747240 ----a-w- C:\Windows\System32\nvcuvid.dll

2012-10-11 05:22:24 19906920 ----a-w- C:\Windows\SysWow64\nvoglv32.dll

2012-10-11 05:22:18 13443944 ----a-w- C:\Windows\System32\drivers\nvlddmkm.sys

2012-10-11 05:22:14 17559912 ----a-w- C:\Windows\SysWow64\nvcompiler.dll

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll

2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-10-02 21:15:52 430952 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

2012-09-28 18:32:56 5989776 ----a-w- C:\Windows\System32\usbaaplrc.dll

2012-09-28 18:32:56 53760 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys

2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll

.

============= FINISH: 21:59:33.74 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/5/2012 9:29:13 PM

System Uptime: 12/18/2012 9:30:49 PM (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | Rampage Formula

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | LGA775 | 2394/266mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 105.793 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Standard PS/2 Keyboard

Device ID: ACPI\PNP0303\4&23F9C1E3&0

Manufacturer: (Standard keyboards)

Name: Standard PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&23F9C1E3&0

Service: i8042prt

.

==== System Restore Points ===================

.

RP11: 12/7/2012 2:06:29 AM - Windows Update

RP12: 12/12/2012 10:13:36 PM - Windows Update

RP13: 12/15/2012 8:20:11 PM - Windows Update

RP14: 12/15/2012 8:24:02 PM - Installed Razer Synapse 2.0.

RP15: 12/15/2012 8:29:21 PM - Windows Update

RP16: 12/16/2012 12:54:12 AM - Windows Update

RP17: 12/16/2012 1:26:30 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ASUS PCE-N15 WLAN Card Utilities & Driver

BitTorrent

BitTorrentControl_v12 Toolbar

Bonjour

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

iTunes

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Mozilla Firefox 17.0.1 (x86 en-US)

Mozilla Maintenance Service

NVIDIA 3D Vision Driver 306.97

NVIDIA Control Panel 306.97

NVIDIA Graphics Driver 306.97

NVIDIA Install Application

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.10.8

NVIDIA Update Components

Razer Imperator

Razer Synapse 2.0

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Steam

The Binding of Isaac

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Vid-Saver

.

==== Event Viewer Messages From Past Week ========

.

12/18/2012 2:46:54 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

12/18/2012 2:02:06 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

12/18/2012 2:02:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

12/18/2012 2:02:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

12/18/2012 2:02:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/18/2012 2:01:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

12/18/2012 2:01:50 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6

12/18/2012 2:01:43 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000286b66b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121812-32167-01.

12/18/2012 12:33:13 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.

12/17/2012 7:21:30 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

12/17/2012 7:20:05 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000286666b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121712-20701-01.

12/17/2012 6:21:15 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000287966b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121712-22042-01.

12/16/2012 1:39:03 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000287066b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121612-32744-01.

12/16/2012 1:35:36 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000285f66b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121612-46581-01.

12/15/2012 8:15:33 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000287566b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121512-23493-01.

12/13/2012 12:27:09 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AsusSE service.

12/12/2012 11:26:01 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

12/12/2012 11:24:31 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Function Discovery Resource Publication service to connect.

12/12/2012 11:24:31 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.

12/12/2012 11:24:31 AM, Error: Service Control Manager [7000] - The Function Discovery Resource Publication service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/12/2012 11:23:10 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002b7963a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 121212-31028-01.

.

==== End Of File ===========================


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


RogueKiller V8.4.0 [Dec 18 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Tyler [Admin rights]

Mode : Scan -- Date : 12/18/2012 22:14:59

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\Run : SearchProtection (C:\ProgramData\Search Protection\_run.bat) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-00SGB0 ATA Device +++++

--- User ---

[MBR] 6ca2e65eacdbd462f17be1fb75ba34c4

[BSP] 2f04dd2b79453fa6fcce6649e02f873d : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] e98df65db0daf954926e058346c7f574

[BSP] 2f04dd2b79453fa6fcce6649e02f873d : Windows 7/8 MBR Code

Partition table:

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

Finished : << RKreport[1]_S_12182012_02d2214.txt >>


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


So I ran the scan 3 times, each yielding the same 4 results. Every time I'd reboot I would get a blue screen, and it would dump the physical memory (this has actually been happening off and on when powering off or resetting since first noticing the trojan). I tried running in safe mode; MBAR wouldn't initialize, with a "could not load dda driver" message.

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 3598934016

------------ Kernel report ------------

12/18/2012 22:26:50

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.asys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\gfibto.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\rtl8192Ce.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\ASACPI.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\rzendpt.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\rzudd.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\spsys.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800568d060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa800541f060

Lower Device Driver Name: \00000662\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.19.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800568d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800568db90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800568d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005405e40, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800541f060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00000662\

------------ End ----------

Upper DeviceData: 0xfffff8a007a65d70, 0xfffffa800568d060, 0xfffffa8005073630

Lower DeviceData: 0xfffff8a00b4151f0, 0xfffffa800541f060, 0xfffffa800756cbe0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...

Sector 312581433 --> [Forged physical sector]

Sector 312581434 --> [Forged physical sector]

Sector 312581435 --> [Forged physical sector]

Sector 312581436 --> [Forged physical sector]

Sector 312581437 --> [Forged physical sector]

Sector 312581438 --> [Forged physical sector]

Sector 312581439 --> [Forged physical sector]

Sector 312581440 --> [Forged physical sector]

Sector 312581441 --> [Forged physical sector]

Sector 312581442 --> [Forged physical sector]

Sector 312581443 --> [Forged physical sector]

Sector 312581444 --> [Forged physical sector]

Sector 312581445 --> [Forged physical sector]

Sector 312581446 --> [Forged physical sector]

Sector 312581447 --> [Forged physical sector]

Sector 312581448 --> [Forged physical sector]

Sector 312581449 --> [Forged physical sector]

Sector 312581450 --> [Forged physical sector]

Sector 312581451 --> [Forged physical sector]

Sector 312581452 --> [Forged physical sector]

Sector 312581453 --> [Forged physical sector]

Sector 312581454 --> [Forged physical sector]

Sector 312581455 --> [Forged physical sector]

Sector 312581456 --> [Forged physical sector]

Sector 312581457 --> [Forged physical sector]

Sector 312581458 --> [Forged physical sector]

Sector 312581459 --> [Forged physical sector]

Sector 312581460 --> [Forged physical sector]

Sector 312581461 --> [Forged physical sector]

Sector 312581462 --> [Forged physical sector]

Sector 312581463 --> [Forged physical sector]

Sector 312581464 --> [Forged physical sector]

Sector 312581465 --> [Forged physical sector]

Sector 312581466 --> [Forged physical sector]

Sector 312581467 --> [Forged physical sector]

Sector 312581468 --> [Forged physical sector]

Sector 312581469 --> [Forged physical sector]

Sector 312581470 --> [Forged physical sector]

Sector 312581471 --> [Forged physical sector]

Sector 312581472 --> [Forged physical sector]

Sector 312581473 --> [Forged physical sector]

Sector 312581474 --> [Forged physical sector]

Sector 312581475 --> [Forged physical sector]

Sector 312581476 --> [Forged physical sector]

Sector 312581477 --> [Forged physical sector]

Sector 312581478 --> [Forged physical sector]

Sector 312581479 --> [Forged physical sector]

Sector 312581480 --> [Forged physical sector]

Sector 312581481 --> [Forged physical sector]

Sector 312581482 --> [Forged physical sector]

Sector 312581483 --> [Forged physical sector]

Sector 312581484 --> [Forged physical sector]

Sector 312581485 --> [Forged physical sector]

Sector 312581486 --> [Forged physical sector]

Sector 312581487 --> [Forged physical sector]

Sector 312581488 --> [Forged physical sector]

Sector 312581489 --> [Forged physical sector]

Sector 312581490 --> [Forged physical sector]

Sector 312581491 --> [Forged physical sector]

Sector 312581492 --> [Forged physical sector]

Sector 312581493 --> [Forged physical sector]

Sector 312581494 --> [Forged physical sector]

Sector 312581495 --> [Forged physical sector]

Sector 312581496 --> [Forged physical sector]

Sector 312581497 --> [Forged physical sector]

Sector 312581498 --> [Forged physical sector]

Sector 312581499 --> [Forged physical sector]

Sector 312581500 --> [Forged physical sector]

Sector 312581501 --> [Forged physical sector]

Sector 312581502 --> [Forged physical sector]

Sector 312581503 --> [Forged physical sector]

Sector 312581504 --> [Forged physical sector]

Sector 312581505 --> [Forged physical sector]

Sector 312581506 --> [Forged physical sector]

Sector 312581507 --> [Forged physical sector]

Sector 312581508 --> [Forged physical sector]

Sector 312581509 --> [Forged physical sector]

Sector 312581510 --> [Forged physical sector]

Sector 312581511 --> [Forged physical sector]

Sector 312581512 --> [Forged physical sector]

Sector 312581513 --> [Forged physical sector]

Sector 312581514 --> [Forged physical sector]

Sector 312581515 --> [Forged physical sector]

Sector 312581516 --> [Forged physical sector]

Sector 312581517 --> [Forged physical sector]

Sector 312581518 --> [Forged physical sector]

Sector 312581519 --> [Forged physical sector]

Sector 312581520 --> [Forged physical sector]

Sector 312581521 --> [Forged physical sector]

Sector 312581522 --> [Forged physical sector]

Sector 312581523 --> [Forged physical sector]

Sector 312581524 --> [Forged physical sector]

Sector 312581525 --> [Forged physical sector]

Sector 312581526 --> [Forged physical sector]

Sector 312581527 --> [Forged physical sector]

Sector 312581528 --> [Forged physical sector]

Sector 312581529 --> [Forged physical sector]

Sector 312581530 --> [Forged physical sector]

Sector 312581531 --> [Forged physical sector]

Sector 312581532 --> [Forged physical sector]

Sector 312581533 --> [Forged physical sector]

Sector 312581534 --> [Forged physical sector]

Sector 312581535 --> [Forged physical sector]

Sector 312581536 --> [Forged physical sector]

Sector 312581537 --> [Forged physical sector]

Sector 312581538 --> [Forged physical sector]

Sector 312581539 --> [Forged physical sector]

Sector 312581540 --> [Forged physical sector]

Sector 312581541 --> [Forged physical sector]

Sector 312581542 --> [Forged physical sector]

Sector 312581543 --> [Forged physical sector]

Sector 312581544 --> [Forged physical sector]

Sector 312581545 --> [Forged physical sector]

Sector 312581546 --> [Forged physical sector]

Sector 312581547 --> [Forged physical sector]

Sector 312581548 --> [Forged physical sector]

Sector 312581549 --> [Forged physical sector]

Sector 312581550 --> [Forged physical sector]

Sector 312581551 --> [Forged physical sector]

Sector 312581552 --> [Forged physical sector]

Sector 312581553 --> [Forged physical sector]

Sector 312581554 --> [Forged physical sector]

Sector 312581555 --> [Forged physical sector]

Sector 312581556 --> [Forged physical sector]

Sector 312581557 --> [Forged physical sector]

Sector 312581558 --> [Forged physical sector]

Sector 312581559 --> [Forged physical sector]

Sector 312581560 --> [Forged physical sector]

Sector 312581561 --> [Forged physical sector]

Sector 312581562 --> [Forged physical sector]

Sector 312581563 --> [Forged physical sector]

Sector 312581564 --> [Forged physical sector]

Sector 312581565 --> [Forged physical sector]

Sector 312581566 --> [Forged physical sector]

Sector 312581567 --> [Forged physical sector]

Sector 312581568 --> [Forged physical sector]

Sector 312581569 --> [Forged physical sector]

Sector 312581570 --> [Forged physical sector]

Sector 312581571 --> [Forged physical sector]

Sector 312581572 --> [Forged physical sector]

Sector 312581573 --> [Forged physical sector]

Sector 312581574 --> [Forged physical sector]

Sector 312581575 --> [Forged physical sector]

Sector 312581576 --> [Forged physical sector]

Sector 312581577 --> [Forged physical sector]

Sector 312581578 --> [Forged physical sector]

Sector 312581579 --> [Forged physical sector]

Sector 312581580 --> [Forged physical sector]

Sector 312581581 --> [Forged physical sector]

Sector 312581582 --> [Forged physical sector]

Sector 312581583 --> [Forged physical sector]

Sector 312581584 --> [Forged physical sector]

Sector 312581585 --> [Forged physical sector]

Sector 312581586 --> [Forged physical sector]

Sector 312581587 --> [Forged physical sector]

Sector 312581588 --> [Forged physical sector]

Sector 312581589 --> [Forged physical sector]

Sector 312581590 --> [Forged physical sector]

Sector 312581591 --> [Forged physical sector]

Sector 312581592 --> [Forged physical sector]

Sector 312581593 --> [Forged physical sector]

Sector 312581594 --> [Forged physical sector]

Sector 312581595 --> [Forged physical sector]

Sector 312581596 --> [Forged physical sector]

Sector 312581597 --> [Forged physical sector]

Sector 312581598 --> [Forged physical sector]

Sector 312581599 --> [Forged physical sector]

Sector 312581600 --> [Forged physical sector]

Sector 312581601 --> [Forged physical sector]

Sector 312581602 --> [Forged physical sector]

Sector 312581603 --> [Forged physical sector]

Sector 312581604 --> [Forged physical sector]

Sector 312581605 --> [Forged physical sector]

Sector 312581606 --> [Forged physical sector]

Sector 312581607 --> [Forged physical sector]

Sector 312581608 --> [Forged physical sector]

Sector 312581609 --> [Forged physical sector]

Sector 312581610 --> [Forged physical sector]

Sector 312581611 --> [Forged physical sector]

Sector 312581612 --> [Forged physical sector]

Sector 312581613 --> [Forged physical sector]

Sector 312581614 --> [Forged physical sector]

Sector 312581615 --> [Forged physical sector]

Sector 312581616 --> [Forged physical sector]

Sector 312581617 --> [Forged physical sector]

Sector 312581618 --> [Forged physical sector]

Sector 312581619 --> [Forged physical sector]

Sector 312581620 --> [Forged physical sector]

Sector 312581621 --> [Forged physical sector]

Sector 312581622 --> [Forged physical sector]

Sector 312581623 --> [Forged physical sector]

Sector 312581624 --> [Forged physical sector]

Sector 312581625 --> [Forged physical sector]

Sector 312581626 --> [Forged physical sector]

Sector 312581627 --> [Forged physical sector]

Sector 312581628 --> [Forged physical sector]

Sector 312581629 --> [Forged physical sector]

Sector 312581630 --> [Forged physical sector]

Sector 312581631 --> [Forged physical sector]

Sector 312581632 --> [Forged physical sector]

Sector 312581633 --> [Forged physical sector]

Sector 312581634 --> [Forged physical sector]

Sector 312581635 --> [Forged physical sector]

Sector 312581636 --> [Forged physical sector]

Sector 312581637 --> [Forged physical sector]

Sector 312581638 --> [Forged physical sector]

Sector 312581639 --> [Forged physical sector]

Sector 312581640 --> [Forged physical sector]

Sector 312581641 --> [Forged physical sector]

Sector 312581642 --> [Forged physical sector]

Sector 312581643 --> [Forged physical sector]

Sector 312581644 --> [Forged physical sector]

Sector 312581645 --> [Forged physical sector]

Sector 312581646 --> [Forged physical sector]

Sector 312581647 --> [Forged physical sector]

Sector 312581648 --> [Forged physical sector]

Sector 312581649 --> [Forged physical sector]

Sector 312581650 --> [Forged physical sector]

Sector 312581651 --> [Forged physical sector]

Sector 312581652 --> [Forged physical sector]

Sector 312581653 --> [Forged physical sector]

Sector 312581654 --> [Forged physical sector]

Sector 312581655 --> [Forged physical sector]

Sector 312581656 --> [Forged physical sector]

Sector 312581657 --> [Forged physical sector]

Sector 312581658 --> [Forged physical sector]

Sector 312581659 --> [Forged physical sector]

Sector 312581660 --> [Forged physical sector]

Sector 312581661 --> [Forged physical sector]

Sector 312581662 --> [Forged physical sector]

Sector 312581663 --> [Forged physical sector]

Sector 312581664 --> [Forged physical sector]

Sector 312581665 --> [Forged physical sector]

Sector 312581666 --> [Forged physical sector]

Sector 312581667 --> [Forged physical sector]

Sector 312581668 --> [Forged physical sector]

Sector 312581669 --> [Forged physical sector]

Sector 312581670 --> [Forged physical sector]

Sector 312581671 --> [Forged physical sector]

Sector 312581672 --> [Forged physical sector]

Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4026081280

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4035997696

------------ Kernel report ------------

12/18/2012 22:45:01

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\gfibto.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\rtl8192Ce.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\ASACPI.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\rzendpt.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\rzudd.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800566d060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa80053d0060

Lower Device Driver Name: \00001113\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800566d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800566db90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800566d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80053ce520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa80053d0060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00001113\

------------ End ----------

Upper DeviceData: 0xfffff8a00354f1e0, 0xfffffa800566d060, 0xfffffa8004cd9790

Lower DeviceData: 0xfffff8a0072d9510, 0xfffffa80053d0060, 0xfffffa8004bd8220

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4360196096

Could not load protection driver

DDA Driver installation error.

Driver installed on boot. Reboot required.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4369907712

DDA Driver installation error.

Driver installed on boot. Reboot required.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4060553216

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800568c060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa8005413060

Lower Device Driver Name: \00000630\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800568c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800550d9d0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800568c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005439520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8005413060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00000630\

------------ End ----------

Upper DeviceData: 0xfffff8a00146c760, 0xfffffa800568c060, 0xfffffa800734a790

Lower DeviceData: 0xfffff8a0017dfa80, 0xfffffa8005413060, 0xfffffa80075e0a40

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...


Sector 312581517 --> [Forged physical sector]

Sector 312581518 --> [Forged physical sector]

Sector 312581519 --> [Forged physical sector]

Sector 312581520 --> [Forged physical sector]

Sector 312581521 --> [Forged physical sector]

Sector 312581522 --> [Forged physical sector]

Sector 312581523 --> [Forged physical sector]

Sector 312581524 --> [Forged physical sector]

Sector 312581525 --> [Forged physical sector]

Sector 312581526 --> [Forged physical sector]

Sector 312581527 --> [Forged physical sector]

Sector 312581528 --> [Forged physical sector]

Sector 312581529 --> [Forged physical sector]

Sector 312581530 --> [Forged physical sector]

Sector 312581531 --> [Forged physical sector]

Sector 312581532 --> [Forged physical sector]

Sector 312581533 --> [Forged physical sector]

Sector 312581534 --> [Forged physical sector]

Sector 312581535 --> [Forged physical sector]

Sector 312581536 --> [Forged physical sector]

Sector 312581537 --> [Forged physical sector]

Sector 312581538 --> [Forged physical sector]

Sector 312581539 --> [Forged physical sector]

Sector 312581540 --> [Forged physical sector]

Sector 312581541 --> [Forged physical sector]

Sector 312581542 --> [Forged physical sector]

Sector 312581543 --> [Forged physical sector]

Sector 312581544 --> [Forged physical sector]

Sector 312581545 --> [Forged physical sector]

Sector 312581546 --> [Forged physical sector]

Sector 312581547 --> [Forged physical sector]

Sector 312581548 --> [Forged physical sector]

Sector 312581549 --> [Forged physical sector]

Sector 312581550 --> [Forged physical sector]

Sector 312581551 --> [Forged physical sector]

Sector 312581552 --> [Forged physical sector]

Sector 312581553 --> [Forged physical sector]

Sector 312581554 --> [Forged physical sector]

Sector 312581555 --> [Forged physical sector]

Sector 312581556 --> [Forged physical sector]

Sector 312581557 --> [Forged physical sector]

Sector 312581558 --> [Forged physical sector]

Sector 312581559 --> [Forged physical sector]

Sector 312581560 --> [Forged physical sector]

Sector 312581561 --> [Forged physical sector]

Sector 312581562 --> [Forged physical sector]

Sector 312581563 --> [Forged physical sector]

Sector 312581564 --> [Forged physical sector]

Sector 312581565 --> [Forged physical sector]

Sector 312581566 --> [Forged physical sector]

Sector 312581567 --> [Forged physical sector]

Sector 312581568 --> [Forged physical sector]

Sector 312581569 --> [Forged physical sector]

Sector 312581570 --> [Forged physical sector]

Sector 312581571 --> [Forged physical sector]

Sector 312581572 --> [Forged physical sector]

Sector 312581573 --> [Forged physical sector]

Sector 312581574 --> [Forged physical sector]

Sector 312581575 --> [Forged physical sector]

Sector 312581576 --> [Forged physical sector]

Sector 312581577 --> [Forged physical sector]

Sector 312581578 --> [Forged physical sector]

Sector 312581579 --> [Forged physical sector]

Sector 312581580 --> [Forged physical sector]

Sector 312581581 --> [Forged physical sector]

Sector 312581582 --> [Forged physical sector]

Sector 312581583 --> [Forged physical sector]

Sector 312581584 --> [Forged physical sector]

Sector 312581585 --> [Forged physical sector]

Sector 312581586 --> [Forged physical sector]

Sector 312581587 --> [Forged physical sector]

Sector 312581588 --> [Forged physical sector]

Sector 312581589 --> [Forged physical sector]

Sector 312581590 --> [Forged physical sector]

Sector 312581591 --> [Forged physical sector]

Sector 312581592 --> [Forged physical sector]

Sector 312581593 --> [Forged physical sector]

Sector 312581594 --> [Forged physical sector]

Sector 312581595 --> [Forged physical sector]

Sector 312581596 --> [Forged physical sector]

Sector 312581597 --> [Forged physical sector]

Sector 312581598 --> [Forged physical sector]

Sector 312581599 --> [Forged physical sector]

Sector 312581600 --> [Forged physical sector]

Sector 312581601 --> [Forged physical sector]

Sector 312581602 --> [Forged physical sector]

Sector 312581603 --> [Forged physical sector]

Sector 312581604 --> [Forged physical sector]

Sector 312581605 --> [Forged physical sector]

Sector 312581606 --> [Forged physical sector]

Sector 312581607 --> [Forged physical sector]

Sector 312581608 --> [Forged physical sector]

Sector 312581609 --> [Forged physical sector]

Sector 312581610 --> [Forged physical sector]

Sector 312581611 --> [Forged physical sector]

Sector 312581612 --> [Forged physical sector]

Sector 312581613 --> [Forged physical sector]

Sector 312581614 --> [Forged physical sector]

Sector 312581615 --> [Forged physical sector]

Sector 312581616 --> [Forged physical sector]

Sector 312581617 --> [Forged physical sector]

Sector 312581618 --> [Forged physical sector]

Sector 312581619 --> [Forged physical sector]

Sector 312581620 --> [Forged physical sector]

Sector 312581621 --> [Forged physical sector]

Sector 312581622 --> [Forged physical sector]

Sector 312581623 --> [Forged physical sector]

Sector 312581624 --> [Forged physical sector]

Sector 312581625 --> [Forged physical sector]

Sector 312581626 --> [Forged physical sector]

Sector 312581627 --> [Forged physical sector]

Sector 312581628 --> [Forged physical sector]

Sector 312581629 --> [Forged physical sector]

Sector 312581630 --> [Forged physical sector]

Sector 312581631 --> [Forged physical sector]

Sector 312581632 --> [Forged physical sector]

Sector 312581633 --> [Forged physical sector]

Sector 312581634 --> [Forged physical sector]

Sector 312581635 --> [Forged physical sector]

Sector 312581636 --> [Forged physical sector]

Sector 312581637 --> [Forged physical sector]

Sector 312581638 --> [Forged physical sector]

Sector 312581639 --> [Forged physical sector]

Sector 312581640 --> [Forged physical sector]

Sector 312581641 --> [Forged physical sector]

Sector 312581642 --> [Forged physical sector]

Sector 312581643 --> [Forged physical sector]

Sector 312581644 --> [Forged physical sector]

Sector 312581645 --> [Forged physical sector]

Sector 312581646 --> [Forged physical sector]

Sector 312581647 --> [Forged physical sector]

Sector 312581648 --> [Forged physical sector]

Sector 312581649 --> [Forged physical sector]

Sector 312581650 --> [Forged physical sector]

Sector 312581651 --> [Forged physical sector]

Sector 312581652 --> [Forged physical sector]

Sector 312581653 --> [Forged physical sector]

Sector 312581654 --> [Forged physical sector]

Sector 312581655 --> [Forged physical sector]

Sector 312581656 --> [Forged physical sector]

Sector 312581657 --> [Forged physical sector]

Sector 312581658 --> [Forged physical sector]

Sector 312581659 --> [Forged physical sector]

Sector 312581660 --> [Forged physical sector]

Sector 312581661 --> [Forged physical sector]

Sector 312581662 --> [Forged physical sector]

Sector 312581663 --> [Forged physical sector]

Sector 312581664 --> [Forged physical sector]

Sector 312581665 --> [Forged physical sector]

Sector 312581666 --> [Forged physical sector]

Sector 312581667 --> [Forged physical sector]

Sector 312581668 --> [Forged physical sector]

Sector 312581669 --> [Forged physical sector]

Sector 312581670 --> [Forged physical sector]

Sector 312581671 --> [Forged physical sector]

Sector 312581672 --> [Forged physical sector]

Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.19.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tyler :: TYLER-PC [administrator]

12/18/2012 11:19:46 PM

mbar-log-2012-12-18 (23-19-46).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 26642

Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_23_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312581428_user.mbam (Forged physical sector) -> Delete on reboot.

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)


So I ran the scan 3 times, each yielding the same 4 results; every time I'd reboot I would get a blue screen, and it would dump the physical memory (this has actually been happening off and on when powering off or resetting since first noticing the trojan). I tried running in safe mode; MBAR wouldn't initialize, with a "could not load dda driver" message.

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 3598934016

------------ Kernel report ------------

12/18/2012 22:26:50

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.asys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\gfibto.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\rtl8192Ce.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\ASACPI.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\rzendpt.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\rzudd.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\spsys.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800568d060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa800541f060

Lower Device Driver Name: \00000662\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.19.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800568d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800568db90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800568d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005405e40, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa800541f060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00000662\

------------ End ----------

Upper DeviceData: 0xfffff8a007a65d70, 0xfffffa800568d060, 0xfffffa8005073630

Lower DeviceData: 0xfffff8a00b4151f0, 0xfffffa800541f060, 0xfffffa800756cbe0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...


Sector 312581580 --> [Forged physical sector]

Sector 312581581 --> [Forged physical sector]

Sector 312581582 --> [Forged physical sector]

Sector 312581583 --> [Forged physical sector]

Sector 312581584 --> [Forged physical sector]

Sector 312581585 --> [Forged physical sector]

Sector 312581586 --> [Forged physical sector]

Sector 312581587 --> [Forged physical sector]

Sector 312581588 --> [Forged physical sector]

Sector 312581589 --> [Forged physical sector]

Sector 312581590 --> [Forged physical sector]

Sector 312581591 --> [Forged physical sector]

Sector 312581592 --> [Forged physical sector]

Sector 312581593 --> [Forged physical sector]

Sector 312581594 --> [Forged physical sector]

Sector 312581595 --> [Forged physical sector]

Sector 312581596 --> [Forged physical sector]

Sector 312581597 --> [Forged physical sector]

Sector 312581598 --> [Forged physical sector]

Sector 312581599 --> [Forged physical sector]

Sector 312581600 --> [Forged physical sector]

Sector 312581601 --> [Forged physical sector]

Sector 312581602 --> [Forged physical sector]

Sector 312581603 --> [Forged physical sector]

Sector 312581604 --> [Forged physical sector]

Sector 312581605 --> [Forged physical sector]

Sector 312581606 --> [Forged physical sector]

Sector 312581607 --> [Forged physical sector]

Sector 312581608 --> [Forged physical sector]

Sector 312581609 --> [Forged physical sector]

Sector 312581610 --> [Forged physical sector]

Sector 312581611 --> [Forged physical sector]

Sector 312581612 --> [Forged physical sector]

Sector 312581613 --> [Forged physical sector]

Sector 312581614 --> [Forged physical sector]

Sector 312581615 --> [Forged physical sector]

Sector 312581616 --> [Forged physical sector]

Sector 312581617 --> [Forged physical sector]

Sector 312581618 --> [Forged physical sector]

Sector 312581619 --> [Forged physical sector]

Sector 312581620 --> [Forged physical sector]

Sector 312581621 --> [Forged physical sector]

Sector 312581622 --> [Forged physical sector]

Sector 312581623 --> [Forged physical sector]

Sector 312581624 --> [Forged physical sector]

Sector 312581625 --> [Forged physical sector]

Sector 312581626 --> [Forged physical sector]

Sector 312581627 --> [Forged physical sector]

Sector 312581628 --> [Forged physical sector]

Sector 312581629 --> [Forged physical sector]

Sector 312581630 --> [Forged physical sector]

Sector 312581631 --> [Forged physical sector]

Sector 312581632 --> [Forged physical sector]

Sector 312581633 --> [Forged physical sector]

Sector 312581634 --> [Forged physical sector]

Sector 312581635 --> [Forged physical sector]

Sector 312581636 --> [Forged physical sector]

Sector 312581637 --> [Forged physical sector]

Sector 312581638 --> [Forged physical sector]

Sector 312581639 --> [Forged physical sector]

Sector 312581640 --> [Forged physical sector]

Sector 312581641 --> [Forged physical sector]

Sector 312581642 --> [Forged physical sector]

Sector 312581643 --> [Forged physical sector]

Sector 312581644 --> [Forged physical sector]

Sector 312581645 --> [Forged physical sector]

Sector 312581646 --> [Forged physical sector]

Sector 312581647 --> [Forged physical sector]

Sector 312581648 --> [Forged physical sector]

Sector 312581649 --> [Forged physical sector]

Sector 312581650 --> [Forged physical sector]

Sector 312581651 --> [Forged physical sector]

Sector 312581652 --> [Forged physical sector]

Sector 312581653 --> [Forged physical sector]

Sector 312581654 --> [Forged physical sector]

Sector 312581655 --> [Forged physical sector]

Sector 312581656 --> [Forged physical sector]

Sector 312581657 --> [Forged physical sector]

Sector 312581658 --> [Forged physical sector]

Sector 312581659 --> [Forged physical sector]

Sector 312581660 --> [Forged physical sector]

Sector 312581661 --> [Forged physical sector]

Sector 312581662 --> [Forged physical sector]

Sector 312581663 --> [Forged physical sector]

Sector 312581664 --> [Forged physical sector]

Sector 312581665 --> [Forged physical sector]

Sector 312581666 --> [Forged physical sector]

Sector 312581667 --> [Forged physical sector]

Sector 312581668 --> [Forged physical sector]

Sector 312581669 --> [Forged physical sector]

Sector 312581670 --> [Forged physical sector]

Sector 312581671 --> [Forged physical sector]

Sector 312581672 --> [Forged physical sector]

Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4026081280

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4035997696

------------ Kernel report ------------

12/18/2012 22:45:01

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\system32\drivers\gfibto.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\rtl8192Ce.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\1394ohci.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\ASACPI.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\rzendpt.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\rzudd.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800566d060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa80053d0060

Lower Device Driver Name: \00001113\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800566d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800566db90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800566d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80053ce520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa80053d0060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00001113\

------------ End ----------

Upper DeviceData: 0xfffff8a00354f1e0, 0xfffffa800566d060, 0xfffffa8004cd9790

Lower DeviceData: 0xfffff8a0072d9510, 0xfffffa80053d0060, 0xfffffa8004bd8220

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...


Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4360196096

Could not load protection driver

DDA Driver installation error.

Driver installed on boot. Reboot required.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4369907712

DDA Driver installation error.

Driver installed on boot. Reboot required.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.405000 GHz

Memory total: 5367783424, free: 4060553216

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa800568c060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\

Lower Device Object: 0xfffffa8005413060

Lower Device Driver Name: \00000630\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa800568c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800550d9d0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800568c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005439520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8005413060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \00000630\

------------ End ----------

Upper DeviceData: 0xfffff8a00146c760, 0xfffffa800568c060, 0xfffffa800734a790

Lower DeviceData: 0xfffff8a0017dfa80, 0xfffffa8005413060, 0xfffffa80075e0a40

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [5b875a22f8ce39ec096216471c83be3f]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 2BD32BD3

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 23 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312560577

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-22-312561808-312581808)...

Sector 312581428 --> [Forged physical sector]

Sector 312581429 --> [Forged physical sector]

Sector 312581430 --> [Forged physical sector]

Sector 312581431 --> [Forged physical sector]

Sector 312581432 --> [Forged physical sector]

Sector 312581433 --> [Forged physical sector]

Sector 312581434 --> [Forged physical sector]

Sector 312581435 --> [Forged physical sector]

Sector 312581436 --> [Forged physical sector]

Sector 312581437 --> [Forged physical sector]

Sector 312581438 --> [Forged physical sector]

Sector 312581439 --> [Forged physical sector]

Sector 312581440 --> [Forged physical sector]

Sector 312581441 --> [Forged physical sector]

Sector 312581442 --> [Forged physical sector]

Sector 312581443 --> [Forged physical sector]

Sector 312581444 --> [Forged physical sector]

Sector 312581445 --> [Forged physical sector]

Sector 312581446 --> [Forged physical sector]

Sector 312581447 --> [Forged physical sector]

Sector 312581448 --> [Forged physical sector]

Sector 312581449 --> [Forged physical sector]

Sector 312581450 --> [Forged physical sector]

Sector 312581451 --> [Forged physical sector]

Sector 312581452 --> [Forged physical sector]

Sector 312581453 --> [Forged physical sector]

Sector 312581454 --> [Forged physical sector]

Sector 312581455 --> [Forged physical sector]

Sector 312581456 --> [Forged physical sector]

Sector 312581457 --> [Forged physical sector]

Sector 312581458 --> [Forged physical sector]

Sector 312581459 --> [Forged physical sector]

Sector 312581460 --> [Forged physical sector]

Sector 312581461 --> [Forged physical sector]

Sector 312581462 --> [Forged physical sector]

Sector 312581463 --> [Forged physical sector]

Sector 312581464 --> [Forged physical sector]

Sector 312581465 --> [Forged physical sector]

Sector 312581466 --> [Forged physical sector]

Sector 312581467 --> [Forged physical sector]

Sector 312581468 --> [Forged physical sector]

Sector 312581469 --> [Forged physical sector]

Sector 312581470 --> [Forged physical sector]

Sector 312581471 --> [Forged physical sector]

Sector 312581472 --> [Forged physical sector]

Sector 312581473 --> [Forged physical sector]

Sector 312581474 --> [Forged physical sector]

Sector 312581475 --> [Forged physical sector]

Sector 312581476 --> [Forged physical sector]

Sector 312581477 --> [Forged physical sector]

Sector 312581478 --> [Forged physical sector]

Sector 312581479 --> [Forged physical sector]

Sector 312581480 --> [Forged physical sector]

Sector 312581481 --> [Forged physical sector]

Sector 312581482 --> [Forged physical sector]

Sector 312581483 --> [Forged physical sector]

Sector 312581484 --> [Forged physical sector]

Sector 312581485 --> [Forged physical sector]

Sector 312581486 --> [Forged physical sector]

Sector 312581487 --> [Forged physical sector]

Sector 312581488 --> [Forged physical sector]

Sector 312581489 --> [Forged physical sector]

Sector 312581490 --> [Forged physical sector]

Sector 312581491 --> [Forged physical sector]

Sector 312581492 --> [Forged physical sector]

Sector 312581493 --> [Forged physical sector]

Sector 312581494 --> [Forged physical sector]

Sector 312581495 --> [Forged physical sector]

Sector 312581496 --> [Forged physical sector]

Sector 312581497 --> [Forged physical sector]

Sector 312581498 --> [Forged physical sector]

Sector 312581499 --> [Forged physical sector]

Sector 312581500 --> [Forged physical sector]

Sector 312581501 --> [Forged physical sector]

Sector 312581502 --> [Forged physical sector]

Sector 312581503 --> [Forged physical sector]

Sector 312581504 --> [Forged physical sector]

Sector 312581505 --> [Forged physical sector]

Sector 312581506 --> [Forged physical sector]

Sector 312581507 --> [Forged physical sector]

Sector 312581508 --> [Forged physical sector]

Sector 312581509 --> [Forged physical sector]

Sector 312581510 --> [Forged physical sector]

Sector 312581511 --> [Forged physical sector]

Sector 312581512 --> [Forged physical sector]

Sector 312581513 --> [Forged physical sector]

Sector 312581514 --> [Forged physical sector]

Sector 312581515 --> [Forged physical sector]

Sector 312581516 --> [Forged physical sector]

Sector 312581517 --> [Forged physical sector]

Sector 312581518 --> [Forged physical sector]

Sector 312581519 --> [Forged physical sector]

Sector 312581520 --> [Forged physical sector]

Sector 312581521 --> [Forged physical sector]

Sector 312581522 --> [Forged physical sector]

Sector 312581523 --> [Forged physical sector]

Sector 312581524 --> [Forged physical sector]

Sector 312581525 --> [Forged physical sector]

Sector 312581526 --> [Forged physical sector]

Sector 312581527 --> [Forged physical sector]

Sector 312581528 --> [Forged physical sector]

Sector 312581529 --> [Forged physical sector]

Sector 312581530 --> [Forged physical sector]

Sector 312581531 --> [Forged physical sector]

Sector 312581532 --> [Forged physical sector]

Sector 312581533 --> [Forged physical sector]

Sector 312581534 --> [Forged physical sector]

Sector 312581535 --> [Forged physical sector]

Sector 312581536 --> [Forged physical sector]

Sector 312581537 --> [Forged physical sector]

Sector 312581538 --> [Forged physical sector]

Sector 312581539 --> [Forged physical sector]

Sector 312581540 --> [Forged physical sector]

Sector 312581541 --> [Forged physical sector]

Sector 312581542 --> [Forged physical sector]

Sector 312581543 --> [Forged physical sector]

Sector 312581544 --> [Forged physical sector]

Sector 312581545 --> [Forged physical sector]

Sector 312581546 --> [Forged physical sector]

Sector 312581547 --> [Forged physical sector]

Sector 312581548 --> [Forged physical sector]

Sector 312581549 --> [Forged physical sector]

Sector 312581550 --> [Forged physical sector]

Sector 312581551 --> [Forged physical sector]

Sector 312581552 --> [Forged physical sector]

Sector 312581553 --> [Forged physical sector]

Sector 312581554 --> [Forged physical sector]

Sector 312581555 --> [Forged physical sector]

Sector 312581556 --> [Forged physical sector]

Sector 312581557 --> [Forged physical sector]

Sector 312581558 --> [Forged physical sector]

Sector 312581559 --> [Forged physical sector]

Sector 312581560 --> [Forged physical sector]

Sector 312581561 --> [Forged physical sector]

Sector 312581562 --> [Forged physical sector]

Sector 312581563 --> [Forged physical sector]

Sector 312581564 --> [Forged physical sector]

Sector 312581565 --> [Forged physical sector]

Sector 312581566 --> [Forged physical sector]

Sector 312581567 --> [Forged physical sector]

Sector 312581568 --> [Forged physical sector]

Sector 312581569 --> [Forged physical sector]

Sector 312581570 --> [Forged physical sector]

Sector 312581571 --> [Forged physical sector]

Sector 312581572 --> [Forged physical sector]

Sector 312581573 --> [Forged physical sector]

Sector 312581574 --> [Forged physical sector]

Sector 312581575 --> [Forged physical sector]

Sector 312581576 --> [Forged physical sector]

Sector 312581577 --> [Forged physical sector]

Sector 312581578 --> [Forged physical sector]

Sector 312581579 --> [Forged physical sector]

Sector 312581580 --> [Forged physical sector]

Sector 312581581 --> [Forged physical sector]

Sector 312581582 --> [Forged physical sector]

Sector 312581583 --> [Forged physical sector]

Sector 312581584 --> [Forged physical sector]

Sector 312581585 --> [Forged physical sector]

Sector 312581586 --> [Forged physical sector]

Sector 312581587 --> [Forged physical sector]

Sector 312581588 --> [Forged physical sector]

Sector 312581589 --> [Forged physical sector]

Sector 312581590 --> [Forged physical sector]

Sector 312581591 --> [Forged physical sector]

Sector 312581592 --> [Forged physical sector]

Sector 312581593 --> [Forged physical sector]

Sector 312581594 --> [Forged physical sector]

Sector 312581595 --> [Forged physical sector]

Sector 312581596 --> [Forged physical sector]

Sector 312581597 --> [Forged physical sector]

Sector 312581598 --> [Forged physical sector]

Sector 312581599 --> [Forged physical sector]

Sector 312581600 --> [Forged physical sector]

Sector 312581601 --> [Forged physical sector]

Sector 312581602 --> [Forged physical sector]

Sector 312581603 --> [Forged physical sector]

Sector 312581604 --> [Forged physical sector]

Sector 312581605 --> [Forged physical sector]

Sector 312581606 --> [Forged physical sector]

Sector 312581607 --> [Forged physical sector]

Sector 312581608 --> [Forged physical sector]

Sector 312581609 --> [Forged physical sector]

Sector 312581610 --> [Forged physical sector]

Sector 312581611 --> [Forged physical sector]

Sector 312581612 --> [Forged physical sector]

Sector 312581613 --> [Forged physical sector]

Sector 312581614 --> [Forged physical sector]

Sector 312581615 --> [Forged physical sector]

Sector 312581616 --> [Forged physical sector]

Sector 312581617 --> [Forged physical sector]

Sector 312581618 --> [Forged physical sector]

Sector 312581619 --> [Forged physical sector]

Sector 312581620 --> [Forged physical sector]

Sector 312581621 --> [Forged physical sector]

Sector 312581622 --> [Forged physical sector]

Sector 312581623 --> [Forged physical sector]

Sector 312581624 --> [Forged physical sector]

Sector 312581625 --> [Forged physical sector]

Sector 312581626 --> [Forged physical sector]

Sector 312581627 --> [Forged physical sector]

Sector 312581628 --> [Forged physical sector]

Sector 312581629 --> [Forged physical sector]

Sector 312581630 --> [Forged physical sector]

Sector 312581631 --> [Forged physical sector]

Sector 312581632 --> [Forged physical sector]

Sector 312581633 --> [Forged physical sector]

Sector 312581634 --> [Forged physical sector]

Sector 312581635 --> [Forged physical sector]

Sector 312581636 --> [Forged physical sector]

Sector 312581637 --> [Forged physical sector]

Sector 312581638 --> [Forged physical sector]

Sector 312581639 --> [Forged physical sector]

Sector 312581640 --> [Forged physical sector]

Sector 312581641 --> [Forged physical sector]

Sector 312581642 --> [Forged physical sector]

Sector 312581643 --> [Forged physical sector]

Sector 312581644 --> [Forged physical sector]

Sector 312581645 --> [Forged physical sector]

Sector 312581646 --> [Forged physical sector]

Sector 312581647 --> [Forged physical sector]

Sector 312581648 --> [Forged physical sector]

Sector 312581649 --> [Forged physical sector]

Sector 312581650 --> [Forged physical sector]

Sector 312581651 --> [Forged physical sector]

Sector 312581652 --> [Forged physical sector]

Sector 312581653 --> [Forged physical sector]

Sector 312581654 --> [Forged physical sector]

Sector 312581655 --> [Forged physical sector]

Sector 312581656 --> [Forged physical sector]

Sector 312581657 --> [Forged physical sector]

Sector 312581658 --> [Forged physical sector]

Sector 312581659 --> [Forged physical sector]

Sector 312581660 --> [Forged physical sector]

Sector 312581661 --> [Forged physical sector]

Sector 312581662 --> [Forged physical sector]

Sector 312581663 --> [Forged physical sector]

Sector 312581664 --> [Forged physical sector]

Sector 312581665 --> [Forged physical sector]

Sector 312581666 --> [Forged physical sector]

Sector 312581667 --> [Forged physical sector]

Sector 312581668 --> [Forged physical sector]

Sector 312581669 --> [Forged physical sector]

Sector 312581670 --> [Forged physical sector]

Sector 312581671 --> [Forged physical sector]

Sector 312581672 --> [Forged physical sector]

Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.19.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tyler :: TYLER-PC [administrator]

12/18/2012 11:19:46 PM

mbar-log-2012-12-18 (23-19-46).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 26642

Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_23_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312581428_user.mbam (Forged physical sector) -> Delete on reboot.

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)


Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC

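Reading these logs by eye is error-prone, so here is an added triage script (example code, not from this thread or from TDSSKiller) that parses the service-scan line shape TDSSKiller writes, reports every verdict that is not "ok", and applies the check the MBAR result above illustrates: a core binary such as svchost.exe sitting outside System32/SysWOW64. The "detected <Name> ( <n> )" verdict form, the ExampleSvc entry and the DR0 hit in the sample are assumptions/constructed, not lines from the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes as they appear in TDSSKiller's "Scan services" section:
#   HH:MM:SS.mmmm PID [ MD5 ] ServiceName X:\path\to\binary
#   HH:MM:SS.mmmm PID ServiceName - verdict
# Service names may contain spaces ("Apple Mobile Device"), so the name is
# matched lazily up to the drive-letter path or the " - " verdict separator.
HASH_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<pid>\d+) \[ (?P<md5>[0-9A-Fa-f]{32}) \] "
    r"(?P<name>.+?) (?P<path>[A-Za-z]:\\.*)$"
)
# "ok" is the clean verdict shown throughout the log; the "detected <Name> ( <n> )"
# form for hits is an assumption, consistent with the UnsignedFile.Multi.Generic /
# LockedFile.Multi.Generic prompts described in the instructions above.
VERDICT_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<pid>\d+) (?P<name>.+?) - (?P<verdict>ok|detected .+)$"
)

# Core Windows binaries that are only legitimate under the system directories;
# C:\Windows\svchost.exe, the Trojan.Agent hit in the MBAR log above, is the
# textbook impostor. Assumes the system drive is C: (adjust SYSTEM_DIRS otherwise).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    name: str     # service/driver name or device object as logged
    reason: str   # why it was flagged
    detail: str   # verdict text or offending path
    path: str     # binary path if the log gave one, else ""


def impostor_system_binary(path: str) -> bool:
    """True for a name like svchost.exe living anywhere but System32/SysWOW64."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    return base in SYSTEM_ONLY and not p.startswith(SYSTEM_DIRS)


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a TDSSKiller-style log worth a second look:
    every non-"ok" verdict, plus core binaries found outside the system dirs."""
    findings: list[Finding] = []
    paths: dict[str, str] = {}  # service name -> binary path from its hash line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            paths[m["name"]] = m["path"]
            if impostor_system_binary(m["path"]):
                findings.append(Finding(m["name"], "system binary outside system dir",
                                        m["path"], m["path"]))
            continue
        m = VERDICT_LINE.match(line)
        if m and m["verdict"] != "ok":
            findings.append(Finding(m["name"], "scanner verdict",
                                    m["verdict"], paths.get(m["name"], "")))
    return findings


# Constructed sample: two clean entries in the same shape as the thread's log,
# plus constructed hits (placeholder all-zero MD5, made-up service name).
SAMPLE_LOG = r"""
22:48:55.0241 4052 [ A87D604AEA360176311474C87A63BB88 ] 1394ohci C:\Windows\system32\DRIVERS\1394ohci.sys
22:48:55.0252 4052 1394ohci - ok
22:48:56.0898 4052 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
22:48:56.0910 4052 Apple Mobile Device - ok
22:49:30.0000 4052 [ 00000000000000000000000000000000 ] ExampleSvc C:\Windows\svchost.exe
22:49:30.0001 4052 ExampleSvc - detected UnsignedFile.Multi.Generic ( 1 )
22:49:40.0000 4052 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c ( 0 )
22:49:41.0000 4052 COMSysApp - ok
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:34} {f.name:22} {f.detail}")
```

Run it against a saved TDSSKiller log by passing the file's contents to triage(); an empty result means every object was reported "ok" and no core binary sat outside the system directories.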

22:48:28.0226 4160 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

22:48:28.0575 4160 ============================================================

22:48:28.0575 4160 Current date / time: 2012/12/21 22:48:28.0575

22:48:28.0575 4160 SystemInfo:

22:48:28.0575 4160

22:48:28.0575 4160 OS Version: 6.1.7601 ServicePack: 1.0

22:48:28.0575 4160 Product type: Workstation

22:48:28.0576 4160 ComputerName: TYLER-PC

22:48:28.0576 4160 UserName: Tyler

22:48:28.0576 4160 Windows directory: C:\Windows

22:48:28.0576 4160 System windows directory: C:\Windows

22:48:28.0576 4160 Running under WOW64

22:48:28.0576 4160 Processor architecture: Intel x64

22:48:28.0576 4160 Number of processors: 4

22:48:28.0576 4160 Page size: 0x1000

22:48:28.0576 4160 Boot type: Normal boot

22:48:28.0576 4160 ============================================================

22:48:30.0108 4160 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

22:48:30.0112 4160 ============================================================

22:48:30.0112 4160 \Device\Harddisk0\DR0:

22:48:30.0113 4160 MBR partitions:

22:48:30.0113 4160 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1

22:48:30.0113 4160 ============================================================

22:48:30.0132 4160 C: <-> \Device\Harddisk0\DR0\Partition1

22:48:30.0132 4160 ============================================================

22:48:30.0132 4160 Initialize success

22:48:30.0132 4160 ============================================================

22:48:39.0593 4184 Deinitialize success

22:48:50.0322 4564 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

22:48:50.0701 4564 ============================================================

22:48:50.0701 4564 Current date / time: 2012/12/21 22:48:50.0701

22:48:50.0701 4564 SystemInfo:

22:48:50.0701 4564

22:48:50.0701 4564 OS Version: 6.1.7601 ServicePack: 1.0

22:48:50.0701 4564 Product type: Workstation

22:48:50.0701 4564 ComputerName: TYLER-PC

22:48:50.0701 4564 UserName: Tyler

22:48:50.0701 4564 Windows directory: C:\Windows

22:48:50.0701 4564 System windows directory: C:\Windows

22:48:50.0701 4564 Running under WOW64

22:48:50.0702 4564 Processor architecture: Intel x64

22:48:50.0702 4564 Number of processors: 4

22:48:50.0702 4564 Page size: 0x1000

22:48:50.0702 4564 Boot type: Normal boot

22:48:50.0702 4564 ============================================================

22:48:52.0529 4564 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

22:48:52.0534 4564 ============================================================

22:48:52.0534 4564 \Device\Harddisk0\DR0:

22:48:52.0534 4564 MBR partitions:

22:48:52.0534 4564 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1

22:48:52.0534 4564 ============================================================

22:48:52.0553 4564 C: <-> \Device\Harddisk0\DR0\Partition1

22:48:52.0553 4564 ============================================================

22:48:52.0554 4564 Initialize success

22:48:52.0554 4564 ============================================================

22:48:53.0314 4052 ============================================================

22:48:53.0314 4052 Scan started

22:48:53.0314 4052 Mode: Manual;

22:48:53.0314 4052 ============================================================

22:48:54.0793 4052 ================ Scan system memory ========================

22:48:54.0793 4052 System memory - ok

22:48:54.0794 4052 ================ Scan services =============================


22:49:06.0814 4052 Ndisuio - ok

22:49:06.0831 4052 [ 53F7305169863F0A2BDDC49E116C2E11 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys

22:49:06.0840 4052 NdisWan - ok

22:49:06.0868 4052 [ 015C0D8E0E0421B4CFD48CFFE2825879 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys

22:49:06.0871 4052 NDProxy - ok

22:49:06.0892 4052 [ 86743D9F5D2B1048062B14B1D84501C4 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys

22:49:06.0906 4052 NetBIOS - ok

22:49:06.0945 4052 [ 09594D1089C523423B32A4229263F068 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys

22:49:06.0950 4052 NetBT - ok

22:49:06.0972 4052 [ C118A82CD78818C29AB228366EBF81C3 ] Netlogon C:\Windows\system32\lsass.exe

22:49:06.0973 4052 Netlogon - ok

22:49:07.0027 4052 [ 847D3AE376C0817161A14A82C8922A9E ] Netman C:\Windows\System32\netman.dll

22:49:07.0034 4052 Netman - ok

22:49:07.0069 4052 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetMsmqActivator c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

22:49:07.0205 4052 NetMsmqActivator - ok

22:49:07.0240 4052 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetPipeActivator c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

22:49:07.0241 4052 NetPipeActivator - ok

22:49:07.0259 4052 [ 5F28111C648F1E24F7DBC87CDEB091B8 ] netprofm C:\Windows\System32\netprofm.dll

22:49:07.0266 4052 netprofm - ok

22:49:07.0324 4052 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpActivator c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

22:49:07.0325 4052 NetTcpActivator - ok

22:49:07.0330 4052 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

22:49:07.0331 4052 NetTcpPortSharing - ok

22:49:07.0371 4052 [ 77889813BE4D166CDAB78DDBA990DA92 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys

22:49:07.0375 4052 nfrd960 - ok

22:49:07.0432 4052 [ 8AD77806D336673F270DB31645267293 ] NlaSvc C:\Windows\System32\nlasvc.dll

22:49:07.0442 4052 NlaSvc - ok

22:49:07.0470 4052 [ 1E4C4AB5C9B8DD13179BBDC75A2A01F7 ] Npfs C:\Windows\system32\drivers\Npfs.sys

22:49:07.0481 4052 Npfs - ok

22:49:07.0508 4052 [ D54BFDF3E0C953F823B3D0BFE4732528 ] nsi C:\Windows\system32\nsisvc.dll

22:49:07.0516 4052 nsi - ok

22:49:07.0525 4052 [ E7F5AE18AF4168178A642A9247C63001 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys

22:49:07.0526 4052 nsiproxy - ok

22:49:07.0629 4052 [ E453ACF4E7D44E5530B5D5F2B9CA8563 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys

22:49:07.0670 4052 Ntfs - ok

22:49:07.0689 4052 [ 9899284589F75FA8724FF3D16AED75C1 ] Null C:\Windows\system32\drivers\Null.sys

22:49:07.0714 4052 Null - ok

22:49:09.0328 4052 [ 5104BAC2DA2A5BDD86AC6B0708B00F06 ] nvlddmkm C:\Windows\system32\DRIVERS\nvlddmkm.sys

22:49:09.0409 4052 nvlddmkm - ok

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan global ===============================

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan MBR ==================================

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan VBR ==================================

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ============================================================

22:49:09.0437 4052 Scan finished

22:49:09.0437 4052 ============================================================

22:49:09.0446 3532 Detected object count: 0

22:49:09.0446 3532 Actual detected object count: 0

22:49:11.0400 4288 Deinitialize success

22:49:36.0616 4496 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

22:49:37.0011 4496 ============================================================

22:49:37.0011 4496 Current date / time: 2012/12/21 22:49:37.0011

22:49:37.0011 4496 SystemInfo:

22:49:37.0011 4496

22:49:37.0011 4496 OS Version: 6.1.7601 ServicePack: 1.0

22:49:37.0011 4496 Product type: Workstation

22:49:37.0011 4496 ComputerName: TYLER-PC

22:49:37.0011 4496 UserName: Tyler

22:49:37.0011 4496 Windows directory: C:\Windows

22:49:37.0011 4496 System windows directory: C:\Windows

22:49:37.0011 4496 Running under WOW64

22:49:37.0011 4496 Processor architecture: Intel x64

22:49:37.0011 4496 Number of processors: 4

22:49:37.0011 4496 Page size: 0x1000

22:49:37.0011 4496 Boot type: Normal boot

22:49:37.0011 4496 ============================================================

22:49:37.0888 4496 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

22:49:37.0893 4496 ============================================================

22:49:37.0893 4496 \Device\Harddisk0\DR0:

22:49:37.0893 4496 MBR partitions:

22:49:37.0893 4496 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1

22:49:37.0893 4496 ============================================================

22:49:37.0913 4496 C: <-> \Device\Harddisk0\DR0\Partition1

22:49:37.0913 4496 ============================================================

22:49:37.0913 4496 Initialize success

22:49:37.0913 4496 ============================================================

22:49:50.0268 4076 Deinitialize success


Did you interrupt the scan???

2:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan global ===============================

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan MBR ==================================

22:49:09.0437 4052 Scan interrupted by user!

22:49:09.0437 4052 ================ Scan VBR ==================================

22:49:09.0437 4052 Scan interrupted by user!

If so, please run it again.....MrC


11:12:51.0752 2944 AsusSE ( UnsignedFile.Multi.Generic ) - skipped by user

11:12:51.0753 2944 AsusSE ( UnsignedFile.Multi.Generic ) - User select action: Skip

11:12:56.0498 0396 Deinitialize success

Didn't you understand my instructions?? It clearly states:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Skip is the correct choice!

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next..............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-12-22.01 - Tyler 12/22/2012 11:41:19.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5119.3460 [GMT -8:00]

Running from: c:\users\Tyler\Downloads\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Vid-Saver

c:\program files (x86)\Vid-Saver\ButtonUtil.dll

c:\program files (x86)\Vid-Saver\Uninstall.exe

c:\program files (x86)\Vid-Saver\Vid-Saver-bg.exe

c:\program files (x86)\Vid-Saver\Vid-Saver.exe

c:\program files (x86)\Vid-Saver\Vid-Saver.ico

c:\program files (x86)\Vid-Saver\Vid-Saver.ini

c:\program files (x86)\Vid-Saver\Vid-SaverInstaller.log

c:\users\Tyler\AppData\Local\Vid-Saver

c:\users\Tyler\AppData\Local\Vid-Saver\Chrome\Vid-Saver.crx

.

.

((((((((((((((((((((((((( Files Created from 2012-11-22 to 2012-12-22 )))))))))))))))))))))))))))))))

.

.

2012-12-22 19:45 . 2012-12-22 19:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-22 06:58 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-22 06:58 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-22 06:58 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-22 06:58 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-22 06:55 . 2012-11-19 09:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DFF44C81-30E2-48B8-9A05-2365AC745635}\mpengine.dll

2012-12-19 06:45 . 2012-12-19 07:07 150640 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-12-19 06:44 . 2012-12-19 07:02 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-12-18 02:32 . 2012-12-18 02:32 -------- d-----w- c:\program files (x86)\Conduit

2012-12-18 02:32 . 2012-12-18 02:32 -------- d-----w- c:\program files (x86)\BitTorrent

2012-12-16 08:54 . 2012-11-28 23:58 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-16 04:24 . 2012-12-16 04:24 -------- d-----w- c:\programdata\Razer

2012-12-13 06:14 . 2012-11-14 07:11 182816 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2012-12-13 06:14 . 2012-11-14 06:00 304640 ----a-w- c:\program files\Internet Explorer\IEShims.dll

2012-12-13 06:14 . 2012-11-14 05:53 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-12-13 06:14 . 2012-11-14 05:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-12-13 06:14 . 2012-11-14 02:56 149552 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll

2012-12-13 06:14 . 2012-11-14 01:51 194048 ----a-w- c:\program files (x86)\Internet Explorer\IEShims.dll

2012-12-13 06:14 . 2012-11-14 01:48 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-12-13 06:14 . 2012-11-14 01:44 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-12-12 20:43 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-12 20:42 . 2012-10-04 17:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-12 18:31 . 2012-12-12 18:31 -------- d-----w- c:\programdata\Malwarebytes

2012-12-12 18:31 . 2012-12-12 18:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-12 18:31 . 2012-09-30 03:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-07 02:26 . 2011-03-25 03:29 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

2012-12-07 02:26 . 2011-03-25 03:29 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2012-12-07 02:26 . 2011-03-25 03:29 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

2012-12-07 02:26 . 2011-03-25 03:29 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

2012-12-07 02:26 . 2011-03-25 03:29 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

2012-12-07 02:26 . 2011-03-25 03:29 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2012-12-07 02:26 . 2011-03-25 03:28 7936 ----a-w- c:\windows\system32\drivers\usbd.sys

2012-12-07 02:25 . 2011-03-11 06:33 2565632 ----a-w- c:\windows\system32\esent.dll

2012-12-07 02:25 . 2011-03-11 06:41 189824 ----a-w- c:\windows\system32\drivers\storport.sys

2012-12-07 02:25 . 2011-03-11 06:41 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys

2012-12-07 02:25 . 2011-03-11 06:41 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys

2012-12-07 02:25 . 2011-03-11 06:41 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2012-12-07 02:25 . 2011-03-11 06:41 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys

2012-12-07 02:25 . 2011-03-11 06:41 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys

2012-12-07 02:25 . 2011-03-11 06:30 96768 ----a-w- c:\windows\system32\fsutil.exe

2012-12-07 02:25 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\SysWow64\esent.dll

2012-12-07 02:25 . 2011-03-11 05:31 74240 ----a-w- c:\windows\SysWow64\fsutil.exe

2012-12-07 02:25 . 2011-03-11 04:37 91648 ----a-w- c:\windows\system32\drivers\USBSTOR.SYS

2012-12-07 00:53 . 2012-12-07 00:53 163056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin

2012-12-06 19:33 . 2012-12-06 19:33 -------- d-----w- c:\program files (x86)\Microsoft.NET

2012-12-06 19:29 . 2012-10-24 17:32 35456 ----a-w- c:\windows\system32\drivers\gfiark.sys

2012-12-06 19:19 . 2012-12-06 19:19 -------- d-----w- c:\windows\SysWow64\Wat

2012-12-06 19:19 . 2012-12-06 19:19 -------- d-----w- c:\windows\system32\Wat

2012-12-06 10:38 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-12-06 10:38 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-12-06 10:38 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-12-06 10:38 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-12-06 10:23 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-12-06 10:23 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-12-06 10:23 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-12-06 10:23 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-12-06 10:23 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-12-06 10:23 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-12-06 10:23 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-12-06 10:22 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-12-06 10:22 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll

2012-12-06 10:22 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll

2012-12-06 10:22 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-12-06 10:22 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2012-12-06 10:01 . 2012-12-06 10:01 -------- dc----w- c:\windows\system32\DRVSTORE

2012-12-06 09:57 . 2012-12-22 19:11 -------- d-----w- c:\program files (x86)\Steam

2012-12-06 09:42 . 2012-12-12 19:01 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-06 09:42 . 2012-12-12 19:01 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-06 09:42 . 2012-12-06 09:42 -------- d-----w- c:\windows\SysWow64\Macromed

2012-12-06 09:42 . 2012-12-06 09:42 -------- d-----w- c:\windows\system32\Macromed

2012-12-06 09:36 . 2011-11-17 06:35 395776 ----a-w- c:\windows\system32\webio.dll

2012-12-06 09:35 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-12-06 09:34 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2012-12-06 09:34 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2012-12-06 09:34 . 2011-03-03 06:24 183296 ----a-w- c:\windows\system32\dnsrslvr.dll

2012-12-06 09:34 . 2011-03-03 06:24 357888 ----a-w- c:\windows\system32\dnsapi.dll

2012-12-06 09:34 . 2011-03-03 06:21 30208 ----a-w- c:\windows\system32\dnscacheugc.exe

2012-12-06 09:34 . 2011-03-03 05:36 28672 ----a-w- c:\windows\SysWow64\dnscacheugc.exe

2012-12-06 09:34 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll

2012-12-06 09:34 . 2012-08-24 16:57 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-12-06 09:32 . 2012-08-11 00:56 715776 ----a-w- c:\windows\system32\kerberos.dll

2012-12-06 09:31 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL

2012-12-06 09:26 . 2012-12-16 04:27 -------- d-----w- c:\program files (x86)\Razer

2012-12-06 08:34 . 2012-12-13 06:13 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2012-12-06 08:34 . 2012-12-06 08:34 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-06 08:33 . 2012-12-13 06:11 -------- d-----w- c:\programdata\Search Protection

2012-12-06 08:31 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-12-06 08:31 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2012-12-06 08:31 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-12-06 08:29 . 2012-12-06 08:29 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-12-06 08:23 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-12-06 08:23 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-12-06 08:23 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-12-06 08:23 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-12-06 08:23 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-12-06 08:23 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-12-06 08:23 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-12-06 08:23 . 2012-06-02 23:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-12-06 08:23 . 2012-06-02 23:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-12-06 08:22 . 2012-12-06 08:22 -------- d-----w- c:\program files (x86)\Cisco

2012-12-06 08:22 . 2012-12-16 09:29 -------- d-sh--w- c:\windows\Installer

2012-12-06 08:22 . 2011-06-29 05:45 1145960 ----a-r- c:\windows\system32\drivers\rtl8192ce.sys

2012-12-06 08:21 . 2011-06-24 00:04 614400 ----a-w- c:\windows\SysWow64\Rtlihvs.dll

2012-12-06 08:21 . 2011-06-24 00:04 380928 ----a-w- c:\windows\RtlUI2.exe

2012-12-06 08:21 . 2011-06-24 00:04 188416 ----a-w- c:\windows\SysWow64\RTLExtUI.dll

2012-12-06 08:21 . 2012-12-06 08:21 -------- d-----w- c:\program files (x86)\ASUS

2012-12-06 08:21 . 2011-06-24 00:04 451072 ----a-w- c:\windows\SysWow64\ISSRemoveSP.exe

2012-12-06 08:21 . 2012-12-06 08:21 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information

2012-12-06 05:29 . 2012-12-18 03:13 -------- d-----w- c:\users\Tyler

2012-12-06 04:52 . 2012-12-06 05:29 -------- d-----w- c:\windows\Panther

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-15 01:44 . 2012-11-15 01:44 56320 ----a-w- c:\windows\SysWow64\rzdevinfo.dll

2012-11-15 01:44 . 2012-11-15 01:44 148480 ----a-w- c:\windows\SysWow64\rztouchdll.dll

2012-11-15 01:44 . 2012-11-15 01:44 617472 ----a-w- c:\windows\SysWow64\rzdevicedll.dll

2012-11-07 07:49 . 2012-11-07 07:49 22016 ----a-w- c:\windows\system32\drivers\rzendpt.sys

2012-11-07 07:49 . 2012-11-07 07:49 113664 ----a-w- c:\windows\system32\drivers\rzudd.sys

2012-11-07 07:47 . 2012-11-07 07:47 182272 ----a-w- c:\windows\SysWow64\rzaudiodll.dll

2012-10-16 08:38 . 2012-12-06 09:32 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-12-06 09:32 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-12-06 09:32 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-11 05:23 . 2012-10-11 05:23 1867112 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2012-10-11 05:23 . 2012-10-11 05:23 18252136 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-10-11 05:23 . 2012-10-11 05:23 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll

2012-10-11 05:23 . 2012-10-11 05:23 6127464 ----a-w- c:\windows\SysWow64\nvopencl.dll

2012-10-11 05:23 . 2012-10-11 05:23 2574696 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2012-10-11 05:23 . 2012-10-11 05:23 25256296 ----a-w- c:\windows\system32\nvcompiler.dll

2012-10-11 05:23 . 2012-10-11 05:23 7414632 ----a-w- c:\windows\system32\nvopencl.dll

2012-10-11 05:23 . 2012-10-11 05:23 2731880 ----a-w- c:\windows\system32\nvapi64.dll

2012-10-11 05:23 . 2009-07-13 21:59 14922600 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-10-11 05:23 . 2012-10-11 05:23 9146728 ----a-w- c:\windows\system32\nvcuda.dll

2012-10-11 05:23 . 2012-10-11 05:23 7697768 ----a-w- c:\windows\SysWow64\nvcuda.dll

2012-10-11 05:23 . 2012-10-11 05:23 2218344 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-10-11 05:23 . 2012-10-11 05:23 12501352 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-10-11 05:22 . 2012-10-11 05:22 2428776 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-10-11 05:22 . 2012-10-11 05:22 26331496 ----a-w- c:\windows\system32\nvoglv64.dll

2012-10-11 05:22 . 2012-10-11 05:22 1760104 ----a-w- c:\windows\system32\nvdispco64.dll

2012-10-11 05:22 . 2012-10-11 05:22 15309160 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-10-11 05:22 . 2012-10-11 05:22 2747240 ----a-w- c:\windows\system32\nvcuvid.dll

2012-10-11 05:22 . 2012-10-11 05:22 19906920 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2012-10-11 05:22 . 2012-10-11 05:22 13443944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-10-11 05:22 . 2012-10-11 05:22 17559912 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2012-10-04 16:40 . 2012-12-12 20:43 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-10-02 21:15 . 2012-10-02 21:15 430952 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-09-28 18:32 . 2012-09-28 18:32 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-09-28 18:32 . 2012-09-28 18:32 53760 ----a-w- c:\windows\system32\drivers\usbaapl64.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}"= "c:\program files (x86)\BitTorrentControl_v12\prxtbBitT.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\BitTorrentControl_v12\prxtbBitT.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}"= "c:\program files (x86)\BitTorrentControl_v12\prxtbBitT.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-06 1354736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorTray.exe" [2009-11-03 2787224]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-11-29 151952]

"Razer Synapse"="c:\program files (x86)\Razer\Synapse\RzSynapse.exe" [2012-12-11 338864]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]

R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-10-24 35456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-06 1255736]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-06 14456]

S0 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-19 36680]

S0 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-19 150640]

S2 AsusSE;AsusSE;c:\program files (x86)\ASUS\PCE-N15 WLAN Card Utilities\RtlService.exe [2011-06-24 36864]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]

S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-06-29 1145960]

S3 rzendpt;rzendpt;c:\windows\system32\DRIVERS\rzendpt.sys [2012-11-07 22016]

S3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys [2012-11-07 113664]

S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 12430567

*NewlyCreated* - 78471908

*Deregistered* - 12430567

*Deregistered* - 78471908

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-22 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-06 19:01]

.

.

--------- X64 Entries -----------

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 64.233.222.2 64.233.222.7

FF - ProfilePath - c:\users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3225826&q=&SearchSource=2

FF - ExtSQL: 2012-12-17 18:32; crossriderapp3491@crossrider.com; c:\users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\crossriderapp3491@crossrider.com

FF - ExtSQL: 2012-12-17 18:32; {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}; c:\users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-SearchProtection - c:\programdata\Search Protection\_run.bat

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

SafeBoot-12430567.sys

SafeBoot-59491204.sys

WebBrowser-{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14} - (no file)

AddRemove-Vid-Saver - c:\program files (x86)\Vid-Saver\Uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{6C97A91E-4524-4019-86AF-2AA2D567BF5C}"=hex:51,66,7a,6c,4c,1d,38,12,70,aa,84,

68,16,0b,77,05,f9,b9,69,e2,d0,39,fb,48

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:00,7a,d4,06,3f,d6,cd,01

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-22 11:48:07

ComboFix-quarantined-files.txt 2012-12-22 19:48

.

Pre-Run: 114,148,990,976 bytes free

Post-Run: 114,249,273,344 bytes free

.

- - End Of File - - DDF67D6572B1C13FD0C47AA1679D7798


Looks Good...........let's check the system for adware>>>

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


# AdwCleaner v2.101 - Logfile created 12/22/2012 at 12:25:01

# Updated 16/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Tyler - TYLER-PC

# Boot Mode : Normal

# Running from : C:\Users\Tyler\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\BitTorrentControl_v12

Folder Found : C:\Program Files (x86)\Conduit

Folder Found : C:\ProgramData\search protection

Folder Found : C:\Users\Tyler\AppData\Local\Conduit

Folder Found : C:\Users\Tyler\AppData\LocalLow\BitTorrentControl_v12

Folder Found : C:\Users\Tyler\AppData\LocalLow\Conduit

Folder Found : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\CT3225826

Folder Found : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}

Folder Found : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\Smartbar

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\BitTorrentControl_v12

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

Key Found : HKCU\Software\AppDataLow\Software\Crossrider

Key Found : HKCU\Software\AppDataLow\Software\SmartBar

Key Found : HKCU\Software\AppDataLow\Toolbar

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\InstalledBrowserExtensions

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

Key Found : HKLM\Software\BitTorrentControl_v12

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3225826

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{780FE963-1BA3-4BA7-AA06-0DCF2AA2EB4A}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0570996-6959-4EF8-9C1F-07CF33D15623}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentControl_v12 Toolbar

Key Found : HKU\S-1-5-21-73233574-1750012809-2388504430-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default-1354787696471 [Profil par défaut]

File : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\prefs.js

Found : user_pref("CT3225826.BT_Stats.enc", "eyJsYXN0X2xvZyI6MTM1NTc5Nzk4MywidXVpZCI6OTQxMzQ0OTA4ODg3NDQwLCJ[...]

Found : user_pref("CT3225826.BT_Usage.enc", "eyJ1dWlkIjo5NDEzNDQ5MDg4ODc0NDAsInNlcV9pZCI6Mn0=");

Found : user_pref("CT3225826.CBOpenMAMSettings.enc", "MA==");

Found : user_pref("CT3225826.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"false\"}");

Found : user_pref("CT3225826.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]

Found : user_pref("CT3225826.FirstTime", "true");

Found : user_pref("CT3225826.FirstTimeFF3", "true");

Found : user_pref("CT3225826.LoginRevertSettingsEnabled", true);

Found : user_pref("CT3225826.RevertSettingsEnabled", true);

Found : user_pref("CT3225826.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]

Found : user_pref("CT3225826.UserID", "UN62439443661763463");

Found : user_pref("CT3225826.addressBarTakeOverEnabledInHidden", "true");

Found : user_pref("CT3225826.autoDisableScopes", 0);

Found : user_pref("CT3225826.browser.search.defaultthis.engineName", true);

Found : user_pref("CT3225826.cbcountry_001.enc", "VVM=");

Found : user_pref("CT3225826.cbfirsttime.enc", "TW9uIERlYyAxNyAyMDEyIDE4OjMzOjAzIEdNVC0wODAwIChQYWNpZmljIFN0[...]

Found : user_pref("CT3225826.defaultSearch", "true");

Found : user_pref("CT3225826.embeddedsData", "[{\"appId\":\"129830626805552092\",\"apiPermissions\":{\"cross[...]

Found : user_pref("CT3225826.enableAlerts", "always");

Found : user_pref("CT3225826.enableSearchFromAddressBar", "true");

Found : user_pref("CT3225826.firstTimeDialogOpened", "true");

Found : user_pref("CT3225826.fixPageNotFoundError", "true");

Found : user_pref("CT3225826.fixPageNotFoundErrorInHidden", "true");

Found : user_pref("CT3225826.fixUrls", true);

Found : user_pref("CT3225826.hxxp___toolbar_utorrent_com.APP_WIN_FEATURES.enc", "cmVzaXphYmxlPTAsc2F2ZXJlc2l[...]

Found : user_pref("CT3225826.installType", "xpe");

Found : user_pref("CT3225826.isCheckedStartAsHidden", true);

Found : user_pref("CT3225826.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");

Found : user_pref("CT3225826.isFirstTimeToolbarLoading", "false");

Found : user_pref("CT3225826.isNewTabEnabled", false);

Found : user_pref("CT3225826.isPerformedSmartBarTransition", "true");

Found : user_pref("CT3225826.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");

Found : user_pref("CT3225826.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");

Found : user_pref("CT3225826.keyword", true);

Found : user_pref("CT3225826.migrateAppsAndComponents", true);

Found : user_pref("CT3225826.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"about[...]

Found : user_pref("CT3225826.openThankYouPage", "true");

Found : user_pref("CT3225826.openUninstallPage", "false");

Found : user_pref("CT3225826.revertSettingsEnabled", "false");

Found : user_pref("CT3225826.search.searchAppId", "129830626805552092");

Found : user_pref("CT3225826.search.searchCount", "1");

Found : user_pref("CT3225826.searchInNewTabEnabled", "false");

Found : user_pref("CT3225826.searchInNewTabEnabledInHidden", "true");

Found : user_pref("CT3225826.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");

Found : user_pref("CT3225826.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"false\"}");

Found : user_pref("CT3225826.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]

Found : user_pref("CT3225826.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"3\[...]

Found : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]

Found : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]

Found : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]

Found : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]

Found : user_pref("CT3225826.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1355797982555");

Found : user_pref("CT3225826.serviceLayer_services_appsMetadata_lastUpdate", "1355797982545");

Found : user_pref("CT3225826.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1355797982935");

Found : user_pref("CT3225826.serviceLayer_services_login_10.13.40.15_lastUpdate", "1355797983045");

Found : user_pref("CT3225826.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1355797983006");

Found : user_pref("CT3225826.serviceLayer_services_searchAPI_lastUpdate", "1355797981694");

Found : user_pref("CT3225826.serviceLayer_services_serviceMap_lastUpdate", "1355797981503");

Found : user_pref("CT3225826.serviceLayer_services_toolbarContextMenu_lastUpdate", "1355797982972");

Found : user_pref("CT3225826.serviceLayer_services_toolbarSettings_lastUpdate", "1355797981604");

Found : user_pref("CT3225826.serviceLayer_services_translation_lastUpdate", "1355797982549");

Found : user_pref("CT3225826.settingsINI", true);

Found : user_pref("CT3225826.shouldFirstTimeDialog", "false");

Found : user_pref("CT3225826.smartbar.CTID", "CT3225826");

Found : user_pref("CT3225826.smartbar.Uninstall", "0");

Found : user_pref("CT3225826.smartbar.homepage", true);

Found : user_pref("CT3225826.smartbar.toolbarName", "BitTorrentControl_v12 ");

Found : user_pref("CT3225826.startPage", "TRUE");

Found : user_pref("CT3225826.toolbarBornServerTime", "18-12-2012");

Found : user_pref("CT3225826.toolbarCurrentServerTime", "18-12-2012");

Found : user_pref("CT3225826.toolbarDisabled", "true");

Found : user_pref("CT3225826.url_history0001.enc", "aHR0cDovL3d3dy5mYWNlYm9vay5jb20vamVubmlmZXIuZXBwbGV5Ojo6[...]

Found : user_pref("CT3225826_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]

Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=1[...]

Found : user_pref("Smartbar.ConduitSearchEngineList", "");

Found : user_pref("Smartbar.ConduitSearchUrlList", "");

Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3225826");

Found : user_pref("extensions.crossriderapp3491.3491.InstallationThankYouPage", true);

Found : user_pref("extensions.crossriderapp3491.3491.InstallationTime", 1355797967);

Found : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.searchUserConifrmation", false[...]

Found : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setHomepage", false);

Found : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setNewTab", false);

Found : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setSearch", false);

Found : user_pref("extensions.crossriderapp3491.3491.active", true);

Found : user_pref("extensions.crossriderapp3491.3491.addressbar", "");

Found : user_pref("extensions.crossriderapp3491.3491.addressbarenhanced", "");

Found : user_pref("extensions.crossriderapp3491.3491.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]

Found : user_pref("extensions.crossriderapp3491.3491.backgroundver", 12);

Found : user_pref("extensions.crossriderapp3491.3491.can_run_bg_code", true);

Found : user_pref("extensions.crossriderapp3491.3491.certdomaininstaller", "");

Found : user_pref("extensions.crossriderapp3491.3491.changeprevious", false);

Found : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.value", "1355797967");

Found : user_pref("extensions.crossriderapp3491.3491.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.value", "1355797967");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.expiration", "Mon Dec 17 2012 19:[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.expiration", "Mon Dec 24 2012 [...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.value", "%22US%22");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.value", "1355800517");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.value", "%221%22");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.value", "%2296989%22");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.value", "1355798003726");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.value", "%221147%22");

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.value", "%22120486%22");

Found : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]

Found : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.value", "1355797985541");

Found : user_pref("extensions.crossriderapp3491.3491.description", "Vid-Saver allows you to download your fa[...]

Found : user_pref("extensions.crossriderapp3491.3491.domain", "");

Found : user_pref("extensions.crossriderapp3491.3491.enablesearch", false);

Found : user_pref("extensions.crossriderapp3491.3491.fbremoteurl", "");

Found : user_pref("extensions.crossriderapp3491.3491.group", 0);

Found : user_pref("extensions.crossriderapp3491.3491.homepage", "");

Found : user_pref("extensions.crossriderapp3491.3491.iframe", false);

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.value", "60");

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.value", "0");

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.value", "%7B%7D");

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.expiration", "Tue Dec 18[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.value", "true");

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.value", "%7B%7D");

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.SoftwareDetected.expiration", "Fri Feb 01 20[...]

Found : user_pref("extensions.crossriderapp3491.3491.internaldb.SoftwareDetected.value", "%7B%22AnySoftware%[...]

Found : user_pref("extensions.crossriderapp3491.3491.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]

Found : user_pref("extensions.crossriderapp3491.3491.manifesturl", "");

Found : user_pref("extensions.crossriderapp3491.3491.name", "Vid-Saver");

Found : user_pref("extensions.crossriderapp3491.3491.newtab", "");

Found : user_pref("extensions.crossriderapp3491.3491.opensearch", "");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.name", "GPL Plugin (Loader)");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.ver", 7);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.name", "GPL Background (BG)");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.ver", 4);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.name", "CrossriderAppUtils");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.ver", 2);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.name", "CrossriderUtils");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.ver", 2);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.name", "FacebookFFIE");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.ver", 1);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.name", "FFAppAPIWrapper");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.ver", 4);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.name", "jQuery");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.ver", 3);

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.name", "resources_background");

Found : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.ver", 1);

Found : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_0", "17,14,16,47,1000015");

Found : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_1", "17,14,13,16,15,1000014");

Found : user_pref("extensions.crossriderapp3491.3491.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]

Found : user_pref("extensions.crossriderapp3491.3491.pluginsversion", 17);

Found : user_pref("extensions.crossriderapp3491.3491.publisher", "215 Apps");

Found : user_pref("extensions.crossriderapp3491.3491.searchstatus", 0);

Found : user_pref("extensions.crossriderapp3491.3491.setnewtab", false);

Found : user_pref("extensions.crossriderapp3491.3491.settingsurl", "");

Found : user_pref("extensions.crossriderapp3491.3491.thankyou", "hxxp://vid-saver.com/thankyou.html");

Found : user_pref("extensions.crossriderapp3491.3491.updateinterval", 360);

Found : user_pref("extensions.crossriderapp3491.3491.ver", 60);

Found : user_pref("extensions.crossriderapp3491.adsOldValue", -1);

Found : user_pref("extensions.crossriderapp3491.apps", "3491");

Found : user_pref("extensions.crossriderapp3491.bic", "13babdb67367d04609b3dea956535a23");

Found : user_pref("extensions.crossriderapp3491.cid", 3491);

Found : user_pref("extensions.crossriderapp3491.firstrun", false);

Found : user_pref("extensions.crossriderapp3491.hadappinstalled", true);

Found : user_pref("extensions.crossriderapp3491.installationdate", 1355797981);

Found : user_pref("extensions.crossriderapp3491.lastcheck", 22596633);

Found : user_pref("extensions.crossriderapp3491.lastcheckitem", 22596676);

Found : user_pref("extensions.crossriderapp3491.modetype", "production");

Found : user_pref("extensions.crossriderapp3491.reportInstall", true);

Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3225826&q=&SearchSource=2[...]

Found : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=13[...]

Found : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]

-\\ Google Chrome v [unable to get version]

File : C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.1] : urls_to_restore_on_startup ={"homepage":"hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48","homepage_is_newtabpage":false,"session":{"restore_on_startup":4,["hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48"]},"extensions":{"settings":{"dknkjnkhedbanphkkpbpcgoblmkbfhlf":{"ack_external":true}}}}

*************************

AdwCleaner[R1].txt - [21597 octets] - [22/12/2012 12:25:01]

########## EOF - C:\AdwCleaner[R1].txt - [21658 octets] ##########


Lots of adware found... let's clear it out.

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~~~~

Then..........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.
  • Do Not Attach It!!!

MrC


# AdwCleaner v2.101 - Logfile created 12/22/2012 at 12:56:52

# Updated 16/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Tyler - TYLER-PC

# Boot Mode : Normal

# Running from : C:\Users\Tyler\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\BitTorrentControl_v12

Folder Deleted : C:\Program Files (x86)\Conduit

Folder Deleted : C:\ProgramData\search protection

Folder Deleted : C:\Users\Tyler\AppData\Local\Conduit

Folder Deleted : C:\Users\Tyler\AppData\LocalLow\BitTorrentControl_v12

Folder Deleted : C:\Users\Tyler\AppData\LocalLow\Conduit

Folder Deleted : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\CT3225826

Folder Deleted : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\extensions\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}

Folder Deleted : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\Smartbar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\BitTorrentControl_v12

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

Key Deleted : HKCU\Software\AppDataLow\Toolbar

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\InstalledBrowserExtensions

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

Key Deleted : HKLM\Software\BitTorrentControl_v12

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3225826

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E20AC1DB-792A-41CC-BC36-70C2EFE618C2}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{780FE963-1BA3-4BA7-AA06-0DCF2AA2EB4A}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0570996-6959-4EF8-9C1F-07CF33D15623}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentControl_v12 Toolbar

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826 --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default-1354787696471 [Profil par défaut]

File : C:\Users\Tyler\AppData\Roaming\Mozilla\Firefox\Profiles\l7s5cx94.default-1354787696471\prefs.js

Deleted : user_pref("CT3225826.BT_Stats.enc", "eyJsYXN0X2xvZyI6MTM1NTc5Nzk4MywidXVpZCI6OTQxMzQ0OTA4ODg3NDQwLCJ[...]

Deleted : user_pref("CT3225826.BT_Usage.enc", "eyJ1dWlkIjo5NDEzNDQ5MDg4ODc0NDAsInNlcV9pZCI6Mn0=");

Deleted : user_pref("CT3225826.CBOpenMAMSettings.enc", "MA==");

Deleted : user_pref("CT3225826.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"false\"}");

Deleted : user_pref("CT3225826.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]

Deleted : user_pref("CT3225826.FirstTime", "true");

Deleted : user_pref("CT3225826.FirstTimeFF3", "true");

Deleted : user_pref("CT3225826.LoginRevertSettingsEnabled", true);

Deleted : user_pref("CT3225826.RevertSettingsEnabled", true);

Deleted : user_pref("CT3225826.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]

Deleted : user_pref("CT3225826.UserID", "UN62439443661763463");

Deleted : user_pref("CT3225826.addressBarTakeOverEnabledInHidden", "true");

Deleted : user_pref("CT3225826.autoDisableScopes", 0);

Deleted : user_pref("CT3225826.browser.search.defaultthis.engineName", true);

Deleted : user_pref("CT3225826.cbcountry_001.enc", "VVM=");

Deleted : user_pref("CT3225826.cbfirsttime.enc", "TW9uIERlYyAxNyAyMDEyIDE4OjMzOjAzIEdNVC0wODAwIChQYWNpZmljIFN0[...]

Deleted : user_pref("CT3225826.defaultSearch", "true");

Deleted : user_pref("CT3225826.embeddedsData", "[{\"appId\":\"129830626805552092\",\"apiPermissions\":{\"cross[...]

Deleted : user_pref("CT3225826.enableAlerts", "always");

Deleted : user_pref("CT3225826.enableSearchFromAddressBar", "true");

Deleted : user_pref("CT3225826.firstTimeDialogOpened", "true");

Deleted : user_pref("CT3225826.fixPageNotFoundError", "true");

Deleted : user_pref("CT3225826.fixPageNotFoundErrorInHidden", "true");

Deleted : user_pref("CT3225826.fixUrls", true);

Deleted : user_pref("CT3225826.hxxp___toolbar_utorrent_com.APP_WIN_FEATURES.enc", "cmVzaXphYmxlPTAsc2F2ZXJlc2l[...]

Deleted : user_pref("CT3225826.installType", "xpe");

Deleted : user_pref("CT3225826.isCheckedStartAsHidden", true);

Deleted : user_pref("CT3225826.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");

Deleted : user_pref("CT3225826.isFirstTimeToolbarLoading", "false");

Deleted : user_pref("CT3225826.isNewTabEnabled", false);

Deleted : user_pref("CT3225826.isPerformedSmartBarTransition", "true");

Deleted : user_pref("CT3225826.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");

Deleted : user_pref("CT3225826.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");

Deleted : user_pref("CT3225826.keyword", true);

Deleted : user_pref("CT3225826.migrateAppsAndComponents", true);

Deleted : user_pref("CT3225826.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"about[...]

Deleted : user_pref("CT3225826.openThankYouPage", "true");

Deleted : user_pref("CT3225826.openUninstallPage", "false");

Deleted : user_pref("CT3225826.revertSettingsEnabled", "false");

Deleted : user_pref("CT3225826.search.searchAppId", "129830626805552092");

Deleted : user_pref("CT3225826.search.searchCount", "1");

Deleted : user_pref("CT3225826.searchInNewTabEnabled", "false");

Deleted : user_pref("CT3225826.searchInNewTabEnabledInHidden", "true");

Deleted : user_pref("CT3225826.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");

Deleted : user_pref("CT3225826.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"false\"}");

Deleted : user_pref("CT3225826.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]

Deleted : user_pref("CT3225826.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"3\[...]

Deleted : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]

Deleted : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]

Deleted : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]

Deleted : user_pref("CT3225826.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]

Deleted : user_pref("CT3225826.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1355797982555");

Deleted : user_pref("CT3225826.serviceLayer_services_appsMetadata_lastUpdate", "1355797982545");

Deleted : user_pref("CT3225826.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1355797982935");

Deleted : user_pref("CT3225826.serviceLayer_services_login_10.13.40.15_lastUpdate", "1355797983045");

Deleted : user_pref("CT3225826.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1355797983006");

Deleted : user_pref("CT3225826.serviceLayer_services_searchAPI_lastUpdate", "1355797981694");

Deleted : user_pref("CT3225826.serviceLayer_services_serviceMap_lastUpdate", "1355797981503");

Deleted : user_pref("CT3225826.serviceLayer_services_toolbarContextMenu_lastUpdate", "1355797982972");

Deleted : user_pref("CT3225826.serviceLayer_services_toolbarSettings_lastUpdate", "1355797981604");

Deleted : user_pref("CT3225826.serviceLayer_services_translation_lastUpdate", "1355797982549");

Deleted : user_pref("CT3225826.settingsINI", true);

Deleted : user_pref("CT3225826.shouldFirstTimeDialog", "false");

Deleted : user_pref("CT3225826.smartbar.CTID", "CT3225826");

Deleted : user_pref("CT3225826.smartbar.Uninstall", "0");

Deleted : user_pref("CT3225826.smartbar.homepage", true);

Deleted : user_pref("CT3225826.smartbar.toolbarName", "BitTorrentControl_v12 ");

Deleted : user_pref("CT3225826.startPage", "TRUE");

Deleted : user_pref("CT3225826.toolbarBornServerTime", "18-12-2012");

Deleted : user_pref("CT3225826.toolbarCurrentServerTime", "18-12-2012");

Deleted : user_pref("CT3225826.toolbarDisabled", "true");

Deleted : user_pref("CT3225826.url_history0001.enc", "aHR0cDovL3d3dy5mYWNlYm9vay5jb20vamVubmlmZXIuZXBwbGV5Ojo6[...]

Deleted : user_pref("CT3225826_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]

Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=1[...]

Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");

Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");

Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3225826");

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationThankYouPage", true);

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationTime", 1355797967);

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.searchUserConifrmation", false[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setHomepage", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setNewTab", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationUserSettings.setSearch", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.active", true);

Deleted : user_pref("extensions.crossriderapp3491.3491.addressbar", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.addressbarenhanced", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.backgroundver", 12);

Deleted : user_pref("extensions.crossriderapp3491.3491.can_run_bg_code", true);

Deleted : user_pref("extensions.crossriderapp3491.3491.certdomaininstaller", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.changeprevious", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.value", "1355797967");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.value", "1355797967");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.expiration", "Mon Dec 17 2012 19:[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.expiration", "Mon Dec 24 2012 [...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.value", "%22US%22");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.value", "1355800517");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.value", "%221%22");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.value", "%2296989%22");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.value", "1355798003726");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.value", "%221147%22");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.value", "%22120486%22");

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.value", "1355797985541");

Deleted : user_pref("extensions.crossriderapp3491.3491.description", "Vid-Saver allows you to download your fa[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.domain", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.enablesearch", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.fbremoteurl", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.group", 0);

Deleted : user_pref("extensions.crossriderapp3491.3491.homepage", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.iframe", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.value", "60");

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.value", "0");

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.expiration", "Tue Dec 18[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.value", "true");

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.SoftwareDetected.expiration", "Fri Feb 01 20[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.SoftwareDetected.value", "%7B%22AnySoftware%[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.manifesturl", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.name", "Vid-Saver");

Deleted : user_pref("extensions.crossriderapp3491.3491.newtab", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.opensearch", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.name", "GPL Plugin (Loader)");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.ver", 7);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.name", "GPL Background (BG)");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.ver", 4);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.name", "CrossriderAppUtils");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.ver", 2);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.name", "CrossriderUtils");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.ver", 2);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.name", "FacebookFFIE");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.ver", 1);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.name", "FFAppAPIWrapper");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.ver", 4);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.name", "jQuery");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.ver", 3);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.name", "resources_background");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.ver", 1);

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_0", "17,14,16,47,1000015");

Deleted : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_1", "17,14,13,16,15,1000014");

Deleted : user_pref("extensions.crossriderapp3491.3491.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]

Deleted : user_pref("extensions.crossriderapp3491.3491.pluginsversion", 17);

Deleted : user_pref("extensions.crossriderapp3491.3491.publisher", "215 Apps");

Deleted : user_pref("extensions.crossriderapp3491.3491.searchstatus", 0);

Deleted : user_pref("extensions.crossriderapp3491.3491.setnewtab", false);

Deleted : user_pref("extensions.crossriderapp3491.3491.settingsurl", "");

Deleted : user_pref("extensions.crossriderapp3491.3491.thankyou", "hxxp://vid-saver.com/thankyou.html");

Deleted : user_pref("extensions.crossriderapp3491.3491.updateinterval", 360);

Deleted : user_pref("extensions.crossriderapp3491.3491.ver", 60);

Deleted : user_pref("extensions.crossriderapp3491.adsOldValue", -1);

Deleted : user_pref("extensions.crossriderapp3491.apps", "3491");

Deleted : user_pref("extensions.crossriderapp3491.bic", "13babdb67367d04609b3dea956535a23");

Deleted : user_pref("extensions.crossriderapp3491.cid", 3491);

Deleted : user_pref("extensions.crossriderapp3491.firstrun", false);

Deleted : user_pref("extensions.crossriderapp3491.hadappinstalled", true);

Deleted : user_pref("extensions.crossriderapp3491.installationdate", 1355797981);

Deleted : user_pref("extensions.crossriderapp3491.lastcheck", 22596633);

Deleted : user_pref("extensions.crossriderapp3491.lastcheckitem", 22596676);

Deleted : user_pref("extensions.crossriderapp3491.modetype", "production");

Deleted : user_pref("extensions.crossriderapp3491.reportInstall", true);

Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3225826&q=&SearchSource=2[...]

Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=13[...]

Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]

-\\ Google Chrome v [unable to get version]

File : C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1] : urls_to_restore_on_startup ={"homepage":"hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48","homepage_is_newtabpage":fal[...]

*************************

AdwCleaner[R1].txt - [21726 octets] - [22/12/2012 12:25:01]

AdwCleaner[s1].txt - [21818 octets] - [22/12/2012 12:56:52]

########## EOF - C:\AdwCleaner[s1].txt - [21879 octets] ##########

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Adobe Flash Player 11.5.502.135

Mozilla Firefox (17.0.1)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


Looks Good!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

