Possible Mebroot Trojan


  • This topic is locked
15 replies to this topic

#1 ButchSOA

ButchSOA

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 28 August 2010 - 12:11 PM

A few days ago, I received a call from Symantec stating that my laptop was infected with Mebroot Trojan. I called Comcast, my IP, who confirmed that the call was from Symantec. Symantec could not provide any further info to me except to run the antivirus. I ran Norton, and it showed nothing. I have since run Malwarebytes and nothing there either. I was able to run DDS and will post that info. When I tried to run GMER, it would not allow me to mark the appropriate ticks, so when I did the scan it said there was nothing to report. I am running Windows 7 64bit - Home Premium on an eMachines E725. Is there an issue with Win7 and GMER or am I doing something wrong? Thank you for your help.


DDS (Ver_10-03-17.01) - NTFSX64
Run by BUTCH at 11:34:54.90 on Sat 08/28/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3002.1843 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\PROGRA~2\MICROS~2\wkcalrem.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [LManager] c:\program files (x86)\launch manager\LManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "c:\program files (x86)\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://82.135.124.180/activex/AMC.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files (x86)\norton security suite\engine\3.8.0.41\CoIEPlg.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [IAAnotif] c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Acer ePower Management] c:\program files\emachines\emachines power management\ePowerTray.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360x64\0308000.029\SymEFA64.sys [2010-2-28 402992]
R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\system32\drivers\n360x64\0308000.029\BHDrvx64.sys [2010-2-28 334384]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360x64\0308000.029\cchpx64.sys [2010-2-28 583296]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100827.001\IDSviA64.sys [2010-8-28 463408]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 ePowerSvc;Acer ePower Service;c:\program files\emachines\emachines power management\ePowerSvc.exe [2009-11-5 844320]
R2 Greg_Service;GRegService;c:\program files (x86)\emachines\registration\GregHSRW.exe [2009-8-28 1150496]
R2 N360;Norton Security Suite;c:\program files (x86)\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-28 117640]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2009-6-17 144640]
R2 Updater Service;Updater Service;c:\program files\emachines\emachines updater\UpdaterService.exe [2009-11-5 240160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 132656]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x64.sys [2009-11-13 67072]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360x64\0308000.029\symndisv.sys [2010-2-28 56880]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-2-28 135664]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\newtech infosystems\nti backup now 5\BackupSvc.exe [2009-6-17 50432]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-5 225280]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1255736]

=============== Created Last 30 ================

2010-08-28 14:32:53 0 ----a-w- c:\users\butch\defogger_reenable
2010-08-28 13:08:52 0 d-----w- c:\users\butch\appdata\roaming\Malwarebytes
2010-08-28 13:08:44 0 d-----w- c:\programdata\Malwarebytes
2010-08-28 13:08:43 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 13:08:43 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-24 23:15:24 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-24 23:15:22 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-17 23:48:59 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-17 23:48:59 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-08-17 23:48:56 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-17 23:48:56 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-17 23:48:56 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-17 23:48:51 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-17 23:48:47 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-17 23:48:46 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-08-17 23:48:45 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-08-03 18:53:07 12867584 ----a-w- c:\windows\syswow64\shell32.dll

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-02 01:23:00 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:35:21.03 ===============


#2 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:01:15 AM

Posted 04 September 2010 - 06:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 05 September 2010 - 07:59 AM

Hi and thanks for your help. I followed your instructions, and again was able to run DDS, but am still having the same issue with gmer. I cannot tick any of the items that the instructions say that I should. Here are the 2 files you requested. Today is the first time I've been on the laptop since posting the original information. It is running pretty slow, which is not normal.


DDS (Ver_10-03-17.01) - NTFSX64
Run by BUTCH at 7:52:11.66 on Sun 09/05/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3002.1766 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\PROGRA~2\MICROS~2\wkcalrem.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\BUTCH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5HCS6MHF\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273602108735l04f4z1j5r44m2025n
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\syswow64\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [LManager] c:\program files (x86)\launch manager\LManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "c:\program files (x86)\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://82.135.124.180/activex/AMC.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files (x86)\norton security suite\engine\3.8.0.41\CoIEPlg.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [IAAnotif] c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Acer ePower Management] c:\program files\emachines\emachines power management\ePowerTray.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360x64\0308000.029\SymEFA64.sys [2010-2-28 402992]
R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\system32\drivers\n360x64\0308000.029\BHDrvx64.sys [2010-2-28 334384]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360x64\0308000.029\cchpx64.sys [2010-2-28 583296]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100903.003\IDSviA64.sys [2010-9-5 463408]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 ePowerSvc;Acer ePower Service;c:\program files\emachines\emachines power management\ePowerSvc.exe [2009-11-5 844320]
R2 Greg_Service;GRegService;c:\program files (x86)\emachines\registration\GregHSRW.exe [2009-8-28 1150496]
R2 N360;Norton Security Suite;c:\program files (x86)\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-28 117640]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2009-6-17 144640]
R2 Updater Service;Updater Service;c:\program files\emachines\emachines updater\UpdaterService.exe [2009-11-5 240160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 132656]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x64.sys [2009-11-13 67072]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360x64\0308000.029\symndisv.sys [2010-2-28 56880]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-2-28 135664]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\newtech infosystems\nti backup now 5\BackupSvc.exe [2009-6-17 50432]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-5 225280]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1255736]

=============== Created Last 30 ================

2010-08-28 14:32:53 0 ----a-w- c:\users\butch\defogger_reenable
2010-08-28 13:08:52 0 d-----w- c:\users\butch\appdata\roaming\Malwarebytes
2010-08-28 13:08:44 0 d-----w- c:\programdata\Malwarebytes
2010-08-28 13:08:43 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 13:08:43 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-24 23:15:24 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-24 23:15:22 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-17 23:48:59 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-17 23:48:59 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-08-17 23:48:56 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-17 23:48:56 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-17 23:48:56 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-17 23:48:51 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-17 23:48:47 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-17 23:48:46 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-08-17 23:48:45 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-02 01:23:00 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 7:52:44.56 ===============




#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 06 September 2010 - 05:17 PM

Hello, ButchSOA.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1

GMER won't work since you're running 64 bit.

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:15 AM

Posted 07 September 2010 - 07:14 AM

Here is the MBRCheck information you requested.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: eMachines
BIOS Manufacturer: eMachines
System Manufacturer: eMachines
System Product Name: eMachines E725
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 190):
0x02A68000 \SystemRoot\system32\ntoskrnl.exe
0x02A1F000 \SystemRoot\system32\hal.dll
0x00BB0000 \SystemRoot\system32\kdcom.dll
0x00C63000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CA7000 \SystemRoot\system32\PSHED.dll
0x00CBB000 \SystemRoot\system32\CLFS.SYS
0x00D19000 \SystemRoot\system32\CI.dll
0x00E3E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EE2000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00EF1000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00F48000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00F51000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00F5B000 \SystemRoot\system32\DRIVERS\pci.sys
0x00F8E000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00F9B000 \SystemRoot\System32\drivers\partmgr.sys
0x00FB0000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00FB9000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00FC5000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00FDA000 \SystemRoot\System32\drivers\mountmgr.sys
0x010CA000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x011E6000 \SystemRoot\system32\DRIVERS\atapi.sys
0x01000000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x0102A000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x01035000 \SystemRoot\system32\drivers\fltmgr.sys
0x01081000 \SystemRoot\system32\drivers\fileinfo.sys
0x01249000 \SystemRoot\system32\drivers\N360x64\0308000.029\SYMEFA64.SYS
0x0144F000 \SystemRoot\System32\Drivers\Ntfs.sys
0x012B0000 \SystemRoot\System32\Drivers\msrpc.sys
0x01400000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0130E000 \SystemRoot\System32\Drivers\cng.sys
0x0141A000 \SystemRoot\System32\drivers\pcw.sys
0x0142B000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0160F000 \SystemRoot\system32\drivers\ndis.sys
0x01701000 \SystemRoot\system32\drivers\NETIO.SYS
0x01761000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01800000 \SystemRoot\System32\drivers\tcpip.sys
0x0178C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01381000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x017D6000 \SystemRoot\System32\Drivers\spldr.sys
0x01200000 \SystemRoot\System32\drivers\rdyboost.sys
0x017DE000 \SystemRoot\System32\Drivers\mup.sys
0x017F0000 \SystemRoot\System32\drivers\hwpolicy.sys
0x00E00000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01435000 \SystemRoot\system32\DRIVERS\disk.sys
0x013CD000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x03A00000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03A2A000 \SystemRoot\System32\Drivers\Null.SYS
0x03A33000 \SystemRoot\System32\Drivers\Beep.SYS
0x03A3A000 \SystemRoot\System32\drivers\vga.sys
0x03A48000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03A6D000 \SystemRoot\System32\drivers\watchdog.sys
0x03A7D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03A86000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03A8F000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03A98000 \SystemRoot\System32\Drivers\Msfs.SYS
0x03AA3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01095000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03AB4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02CF6000 \SystemRoot\System32\Drivers\N360x64\0308000.029\SYMTDI.SYS
0x02D42000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x02D78000 \SystemRoot\System32\Drivers\N360x64\0308000.029\SYMNDISV.SYS
0x02D88000 \SystemRoot\System32\Drivers\N360x64\0308000.029\SYMFW.SYS
0x02C00000 \SystemRoot\system32\drivers\afd.sys
0x02C8A000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02CCF000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02DAA000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02DD0000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x02DE6000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x02DF1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02CD8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x010B3000 \SystemRoot\system32\DRIVERS\termdd.sys
0x00DD9000 \SystemRoot\system32\drivers\N360x64\0308000.029\SRTSPX64.SYS
0x03E10000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03E61000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03E6D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03EEE000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x03F64000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x03F89000 \SystemRoot\System32\drivers\discache.sys
0x03F98000 \SystemRoot\System32\Drivers\dfsc.sys
0x03C13000 \SystemRoot\System32\Drivers\N360x64\0308000.029\ccHPx64.sys
0x03CA6000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03CB7000 \SystemRoot\System32\Drivers\N360x64\0308000.029\BHDrvx64.sys
0x03D0E000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03D34000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0483A000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x04045000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04139000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0417F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x0418C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x041E2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04000000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x050D4000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x053AF000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x053BC000 \SystemRoot\system32\DRIVERS\L1C62x64.sys
0x053D1000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x053D6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x053F4000 \SystemRoot\SysWOW64\Drivers\DKbFltr.sys
0x05000000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0500F000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x05058000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x0505A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x05069000 \??\C:\Windows\system32\drivers\UBHelper.sys
0x05071000 \??\C:\Windows\system32\drivers\NTIDrvr.sys
0x05079000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x05086000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x0508F000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x0509F000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04F42000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x050B5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04F66000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04024000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x04F95000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04FB6000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x050C1000 \SystemRoot\system32\DRIVERS\swenum.sys
0x03D4A000 \SystemRoot\system32\DRIVERS\ks.sys
0x04FD0000 \SystemRoot\system32\DRIVERS\umbus.sys
0x03D8D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04FE2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04420000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x03FB6000 \SystemRoot\system32\drivers\portcls.sys
0x04800000 \SystemRoot\system32\drivers\drmk.sys
0x04400000 \SystemRoot\system32\drivers\ksthunk.sys
0x04414000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x00080000 \SystemRoot\System32\win32k.sys
0x041F3000 \SystemRoot\System32\drivers\Dxapi.sys
0x00490000 \SystemRoot\System32\TSDDD.dll
0x00730000 \SystemRoot\System32\cdd.dll
0x03AC1000 \SystemRoot\system32\DRIVERS\udfs.sys
0x03B15000 \SystemRoot\system32\drivers\luafv.sys
0x03C00000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02647000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x02763000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x02776000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0278B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x027DE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x02600000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03B38000 \SystemRoot\system32\drivers\HTTP.sys
0x02618000 \SystemRoot\system32\DRIVERS\bowser.sys
0x034FB000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03513000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x03540000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0358E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x03400000 \SystemRoot\system32\drivers\peauth.sys
0x034A6000 \SystemRoot\System32\Drivers\secdrv.SYS
0x034B1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x034DE000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0583D000 \SystemRoot\System32\DRIVERS\srv2.sys
0x058A5000 \SystemRoot\System32\DRIVERS\srv.sys
0x0593B000 \SystemRoot\System32\Drivers\N360x64\0308000.029\SRTSP64.SYS
0x077EA000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x059B9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x059C7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x059E0000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x06413000 \SystemRoot\system32\DRIVERS\monitor.sys
0x06421000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100906.024\EX64.SYS
0x065DB000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100906.024\ENG64.SYS
0x07600000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100906.001\IDSvia64.sys
0x77A20000 \Windows\System32\ntdll.dll
0x47860000 \Windows\System32\smss.exe
0xFFD40000 \Windows\System32\apisetschema.dll
0xFFAE0000 \Windows\System32\autochk.exe
0xFFC60000 \Windows\System32\usp10.dll
0xFFA80000 \Windows\System32\setupapi.dll
0xFFA60000 \Windows\System32\imagehlp.dll
0xFF980000 \Windows\System32\advapi32.dll
0xFF960000 \Windows\System32\sechost.dll
0xFF750000 \Windows\System32\ole32.dll
0x77BF0000 \Windows\System32\normaliz.dll
0xFF4F0000 \Windows\System32\iertutil.dll
0x77920000 \Windows\System32\user32.dll
0xFE760000 \Windows\System32\shell32.dll
0xFE750000 \Windows\System32\lpk.dll
0x77800000 \Windows\System32\kernel32.dll
0xFE6B0000 \Windows\System32\msvcrt.dll
0xFE5D0000 \Windows\System32\oleaut32.dll
0xFE5A0000 \Windows\System32\imm32.dll
0xFE530000 \Windows\System32\gdi32.dll
0xFE4B0000 \Windows\System32\difxapi.dll
0xFE460000 \Windows\System32\ws2_32.dll
0xFE410000 \Windows\System32\Wldap32.dll
0xFE290000 \Windows\System32\urlmon.dll
0xFE210000 \Windows\System32\shlwapi.dll
0xFE100000 \Windows\System32\msctf.dll
0x77BE0000 \Windows\System32\psapi.dll
0xFDFD0000 \Windows\System32\wininet.dll
0xFDF30000 \Windows\System32\clbcatq.dll
0xFDF20000 \Windows\System32\nsi.dll
0xFDDF0000 \Windows\System32\rpcrt4.dll
0xFDD50000 \Windows\System32\comdlg32.dll

Processes (total 73):
0 System Idle Process
4 System
296 C:\Windows\System32\smss.exe
448 csrss.exe
488 C:\Windows\System32\wininit.exe
500 csrss.exe
548 C:\Windows\System32\services.exe
556 C:\Windows\System32\lsass.exe
572 C:\Windows\System32\lsm.exe
596 C:\Windows\System32\winlogon.exe
708 C:\Windows\System32\svchost.exe
796 C:\Windows\System32\svchost.exe
884 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\svchost.exe
952 C:\Windows\System32\svchost.exe
440 C:\Windows\System32\svchost.exe
948 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\wlanext.exe
1196 C:\Windows\System32\conhost.exe
1272 C:\Windows\System32\spoolsv.exe
1312 C:\Windows\System32\svchost.exe
1424 C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
1480 C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
1600 C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
1696 C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
1892 C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
1988 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
724 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1620 C:\Windows\System32\SearchIndexer.exe
2084 C:\Windows\System32\svchost.exe
2128 C:\Windows\System32\svchost.exe
2420 C:\Windows\System32\taskhost.exe
2476 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2648 C:\Windows\System32\rundll32.exe
2804 C:\Windows\System32\dwm.exe
2852 C:\Windows\explorer.exe
3024 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3016 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2788 C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
2384 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2716 C:\Windows\System32\igfxtray.exe
1672 C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
1572 C:\Windows\System32\hkcmd.exe
992 C:\Windows\System32\igfxpers.exe
3168 C:\Windows\System32\igfxsrvc.exe
3244 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
3284 C:\Windows\System32\wbem\unsecapp.exe
3692 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3724 WmiPrvSE.exe
3996 C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
4032 C:\Program Files (x86)\Launch Manager\LManager.exe
2824 C:\Windows\System32\svchost.exe
1280 C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
2448 C:\Program Files\Windows Media Player\wmpnetwk.exe
2864 C:\PROGRA~2\MICROS~2\WkCalRem.exe
4796 C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
2156 C:\Windows\System32\svchost.exe
2204 C:\Program Files (x86)\Internet Explorer\iexplore.exe
4420 C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
4376 C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
4368 C:\Program Files (x86)\Internet Explorer\iexplore.exe
2464 C:\Windows\System32\taskeng.exe
3228 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
3192 C:\Windows\System32\audiodg.exe
3060 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3216 C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
5020 C:\Windows\SysWOW64\dllhost.exe
1636 C:\Windows\System32\SearchProtocolHost.exe
4916 C:\Windows\System32\SearchFilterHost.exe
2728 dllhost.exe
152 dllhost.exe
4092 C:\Users\BUTCH\Desktop\MBRCheck.exe
2656 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`069e5800 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVT-22A23T0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
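To show what the "MBR code detected" and SHA1 lines in the MBRCheck output above represent, here is an added Python example; it is not MBRCheck's code and it does not read the poster's disk. It parses a constructed 512-byte MBR, validates the 0x55AA boot signature, decodes the partition table, hashes the 440-byte bootstrap-code region and compares the digest against an allowlist of known-good hashes. The sample bootstrap bytes, the disk signature, the partition layout and the allowlist entry are all constructed for this example; a real baseline would be the hash of the bootstrap code for the installed Windows version, taken from a trusted source.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code precedes the 4-byte disk signature at offset 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed sample bootstrap code (a short prologue padded with NOPs).
# It is NOT the real Windows 7 MBR code; it only gives the example something to hash.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 32


def build_sample_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from constructed parts (helper for this example only)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = b"\x12\x34\x56\x78"          # constructed NT disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # CHS fields are set to the conventional 0xFEFFFF placeholder (LBA values are what matter)
        mbr[off:off + PART_ENTRY_LEN] = struct.pack(
            PART_ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Validate the boot signature, hash the boot-code region and decode the partition table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue                               # empty partition slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": partitions,
    }


def classify_mbr(mbr, known_good):
    """Return the allowlist label for the boot code, or flag it as non-standard."""
    digest = parse_mbr(mbr)["boot_code_sha1"]
    return known_good.get(digest, "non-standard MBR code: compare against a trusted baseline")


# Constructed sample: one bootable NTFS partition and one NTFS data partition.
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 2048, 204800),
                                                 (0x00, 0x07, 206848, 1000000)])

# The allowlist is seeded from the constructed sample. A real allowlist holds the
# hashes of the bootstrap code shipped with the installed OS version.
KNOWN_GOOD = {hashlib.sha1(SAMPLE_MBR[:BOOT_CODE_LEN]).hexdigest().upper():
              "constructed baseline MBR code"}

# Simulated tampering: a single byte changed in the bootstrap area is enough to
# move the digest off the allowlist, which is what a "non-standard" verdict means.
_tampered = bytearray(SAMPLE_MBR)
_tampered[0] = 0xEB
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for label, mbr in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(label, info["boot_code_sha1"], classify_mbr(mbr, KNOWN_GOOD))
        for p in info["partitions"]:
            print("  partition %d type 0x%02x LBA %d sectors %d"
                  % (p["index"], p["type"], p["lba_start"], p["sectors"]))
```

On a live Windows system the same parser can be fed the first 512 bytes of `\\.\PhysicalDrive0` (opened with administrator rights); the value of the check comes entirely from the trustworthiness of the baseline hashes, and a reader-side tool like this cannot see past a rootkit that filters disk reads, which is why the helper above treats a clean MBRCheck result as one data point rather than proof.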

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 08 September 2010 - 05:22 PM

Hello, ButchSOA.
Hmmm, that's a clean scan. Do you have any other computers connected to the internet they could have been calling about? If so, please run MBR Check and post the logs like you just did. If not, let me know and we can dig deeper...there is a potential for an MBR infection to be hidden unless we do some advanced stuff to look for it. I like to start with the simple approaches.

Also, on this machine, please run a Kaspersky scan. It will take several hours depending on the number of files.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:15 AM

Posted 09 September 2010 - 06:38 AM

I ran Kaspersky, and it came back with no infections. So does that mean I'm ok?

#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 09 September 2010 - 06:14 PM

Likely, but I'm still concerned since you got a call. Are there other computers connected to your network they may have been calling about?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#10 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:15 AM

Posted 09 September 2010 - 08:17 PM

Yes, there was, but I've since gotten rid of it as it was 4 years old. All I have now is the laptop.

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 10 September 2010 - 05:11 PM

Ok, it could be really well hidden, but I'm inclined to think it was a false alarm, unless you're noticing other issues. Redirected Google searches, pop up advertisements, audio ads that just start playing on their own, system crawling along all of a sudden, that kind of thing. Any of those symptoms?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#12 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:15 AM

Posted 10 September 2010 - 08:16 PM

No, none at all. The only issue, and I'm thinking it's because of all of the bloatware, is it is slow to start up. This laptop is just a backup system used specifically to surf. I think I probably just need to do a clean up of all that stuff, and it will be fine.

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 11 September 2010 - 06:50 AM

Hello, ButchSOA.

Agreed. It appears clean to me based on the lack of symptoms and the logs. Try StartupLite below...it's from the makers of MBAM and helps you to improve your boot times.




Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updating the languages and/or dictionaries is optional.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of the three (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
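The hosts-file mechanism that the "Protect yourself from malicious sites" section above relies on, as an added Python example that is neither HostsMan's code nor anything from the post: it parses hosts-file syntax (comments, tabs, several names per line, IPv4 and IPv6), answers whether a name is sinkholed, and flags the two patterns worth checking a hosts file for from the defender's side: entries that override update or security-vendor domains (so updates silently fail) and names mapped to routable addresses (a redirect rather than a block). The sample hosts content, the domain names and the protected-domain list are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file. The first block is what a blocklist like the one
# HostsMan installs looks like; the last two entries are what a tampered file looks like.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   tracker.example.net   # blocklist entries
0.0.0.0\tmalware-download.example.org
# the two entries below are constructed examples of tampering
127.0.0.1       www.windowsupdate.com
203.0.113.7     www.mybank.example
"""

# Domains a blocklist has no business overriding (constructed list; extend per environment).
PROTECTED_SUFFIXES = ["windowsupdate.com", "antivirus-vendor.example"]


def is_sinkhole(addr):
    """True for the addresses a blocklist legitimately points names at (0.0.0.0, 127.x, ::, ::1)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return {hostname: (address, line_number)}; the first entry for a name wins."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()                      # any run of spaces/tabs separates fields
        if len(fields) < 2:
            continue                               # address with no names: ignore
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                               # malformed address: resolver ignores it too
        for host in fields[1:]:
            entries.setdefault(host.lower(), (addr, lineno))
    return entries


def is_blocked(entries, hostname):
    """True when the hosts file sinkholes this name (case-insensitive lookup)."""
    rec = entries.get(hostname.lower())
    return rec is not None and is_sinkhole(rec[0])


def find_suspicious(entries, protected_suffixes):
    """Flag entries that override protected domains or map a name to a routable address."""
    findings = []
    for host, (addr, lineno) in entries.items():
        if any(host == s or host.endswith("." + s) for s in protected_suffixes):
            findings.append((lineno, host, addr, "overrides an update/security domain"))
        elif not is_sinkhole(addr):
            findings.append((lineno, host, addr, "maps a name to a routable address"))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.mybank.example", "unknown.example"):
        print(name, "blocked" if is_blocked(hosts, name) else "not blocked")
    for lineno, host, addr, reason in find_suspicious(hosts, PROTECTED_SUFFIXES):
        print("line %d: %s -> %s (%s)" % (lineno, host, addr, reason))
```

The two findings the sample produces are the ones a reviewer looks for after a blocklist update or when a machine can no longer reach update servers: an update domain pinned to loopback, and a name that resolves to a real address instead of a sinkhole.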
 


#14 ButchSOA

ButchSOA
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:15 AM

Posted 11 September 2010 - 07:56 AM

Thank you very much! I appreciate you taking the time to help me out.

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 11 September 2010 - 03:49 PM

no problem....safe surfing!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




