
rikvm_C6F09094.sys


  • This topic is locked
12 replies to this topic

#1 LewofViriginia


Posted 13 November 2011 - 12:38 PM

Hello,

I believe I have what appears to be an infection of my MBR with rikvm_C6F09094.sys. I discovered this problem using Norton Power Eraser. Unfortunately, NPE does not permanently fix the problem, as the file reoccurs after a reboot. I used MBRCheck to verify that the file is on my system; see results below. I also used SystemLook, but that program cannot locate it. I lastly tried Windows Explorer, showing hidden files and not hiding nonstandard system files, and still cannot find it. I have read about at least one other such infection, which occurred about two months ago and was fixed using this forum, specifically with Combofix. I see plenty of warnings about Combofix, so I prefer to have an expert guide me through a fix. Please help.

Results of MBRCheck:


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Hewlett-Packard
System Product Name: HPE-580t
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 202):
0x02E67000 \SystemRoot\system32\ntoskrnl.exe
0x02E1E000 \SystemRoot\system32\hal.dll
0x00BA4000 \SystemRoot\system32\kdcom.dll
0x00CF7000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00D46000 \SystemRoot\system32\PSHED.dll
0x00D5A000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00E2B000 \SystemRoot\System32\drivers\FLTMGR.SYS
0x00E77000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F1B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F2A000 \SystemRoot\system32\drivers\ACPI.sys
0x00F81000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00F8A000 \SystemRoot\system32\drivers\msisadrv.sys
0x00F94000 \SystemRoot\system32\drivers\pci.sys
0x00FC7000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00FD4000 \SystemRoot\System32\drivers\partmgr.sys
0x00FE9000 \SystemRoot\system32\drivers\volmgr.sys
0x01021000 \SystemRoot\System32\drivers\volmgrx.sys
0x0107D000 \SystemRoot\System32\drivers\mountmgr.sys
0x012C9000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x014D3000 \SystemRoot\system32\DRIVERS\jraid.sys
0x014F1000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x01520000 \SystemRoot\system32\drivers\amdxata.sys
0x0152B000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS
0x0159C000 \SystemRoot\system32\drivers\fileinfo.sys
0x01097000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS
0x01640000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01200000 \SystemRoot\System32\Drivers\msrpc.sys
0x017E3000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0117B000 \SystemRoot\System32\Drivers\cng.sys
0x01600000 \SystemRoot\System32\drivers\pcw.sys
0x01611000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01827000 \SystemRoot\system32\drivers\ndis.sys
0x0191A000 \SystemRoot\system32\drivers\NETIO.SYS
0x0197A000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01ADB000 \SystemRoot\System32\drivers\tcpip.sys
0x01CDF000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01D29000 \SystemRoot\system32\drivers\volsnap.sys
0x01D75000 \SystemRoot\System32\Drivers\spldr.sys
0x01D7D000 \SystemRoot\System32\drivers\rdyboost.sys
0x01DB7000 \SystemRoot\System32\Drivers\mup.sys
0x01DC9000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01A00000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01A3A000 \SystemRoot\system32\DRIVERS\disk.sys
0x01A50000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x048BF000 \SystemRoot\system32\drivers\cdrom.sys
0x048E9000 \SystemRoot\System32\Drivers\Null.SYS
0x048F2000 \SystemRoot\System32\Drivers\Beep.SYS
0x048F9000 \SystemRoot\System32\drivers\vga.sys
0x04907000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x0492C000 \SystemRoot\System32\drivers\watchdog.sys
0x0493C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x04945000 \SystemRoot\system32\drivers\rdpencdd.sys
0x0494E000 \SystemRoot\system32\drivers\rdprefmp.sys
0x04957000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04962000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04973000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04995000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04600000 \SystemRoot\system32\drivers\afd.sys
0x049A2000 \SystemRoot\System32\DRIVERS\netbt.sys
0x049E7000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x01A8E000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04689000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x049F0000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x01AB4000 \SystemRoot\system32\DRIVERS\netbios.sys
0x01DD2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x01AC3000 \SystemRoot\system32\drivers\termdd.sys
0x0125E000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMNETS.SYS
0x019A5000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x015B0000 \SystemRoot\system32\drivers\NISx64\1206000.01D\Ironx64.SYS
0x019DB000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SRTSPX64.SYS
0x04C72000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04CC3000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04CCF000 \SystemRoot\system32\drivers\mssmbios.sys
0x04CDA000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20111111.030\IDSvia64.sys
0x04D57000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x04DD0000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x04C00000 \SystemRoot\System32\drivers\discache.sys
0x04C0F000 \SystemRoot\System32\Drivers\dfsc.sys
0x04C2D000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04001000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20111027.001\BHDrvx64.sys
0x04120000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04146000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F44F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x100BC000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x100BE000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x101B2000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0F400000 \SystemRoot\system32\drivers\HDAudBus.sys
0x0415C000 \SystemRoot\system32\DRIVERS\e1y62x64.sys
0x0F424000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x041A5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0F431000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04EDE000 \SystemRoot\system32\DRIVERS\netr28x.sys
0x04FDA000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x04E00000 \SystemRoot\system32\drivers\1394ohci.sys
0x04E3E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x04E4B000 \SystemRoot\system32\drivers\CompositeBus.sys
0x04E5B000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04E71000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04E95000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04EA1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04C3E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x01800000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0161B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04FE7000 \SystemRoot\system32\drivers\kbdclass.sys
0x04C59000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04FF6000 \SystemRoot\system32\DRIVERS\serscan.sys
0x04ED0000 \SystemRoot\system32\drivers\ksthunk.sys
0x00DB8000 \SystemRoot\system32\drivers\ks.sys
0x04ED6000 \SystemRoot\system32\drivers\swenum.sys
0x054CA000 \SystemRoot\system32\DRIVERS\MarvinBus64.sys
0x0550E000 \SystemRoot\system32\drivers\umbus.sys
0x05520000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0557A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0558F000 \SystemRoot\system32\drivers\nvhda64v.sys
0x055B2000 \SystemRoot\system32\drivers\portcls.sys
0x05400000 \SystemRoot\system32\drivers\drmk.sys
0x06A14000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x000E0000 \SystemRoot\System32\win32k.sys
0x06C71000 \SystemRoot\System32\drivers\Dxapi.sys
0x06C7D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06C9A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06C9C000 \SystemRoot\System32\Drivers\nx6000.sys
0x06CA9000 \SystemRoot\System32\Drivers\usbvideo.sys
0x06CD7000 \SystemRoot\system32\drivers\usbaudio.sys
0x06CF2000 \SystemRoot\system32\DRIVERS\monitor.sys
0x06D00000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x06D1B000 \SystemRoot\System32\Drivers\crashdmp.sys
0x0469F000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x06D29000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x06D3C000 \SystemRoot\system32\drivers\hidusb.sys
0x06D4A000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x06D63000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x06D6C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x06D79000 \SystemRoot\system32\drivers\kbdhid.sys
0x004C0000 \SystemRoot\System32\TSDDD.dll
0x00720000 \SystemRoot\System32\cdd.dll
0x00850000 \SystemRoot\System32\ATMFD.DLL
0x06D87000 \SystemRoot\system32\drivers\luafv.sys
0x06DAA000 \SystemRoot\system32\drivers\WudfPf.sys
0x06DCB000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x05422000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x06DE0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x05475000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x06DF3000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x03C83000 \SystemRoot\system32\drivers\HTTP.sys
0x03D4C000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03D6A000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03D82000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x03DAF000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x03C00000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0662E000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys
0x06E54000 \SystemRoot\system32\drivers\peauth.sys
0x06EFA000 \SystemRoot\System32\Drivers\secdrv.SYS
0x06F05000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x06F36000 \SystemRoot\System32\drivers\tcpipreg.sys
0x06F48000 \SystemRoot\System32\DRIVERS\srv2.sys
0x07AD4000 \SystemRoot\System32\DRIVERS\srv.sys
0x07A00000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SRTSP64.SYS
0x08001000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20111112.009\EX64.SYS
0x07B6C000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20111112.009\ENG64.SYS
0x07B8C000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x77130000 \Windows\System32\ntdll.dll
0x47CF0000 \Windows\System32\smss.exe
0xFF450000 \Windows\System32\apisetschema.dll
0xFFDF0000 \Windows\System32\autochk.exe
0x77300000 \Windows\System32\psapi.dll
0xFF230000 \Windows\System32\ole32.dll
0x77010000 \Windows\System32\kernel32.dll
0x76F10000 \Windows\System32\user32.dll
0xFF1B0000 \Windows\System32\difxapi.dll
0xFF0E0000 \Windows\System32\usp10.dll
0xFF070000 \Windows\System32\gdi32.dll
0xFF020000 \Windows\System32\ws2_32.dll
0xFEFC0000 \Windows\System32\Wldap32.dll
0xFEEB0000 \Windows\System32\msctf.dll
0x772F0000 \Windows\System32\normaliz.dll
0xFEEA0000 \Windows\System32\lpk.dll
0xFEE00000 \Windows\System32\comdlg32.dll
0xFEDE0000 \Windows\System32\sechost.dll
0xFED60000 \Windows\System32\shlwapi.dll
0xFEC30000 \Windows\System32\rpcrt4.dll
0xFEA50000 \Windows\System32\setupapi.dll
0xFE9B0000 \Windows\System32\clbcatq.dll
0xFE8D0000 \Windows\System32\advapi32.dll
0xFE7F0000 \Windows\System32\oleaut32.dll
0xFE750000 \Windows\System32\msvcrt.dll
0x76D00000 \Windows\System32\iertutil.dll
0xFD9C0000 \Windows\System32\shell32.dll
0xFD9B0000 \Windows\System32\nsi.dll
0x76BB0000 \Windows\System32\urlmon.dll
0xFD980000 \Windows\System32\imm32.dll
0x76A50000 \Windows\System32\wininet.dll
0xFD960000 \Windows\System32\imagehlp.dll
0xFD8F0000 \Windows\System32\KernelBase.dll
0xFD850000 \Windows\System32\comctl32.dll
0xFD830000 \Windows\System32\devobj.dll
0xFD7F0000 \Windows\System32\cfgmgr32.dll
0xFD680000 \Windows\System32\crypt32.dll
0xFD640000 \Windows\System32\wintrust.dll
0xFD630000 \Windows\System32\msasn1.dll
0x766D0000 \Windows\SysWOW64\normaliz.dll

Processes (total 79):
0 System Idle Process
4 System
372 C:\Windows\System32\smss.exe
556 csrss.exe
644 C:\Windows\System32\wininit.exe
668 csrss.exe
708 C:\Windows\System32\winlogon.exe
752 C:\Windows\System32\services.exe
772 C:\Windows\System32\lsass.exe
780 C:\Windows\System32\lsm.exe
880 C:\Windows\System32\svchost.exe
944 C:\Windows\System32\nvvsvc.exe
984 C:\Windows\System32\svchost.exe
388 C:\Windows\System32\svchost.exe
612 C:\Windows\System32\svchost.exe
672 C:\Windows\System32\svchost.exe
1092 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1352 C:\Windows\System32\spoolsv.exe
1380 C:\Windows\System32\svchost.exe
1464 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1692 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1820 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1832 C:\Windows\System32\nvvsvc.exe
1908 C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
1944 C:\Program Files\Bonjour\mDNSResponder.exe
2032 C:\Windows\System32\svchost.exe
1160 C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
1480 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
1512 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1756 C:\Program Files\Microsoft LifeCam\MSCamS64.exe
1780 C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
1732 C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
1664 C:\Program Files (x86)\PDF Complete\pdfsvc.exe
2136 svchost.exe
2156 C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
2184 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
2252 C:\Windows\System32\svchost.exe
2276 C:\Windows\System32\Wacom_Tablet.exe
2364 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2468 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2612 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3304 C:\Windows\System32\SearchIndexer.exe
3728 C:\Windows\System32\svchost.exe
2012 WUDFHost.exe
3992 C:\Windows\SysWOW64\svchost.exe
2820 C:\Windows\System32\taskhost.exe
3616 C:\Windows\System32\dwm.exe
3972 C:\Windows\explorer.exe
4020 C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
4256 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
4316 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
4324 C:\Program Files\Windows Sidebar\sidebar.exe
4884 C:\Program Files\Windows Media Player\wmpnetwk.exe
4988 C:\Windows\System32\svchost.exe
1268 C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
4388 C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
4340 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
4224 C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
3384 C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
3372 C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
3368 C:\Program Files (x86)\iTunes\iTunesHelper.exe
3388 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
4660 C:\Program Files\iPod\bin\iPodService.exe
2488 dllhost.exe
2556 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
4284 C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
4608 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
4820 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
3204 C:\Windows\System32\taskeng.exe
5320 C:\Windows\System32\audiodg.exe
4248 taskhost.exe
2076 C:\Windows\System32\SearchProtocolHost.exe
896 C:\Windows\System32\SearchFilterHost.exe
5904 C:\Users\Public\Downloads\Norton\{NIS19113-SHPD-FSD21017}\NISDownloader(1).exe
3108 dllhost.exe
4352 dllhost.exe
3496 C:\Users\Lew and Kathy\Downloads\MBRCheck.exe
2644 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000015a`0bc00000 (NTFS)

PhysicalDrive0 Model Number: ST31500341AS, Rev: HP23

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 10DA4C6BE93A6ECFB90BB4DA0ADFBE9D7E11813E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
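The discrepancy described in the post, a driver that MBRCheck lists as loaded in the kernel but that Explorer and SystemLook cannot find on disk, is a cross-view check that can be scripted. The following is an added example, not code from the thread or from MBRCheck's author; the log excerpt and the on-disk listing are constructed, `C:\Windows` is assumed as the SystemRoot, and the `exists` callback is injected so the same logic runs against a live system with `os.path.exists`.

```python
"""Cross-view check over the 'Kernel Drivers' section of an MBRCheck log.

A kernel module that is loaded in memory (MBRCheck's view) but whose backing
file cannot be found on disk (Explorer / SystemLook's view) is a classic
rootkit indicator: the driver hides its own file from user-mode enumeration.
"""
import re
from typing import Callable, Dict, List, Tuple

# One entry per loaded module, e.g.
# "0x0662E000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys"
_ENTRY_RE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*?)\s*$")


def parse_kernel_drivers(log_text: str) -> List[Tuple[str, str]]:
    """Return (base_address, nt_path) pairs from the 'Kernel Drivers' section."""
    entries: List[Tuple[str, str]] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():            # first blank line after entries ends the section
            if entries:
                break
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nt_to_win_path(nt_path: str, system_root: str = r"C:\Windows") -> str:
    r"""Map an NT object path as printed by MBRCheck to a Win32 path.

    \SystemRoot\...  -> <system_root>\...
    \??\C:\...       -> C:\...
    \Windows\...     -> <system drive>\Windows\...  (user-mode DLLs are listed this way)
    system_root is an assumption; read it from %SystemRoot% on a live system.
    """
    if nt_path.startswith("\\SystemRoot\\"):
        return system_root + nt_path[len("\\SystemRoot"):]
    if nt_path.startswith("\\??\\"):
        return nt_path[len("\\??\\"):]
    if nt_path.startswith("\\") and not nt_path.startswith("\\\\"):
        return system_root[:2] + nt_path
    return nt_path


def find_unbacked_modules(entries: List[Tuple[str, str]],
                          exists: Callable[[str], bool],
                          system_root: str = r"C:\Windows") -> List[Dict[str, str]]:
    """Return loaded modules whose Win32 path the `exists` callback cannot see.

    A hit is an indicator, not proof: a file deleted after the driver was loaded
    (e.g. by a cleanup tool before the reboot) looks the same, so confirm that the
    module is still loaded and still missing after a restart, as the post describes.
    """
    findings = []
    for addr, nt_path in entries:
        win_path = nt_to_win_path(nt_path, system_root)
        if not exists(win_path):
            findings.append({"base": addr, "nt_path": nt_path, "win_path": win_path})
    return findings


# Constructed excerpt in MBRCheck's output format (names taken from the thread).
SAMPLE_LOG = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Kernel Drivers (total 4):
0x02E67000 \SystemRoot\system32\ntoskrnl.exe
0x01640000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0662E000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys
0x77130000 \Windows\System32\ntdll.dll

Processes (total 1):
4 System
"""

# Constructed on-disk view (what Explorer / SystemLook would enumerate);
# the hidden driver's file is deliberately absent. Paths are lower-cased
# because NTFS lookups are case-insensitive.
KNOWN_ON_DISK = {
    r"c:\windows\system32\ntoskrnl.exe",
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\ntdll.dll",
}


def fake_exists(path: str) -> bool:
    return path.lower() in KNOWN_ON_DISK


def demo() -> List[str]:
    """Run the cross-view check over the sample; return the unbacked file names."""
    findings = find_unbacked_modules(parse_kernel_drivers(SAMPLE_LOG), fake_exists)
    return [f["win_path"].rsplit("\\", 1)[-1] for f in findings]


if __name__ == "__main__":
    # On a live system pass os.path.exists instead of fake_exists.
    for f in find_unbacked_modules(parse_kernel_drivers(SAMPLE_LOG), fake_exists):
        print(f"{f['base']} loaded but not on disk: {f['win_path']}")
```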


#2 Orange Blossom


Posted 13 November 2011 - 01:45 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 LewofViriginia


Posted 13 November 2011 - 06:35 PM

When running Norton Power Eraser, I received a message stating that rikvm_C6F09094.sys is in my MBR. NPE erases this file, but it reappears the next time I start my computer. After reading several blogs on several websites, I believe that my MBR is infected. In fact, after running MBRCheck, I received the following in the printout:

0x0662E000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys

and

PhysicalDrive0 Model Number: ST31500341AS, Rev: HP23

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 10DA4C6BE93A6ECFB90BB4DA0ADFBE9D7E11813E


Found non-standard or infected MBR.



I skipped step 8 of the instructions because I am running a 64-bit version of Windows 7.


DDS.txt shows the following:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Lew and Kathy at 18:06:39 on 2011-11-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8183.6076 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=101706&l=dis
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\coIEPlg.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\LEWAND~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\Users\Lew and Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
StartupFolder: C:\Users\LEWAND~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\XPS2ON~1.LNK - C:\Users\Lew and Kathy\AppData\Roaming\Microsoft\Installer\{6DD7A9DA-6732-47D2-8362-6A12BD0EA053}\_FBB2488C0F33C1DFE6AC1F.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{8DA1C02D-8484-4550-9DF2-4BDAA57F5D28} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\coIEPlg.dll
TB-X64: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [(Default)]
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lew and Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\7t1onoai.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1301010.003\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1301010.003\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1301010.003\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1301010.003\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20110901.001\BHDrvx64.sys [2011-11-13 1151096]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1301010.003\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1301010.003\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20110726.001\IDSviA64.sys [2011-11-13 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1301010.003\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1301010.003\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1301010.003\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1301010.003\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-8-20 92216]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-2-24 13336]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.1.1.3\ccSvcHst.exe [2011-11-13 138760]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-2-24 1121304]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-4-16 1153368]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\system32\Wacom_Tablet.exe --> C:\Windows\system32\Wacom_Tablet.exe [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-9 138360]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2011/02/23 23:25:35;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2011-2-24 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-7 136176]
S2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-8-5 681528]
S2 HPHNDUSVC;HP Home Network Diagnostic Support Service;C:\Windows\system32\svchost.exe -k HPHNDUService [2009-7-13 20992]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-7 136176]
S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2011-11-13 23:01:18 -------- d-----w- C:\Windows\System32\drivers\NISx64\1302000.00A
2011-11-13 16:11:23 729720 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\srtsp64.sys
2011-11-13 16:11:23 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\SymDS64.sys
2011-11-13 16:11:23 401016 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\symnets.sys
2011-11-13 16:11:23 37496 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\srtspx64.sys
2011-11-13 16:11:23 189560 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\Ironx64.sys
2011-11-13 16:11:23 167048 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\ccSetx64.sys
2011-11-13 16:11:23 1084536 ----a-r- C:\Windows\System32\drivers\NISx64\1301010.003\SymEFA64.sys
2011-11-13 16:11:19 -------- d-----w- C:\Windows\System32\drivers\NISx64\1301010.003
2011-11-13 06:09:05 -------- d-----w- C:\Users\Lew and Kathy\AppData\Roaming\Tific
2011-11-13 00:07:21 -------- d-----w- C:\Users\Lew and Kathy\AppData\Local\NPE
2011-11-12 23:43:04 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-11-12 23:42:38 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0401000.00F
2011-11-12 23:42:38 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2011-11-12 23:42:37 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2011-11-09 01:07:42 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 01:07:42 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 01:07:40 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 01:07:39 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-03 01:10:49 -------- d-----w- C:\Users\Lew and Kathy\AppData\Local\Akamai
2011-11-02 00:03:38 -------- d-----w- C:\Users\Lew and Kathy\.idlerc
2011-11-01 23:59:09 -------- d-----w- C:\Python27
.
==================== Find3M ====================
.
2011-11-13 16:11:32 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-10-26 22:20:23 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-17 05:26:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-08-17 05:25:08 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-08-17 04:24:12 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
.
============= FINISH: 18:07:13.70 ===============

Edited by Orange Blossom, 14 November 2011 - 02:11 AM.
Merged topics. ~ OB


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,729 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:19 PM

Posted 18 November 2011 - 12:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427711 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 LewofViriginia

LewofViriginia
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 19 November 2011 - 06:24 PM

Hello,

I believe what appears to be an infection of my MBR with rikvm_C6F09094.sys. I discovered this problem using Norton Power Eraser. Unfortunately, NPE does not permanently fix the problem as file reoccurs after a reboot. I used MBRCheck to verify that the file is on my system, see results below. I also used SystemLook, but that program cannot locate it. I lastly tried Windows Explorer, showing hidden files and not hiding nonstandard system files, and still cannot find it. I have read about at least one other infection, which occurred about two months ago, which was fixed using this forum, specifically Combofix. I see plenty of warnings with Combofix, so I prefer to have an expert guide me through a fix. Please help.

OS: Windows 7 Premium - 64 bit

I do NOT have a Windows CD or DVD.

#################################################################################
Select lines from the MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Hewlett-Packard
System Product Name: HPE-580t
Logical Drives Mask: 0x000003fc

0x07C41000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys (this is the file in question that Norton Power Eraser says is an infection)

PhysicalDrive0 Model Number: ST31500341AS, Rev: HP23

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 10DA4C6BE93A6ECFB90BB4DA0ADFBE9D7E11813E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
#########################################################################################



#########################################################################################
Results of DDS.txt


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Lew and Kathy at 18:11:53 on 2011-11-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8183.6008 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=101706&l=dis
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\LEWAND~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\Users\Lew and Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
StartupFolder: C:\Users\LEWAND~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\XPS2ON~1.LNK - C:\Users\Lew and Kathy\AppData\Roaming\Microsoft\Installer\{6DD7A9DA-6732-47D2-8362-6A12BD0EA053}\_FBB2488C0F33C1DFE6AC1F.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{8DA1C02D-8484-4550-9DF2-4BDAA57F5D28} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB-X64: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.7\pdfforgeToolbarIE.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [(Default)]
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lew and Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\7t1onoai.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20111114.002\BHDrvx64.sys [2011-11-14 1156216]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20111118.030\IDSviA64.sys [2011-11-18 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-2-24 13336]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [2011-11-13 138760]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-2-24 1121304]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-4-16 1153368]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\system32\Wacom_Tablet.exe --> C:\Windows\system32\Wacom_Tablet.exe [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-9 138360]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2011/02/23 23:25:35;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2011-2-24 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-7 136176]
S2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-8-5 681528]
S2 HPHNDUSVC;HP Home Network Diagnostic Support Service;C:\Windows\system32\svchost.exe -k HPHNDUService [2009-7-13 20992]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-7 136176]
S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2011-11-18 00:04:15 -------- d-----w- C:\ProgramData\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-11-18 00:03:44 -------- d-----w- C:\Users\Lew and Kathy\AppData\Roaming\hpqLog
2011-11-14 01:24:03 -------- d-----w- C:\Windows\pss
2011-11-13 23:15:39 729720 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\srtsp64.sys
2011-11-13 23:15:39 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1302000.00A\symds64.sys
2011-11-13 23:15:39 401016 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\symnets.sys
2011-11-13 23:15:39 37496 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\srtspx64.sys
2011-11-13 23:15:39 189560 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\ironx64.sys
2011-11-13 23:15:39 167048 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\ccsetx64.sys
2011-11-13 23:15:39 1084024 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\symefa64.sys
2011-11-13 23:01:18 -------- d-----w- C:\Windows\System32\drivers\NISx64\1302000.00A
2011-11-13 06:09:05 -------- d-----w- C:\Users\Lew and Kathy\AppData\Roaming\Tific
2011-11-13 00:07:21 -------- d-----w- C:\Users\Lew and Kathy\AppData\Local\NPE
2011-11-12 23:43:04 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-11-12 23:42:38 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0401000.00F
2011-11-12 23:42:38 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2011-11-12 23:42:37 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2011-11-09 01:07:42 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 01:07:42 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 01:07:40 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 01:07:39 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-03 01:10:49 -------- d-----w- C:\Users\Lew and Kathy\AppData\Local\Akamai
2011-11-02 00:03:38 -------- d-----w- C:\Users\Lew and Kathy\.idlerc
2011-11-01 23:59:09 -------- d-----w- C:\Python27
.
==================== Find3M ====================
.
2011-11-17 23:28:57 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-13 16:11:32 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
.
============= FINISH: 18:12:36.77 ===============

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:19 PM

Posted 20 November 2011 - 08:07 AM

Hi,

It would seem that the driver is related to CyberLink and not a rootkit.

Please download SystemLook from jpshortstuff and save it to your Desktop
Link 1
Link 2
  • Double-click the SystemLook and copy/paste the following into the box
    :regfind
    rikvm
    C6F09094
    
  • Hit the Look button. Let it finish the scan, this may take a while.
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 LewofViriginia

Posted 22 November 2011 - 05:46 PM

Myrti,

Thank you for the assistance. Here are the results of the scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:43 on 22/11/2011 by Lew and Kathy
Administrator - Elevation successful

========== regfind ==========

Searching for "rikvm"
No data found.

Searching for "C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLKMDRV10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"Service"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"DeviceDesc"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000\Control]
"ActiveService"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CLKMSVC10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CLKMDRV10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"Service"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"DeviceDesc"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\CLKMSVC10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"Service"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"DeviceDesc"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000\Control]
"ActiveService"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CLKMSVC10_C6F09094]

-= EOF =-
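
As an added illustration (not part of the original thread, and not code from DDS, SystemLook or any other tool named in it), the triage step myrti performs by hand above, pivoting on the odd identifier suffix rather than on the reported file name, can be scripted against the two logs already posted: the DDS SERVICES / DRIVERS section earlier in the thread and the SystemLook regfind output in the post just above. The embedded excerpts are trimmed copies of those logs; the parsing rules are assumptions fitted to the line formats visible in them, not documented output specifications of either tool.

```python
import re

# Trimmed copy of the DDS "SERVICES / DRIVERS" section posted earlier in this thread.
DDS_SERVICES = r"""
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20111114.002\BHDrvx64.sys [2011-11-14 1156216]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2011/02/23 23:25:35;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2011-2-24 245232]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
"""

# Trimmed copy of the SystemLook regfind output posted above (CurrentControlSet hits only).
REGFIND_LOG = r"""
Searching for "rikvm"
No data found.

Searching for "C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"Service"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000]
"DeviceDesc"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLKMDRV10_C6F09094\0000\Control]
"ActiveService"="CLKMDRV10_C6F09094"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CLKMSVC10_C6F09094]
"""

# Assumed line shape: "<R|S><digit> <name>;<description>;<path> [<date size> | ?]".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")


def parse_dds_services(text):
    """Return one dict per service/driver line; has_file_info is False where DDS printed [?]."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        mm = META_RE.match(m.group("rest"))
        path, meta = (mm.group("path"), mm.group("meta")) if mm else (m.group("rest"), "")
        path = path.split("-->")[-1].strip()  # DDS prints "A --> B"; keep the resolved side
        entries.append({"start": m.group("start"), "name": m.group("name").strip(),
                        "desc": m.group("desc").strip(), "path": path,
                        "has_file_info": meta != "?"})
    return entries


def parse_regfind(text):
    """Map each search term to {registry key: {value name: data}}."""
    hits, term, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^Searching for "(.+)"$', line)
        if m:
            term, key = m.group(1), None
            hits[term] = {}
        elif term is not None and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hits[term].setdefault(key, {})
        elif term is not None and key and line.startswith('"'):
            vm = re.match(r'^"([^"]*)"="(.*)"$', line)
            if vm:
                hits[term][key][vm.group(1)] = vm.group(2)
    return hits


def pivot(token, services, regfind):
    """Correlate one suspicious token across the DDS service list and the regfind hits."""
    tl = token.lower()
    dds = [s["name"] for s in services if tl in s["name"].lower()]
    reg_services = set()
    for key, values in regfind.get(token, {}).items():
        if "\\services\\" in key.lower():          # a service key named after the token
            reg_services.add(key.rsplit("\\", 1)[-1])
        for vname, data in values.items():          # Enum\Root entries point at their service
            if vname in ("Service", "ActiveService"):
                reg_services.add(data)
    return {"token": token, "dds_services": dds,
            "registry_keys": len(regfind.get(token, {})),
            "registry_services": sorted(reg_services)}


if __name__ == "__main__":
    services = parse_dds_services(DDS_SERVICES)
    regfind = parse_regfind(REGFIND_LOG)
    for token in ("rikvm", "C6F09094"):
        print(pivot(token, services, regfind))
    print("entries DDS printed no file info for:",
          [s["name"] for s in services if not s["has_file_info"]])
```

The script reaches the same conclusion the thread does: "rikvm" matches nothing in either log, while "C6F09094" resolves through the Service and ActiveService values to CLKMDRV10_C6F09094 and to the CLKMSVC10_C6F09094 service key, which is the CyberLink service DDS lists. It also separates out the entries for which DDS printed "[?]" instead of a date and size; those are the drivers worth checking by hand (file present, signature, hash) before treating a "cannot find the file" result as meaningful.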

#8 myrti

Posted 22 November 2011 - 05:59 PM

Hi,

Yes, that definitely belongs to CyberLink (and you have the CyberLink suite installed on your PC).

This is a false positive from Norton.

regards myrti

#9 LewofViriginia

Posted 22 November 2011 - 08:35 PM

Thank you (with a sigh of relief)!!

#10 myrti

Posted 22 November 2011 - 08:49 PM

Hi,

you're welcome :)
Just to be safe, let's run a scan with ESET too:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

#11 LewofViriginia

Posted 23 November 2011 - 06:32 PM

Myrti,

Thanks for the advice. ESET found 5 threats, all associated with Win32/Adware.Toolbar.Dealio, see attached. While ESET was running, over 90 minutes, I did some searching on the web regarding this threat. From what I have read, this threat is accompanied by slow computer responses, which I don't suffer from. Secondly, when looking at other sites for manual removal, which I have not done, I was pointed to a number of folders, files and registry keys, which I could not find on my computer. I did find this entry in my Registry, a kwd set to win32/adware.toolbar.dealio. It was in HKEY_CURRENT_USER\Software\AppDataLow\Software\pdfforge\history\1322082089. Based on all this, could this be a false positive?

After running ESET, I ran a full MalwareBytes scan and a Spybot scan. Spybot found two Adware entries, W3i.IQ5.fraud, which infected two registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com and HKEY_LOCAL_MACHINE\SOFTWARE\W3i. (I ran Spybot after ESET and I removed the two infections that it found. If this causes problems with any potential ESET fixes, I can run ESET again.) MalwareBytes found nothing.

#12 myrti

Posted 23 November 2011 - 06:39 PM

Hi

This most likely is the pdfforge Toolbar v4.7; you should be able to uninstall it through Add/Remove Programs. These toolbars always have a shady past and sometimes dubious qualities, e.g. they are capable of (but that doesn't mean they necessarily do) collecting behavioural data on your PC. They often come bundled with freeware applications because the toolbar creator pays the author to bundle their toolbar with his product (and he has no other income from the application).

regards myrti

#13 myrti

Posted 03 December 2011 - 09:25 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
