infected with trojan.zeroaccess.b


This topic is locked
12 replies to this topic

#1 Garryholst (Members, 7 posts)

Posted 14 January 2012 - 03:01 AM

Tried Malwarebytes and aswMBR.exe. They both ID'd the virus but could not remove it.
The three error messages from aswMBR.exe that were in red are:

ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80106cd5c4]<<
\Driver\iaStor[0xfffffa800f2a3e70] -> IRP_MJ_CREATE -> 0xfffffa80106cd5c4
File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]

Running on a 64-bit Windows 7 Ultimate system.

DDS.txt log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by HPE-180 Truckee at 23:36:33 on 2012-01-13
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.18423.15094 [GMT -8:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Home Server\esClient.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iBryte\playbryte\iBryteDesktop.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe
C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~2\COMMON~1\X10\Common\X10nets.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\WUDFHost.exe
-netsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
BHO: PlayBryte BHO: {61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} - mscoree.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
TB: {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\HPE-180 Truckee\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Spotify] "C:\Users\HPE-180 Truckee\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
mRun: [iBryte playbryte Desktop] C:\Program Files (x86)\iBryte\playbryte\ibrytedesktop.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AMAZON~1.LNK - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROT~1.LNK - C:\Program Files (x86)\Microtek\ScanWizard 5\ScannerFinder.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{7CDB18A5-8B9B-4DD4-B8C9-09B9EFA1072A} : DhcpNameServer = 10.0.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: PlayBryte BHO: {61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} - mscoree.dll
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: StartNow Toolbar Helper: {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO-X64: StartNow Toolbar Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO-X64: WeCareReminder - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
TB-X64: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
TB-X64: {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
mRun-x64: [iBryte playbryte Desktop] C:\Program Files (x86)\iBryte\playbryte\ibrytedesktop.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
IE-X64: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-11-30 1157240]
R1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys --> C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120113.002\IDSviA64.sys [2012-1-13 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [?]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\system32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS --> C:\Windows\system32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/12/17 14:05:55];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-12-17 146928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 231280]
R2 esClient;Windows Media Center Client Service;C:\Program Files\Windows Home Server\esClient.exe [2011-1-10 109936]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPMSSConnectorSvc;HPMSSConnectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-26 20992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-17 13336]
R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-7-1 151552]
R2 MediaCollectorService;MediaCollectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-26 81920]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe [2011-10-11 126400]
R2 NovacomD;Palm Novacom;C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-3-15 71168]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
R2 WHSConnector;Windows Home Server Connector Service;C:\Program Files\Windows Home Server\WHSConnector.exe [2011-1-10 489840]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-9 138360]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys --> C:\Windows\system32\drivers\HCW85BDA.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-5 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-5 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);C:\Windows\system32\drivers\WsAudio_DeviceS(1).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(1).sys [?]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);C:\Windows\system32\drivers\WsAudio_DeviceS(2).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(2).sys [?]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);C:\Windows\system32\drivers\WsAudio_DeviceS(3).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(3).sys [?]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);C:\Windows\system32\drivers\WsAudio_DeviceS(4).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(4).sys [?]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);C:\Windows\system32\drivers\WsAudio_DeviceS(5).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(5).sys [?]
.
=============== Created Last 30 ================
.
2012-01-14 05:48:56 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Roaming\Malwarebytes
2012-01-14 05:48:50 -------- d-----w- C:\ProgramData\Malwarebytes
2012-01-14 05:48:49 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-01-14 05:48:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-14 05:40:37 -------- d-----w- C:\Windows\pss
2012-01-14 04:56:05 -------- d-----w- C:\Program Files (x86)\Ask.com
2012-01-14 04:45:13 -------- d-----w- C:\ProgramData\Ask
2012-01-14 04:35:36 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\NPE
2012-01-14 04:29:38 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{F92C0F63-EFBC-455C-9591-54F3AE840B9F}
2012-01-14 04:29:14 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{6E40361A-845E-48DF-B22C-626D32198E85}
2012-01-13 15:20:08 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{45A70ED7-85B4-457B-B0F9-F7994308CF03}
2012-01-13 03:12:06 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{37AD698B-F3F3-4A41-A22C-E27F8D31B048}
2012-01-13 03:11:56 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{665A6E15-9287-49E4-A19E-289767FE4192}
2012-01-12 13:52:43 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{BCE169B6-7B86-4C5E-A4FD-19834388DACA}
2012-01-12 13:52:03 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{965640AE-A13E-43BF-AB2E-2F40B3C44FDD}
2012-01-11 18:04:43 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{007AA9F4-B8E9-4604-827E-444D8972C416}
2012-01-11 17:53:14 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-11 17:53:14 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-01-11 17:53:14 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-01-11 17:53:14 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-01-11 17:53:14 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-01-11 17:53:14 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-01-11 17:53:14 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll
2012-01-11 17:53:14 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-01-11 06:04:19 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{85E43E79-4906-4032-8DD6-B973F85A2530}
2012-01-11 06:04:08 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{BC40884B-8F48-4181-A79B-7D291621F230}
2012-01-10 18:03:12 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{0584CF9B-FC01-45E6-B43A-A5F401022898}
2012-01-10 18:02:53 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{824F26E9-3EC6-4FE4-A159-BD3BD170DE15}
2012-01-10 03:06:25 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{C7E54874-8F3F-4E1E-861E-B275D1C80BD6}
2012-01-09 15:05:49 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{73636B84-5175-44E2-82CB-61F53E67DA93}
2012-01-09 15:05:38 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{35A9315D-046B-4187-BCD4-0D09CD40F6E0}
2012-01-08 23:26:28 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{DFB7551A-93D5-4799-BFBE-98BE83D1A7D4}
2012-01-08 23:26:17 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{2511BE97-DFEB-4B98-9C9B-71759BF4FB40}
2012-01-08 23:09:43 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{AEF97A4D-9ED6-42C3-9EDA-50AECC4509F5}
2012-01-08 05:18:45 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{485038EC-0775-48CE-B128-6059606FDD50}
2012-01-08 05:18:32 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{566485C3-E513-4B0B-9CEB-4C48BF013DDA}
2012-01-07 16:51:41 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{2CBC1E02-237D-4355-B95C-4D0D355BAE54}
2012-01-07 16:50:55 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{9F2A8126-44A6-45B4-A2EF-7A7E5ACC4954}
2012-01-07 16:47:15 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{DC2AA118-3088-4FDA-8CCB-1DA09D33D8DA}
2012-01-06 19:28:03 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{78A95425-9CA5-43A4-87D8-16B11DFA98D9}
2012-01-06 06:13:32 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{C74ECFBF-EB25-46D8-A8C3-B2760A020B3F}
2012-01-05 18:13:09 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{0108A3CC-D4F3-4007-8CEC-9301A1791602}
2012-01-05 03:45:47 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{D50F2B3F-CA9B-4574-BC2E-934252580CC5}
2012-01-05 03:45:35 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{AD0D1169-08C0-4D74-B759-B2125A8506EF}
2012-01-04 15:30:21 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{496FCABD-BBAD-4C75-B693-9699D9640C2A}
2012-01-04 03:29:24 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{D5E34C3D-360C-4FC6-842F-8ED9DFCC89FC}
2012-01-03 13:56:00 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Roaming\Tific
2012-01-03 13:55:28 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\Symantec
2012-01-03 13:54:04 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{218D39A2-E152-4FA8-9CE6-9C58CD98FE0A}
2012-01-03 13:53:50 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{4189D7AF-5303-4236-A8EA-444AE607E19A}
2012-01-03 04:47:28 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{BDFD91D3-2272-480A-A834-1903009F4CB3}
2012-01-03 04:47:17 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{582B2575-A4A8-417B-A42A-62FACCBAE750}
2012-01-02 15:43:34 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{235FFDB7-F549-48A5-9174-B2E189D97347}
2012-01-02 15:43:23 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{61DEEAEC-676C-41E6-B11C-2DF4B50B866D}
2012-01-02 03:41:28 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{D61577F8-8705-4E1E-95E7-46C78B627870}
2012-01-01 09:42:48 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{ADCA4FB1-C624-4A38-928A-09F137FEE06C}
2012-01-01 09:42:29 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{8C8A8825-4FDB-485D-B8A1-B6FEF7932C55}
2012-01-01 03:00:49 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{0784800C-695D-4F1E-8180-BC58BDF1156F}
2012-01-01 03:00:38 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{35004E5D-FAC5-4089-A368-3BAB19DC4D73}
2011-12-31 15:00:13 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{BA84E4BE-06E8-43EB-B5AD-6E59451819F1}
2011-12-30 20:44:23 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{D1A66F76-10A2-4FEC-BBBF-73793BB4CB40}
2011-12-30 08:43:59 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{849D28E3-7A83-445D-822F-D3EAE26B235D}
2011-12-29 20:43:35 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{44553C6F-9729-4F77-9A11-77A55770D2F8}
2011-12-29 03:56:14 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{2FD097F8-DCD7-4E68-B64A-A3C8DDE210F2}
2011-12-28 15:52:49 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{F0B5ACB8-EB4C-455A-9071-5EA072714433}
2011-12-28 15:52:38 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{3C55BF91-C4DB-4A8C-B99A-77C1CEBF9A82}
2011-12-28 03:51:29 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{B79B8F17-9BD0-4CF3-8DF8-EC4D60CAA5F3}
2011-12-28 03:50:52 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{85F03693-8A03-4572-A889-E35D4ABF3DD4}
2011-12-24 15:29:20 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{17CEB16D-5FF6-4DDB-8B6C-CAB7F7F959FA}
2011-12-24 15:29:09 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{9D4C01DE-8B17-460F-A0FA-AE04E5445E00}
2011-12-24 03:28:57 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{033DD5FC-6E3B-40D1-8F44-AF8BF447F33D}
2011-12-24 03:28:46 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{8A806817-7088-4E12-9B49-11B6C335D55B}
2011-12-23 15:28:34 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{48615F00-FEC9-4030-B622-4F3A5EEB4493}
2011-12-23 15:28:23 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{84C09A18-C36E-4AF4-B9FC-9CC777BF4396}
2011-12-23 03:28:11 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{0FC5D683-6C5A-4267-88FF-4BBF2F320FBD}
2011-12-23 00:15:32 -------- d-----w- C:\Program Files (x86)\CDex
2011-12-23 00:04:14 29288 ----a-w- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys
2011-12-23 00:02:59 29288 ----a-w- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys
2011-12-23 00:02:34 29288 ----a-w- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys
2011-12-23 00:02:06 29288 ----a-w- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys
2011-12-23 00:01:40 29288 ----a-w- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys
2011-12-23 00:01:36 892928 ----a-w- C:\Windows\SysWow64\iconv.dll
2011-12-23 00:01:36 675840 ----a-w- C:\Windows\SysWow64\ac3filter.ax
2011-12-23 00:01:36 496640 ----a-w- C:\Windows\SysWow64\xvid.ax
2011-12-23 00:01:35 -------- d-----w- C:\Program Files (x86)\Aimersoft
2011-12-22 15:27:47 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{239AABA6-B73D-4EC1-9B5F-06871C715AD0}
2011-12-22 03:27:08 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{8FEFFC9B-8E15-400F-BE68-6883AA0842EB}
2011-12-22 03:26:51 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{54095B9F-C758-46E9-B485-07EA2FFB4D22}
2011-12-22 03:23:59 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{D2E340F4-FCF4-4FCC-9FE1-949EE0F39AE3}
2011-12-22 03:23:30 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{536CA764-181B-4292-8BEC-311BDEAEED90}
2011-12-21 14:02:32 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{9D879804-03AD-4D2D-96D0-1BB1D2C1794B}
2011-12-21 02:01:52 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{4DF1B62A-D9F0-46DE-AEA5-C43D8E8242D0}
2011-12-21 02:01:34 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{9A3E919C-182D-48E8-B3E7-9701DE13DEDA}
2011-12-21 01:58:13 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{7FCABD6D-596C-49B9-AA37-AEA42DAFFB71}
2011-12-21 01:57:58 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{5B994EE0-A9F0-4ECA-B8E7-FC500CA891E6}
2011-12-21 01:53:57 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{80B5321E-1B9E-4B86-8733-09C6CEA17C63}
2011-12-21 01:53:04 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{B03D7AC6-7569-47ED-801C-BBDC421F379A}
2011-12-20 12:16:30 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-12-20 10:40:42 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{99913370-8F98-482D-BBB4-68070EC52B90}
2011-12-20 10:40:16 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{874C8208-05FD-4D12-8156-54E022DEAB12}
2011-12-20 10:35:01 20480 ----a-w- C:\Windows\svchost.exe
2011-12-16 08:56:54 -------- d-----w- C:\Windows\Hewlett-Packard
2011-12-15 18:49:26 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{171D19A0-2A84-4CB3-BC12-A4CEE3BFB246}
2011-12-15 18:49:15 -------- d-----w- C:\Users\HPE-180 Truckee\AppData\Local\{99D71D17-D69B-40D6-915F-F8B2609332D0}
.
==================== Find3M ====================
.
2012-01-03 13:54:32 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-10 13:54:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 23:37:18.62 ===============

#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:09:22 AM

Posted 14 January 2012 - 07:52 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Garryholst
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:22 AM

Posted 15 January 2012 - 07:02 PM

Thanks for the help!

Ran the Combofix program and the log is below:
ComboFix 12-01-15.01 - HPE-180 Truckee 01/15/2012 15:01:46.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.18423.15880 [GMT -8:00]
Running from: c:\users\HPE-180 Truckee\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
c:\program files (x86)\StartNow Toolbar\Resources\protect\index.html
c:\program files (x86)\StartNow Toolbar\Resources\protect\NotIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\OnlyIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
c:\program files (x86)\StartNow Toolbar\Resources\protect\window.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\window.js
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\index.html
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\LeftImage.png
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\NotIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\window.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\window.js
c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
c:\program files (x86)\StartNow Toolbar\Resources\update.xml
c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\ToOLbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\uninstall.dat
c:\users\HPE-180 Truckee\AppData\Roaming\.#
c:\users\HPE-180 Truckee\Documents\~WRL0005.tmp
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\security\Database\tmp.edb
c:\windows\svchost.exe
c:\windows\system32\result.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 23:06 . 2012-01-15 23:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-14 05:48 . 2012-01-14 05:48 -------- d-----w- c:\users\HPE-180 Truckee\AppData\Roaming\Malwarebytes
2012-01-14 05:48 . 2012-01-14 05:48 -------- d-----w- c:\programdata\Malwarebytes
2012-01-14 05:48 . 2012-01-14 08:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-14 04:56 . 2012-01-14 08:19 -------- d-----w- c:\program files (x86)\Ask.com
2012-01-14 04:45 . 2012-01-14 04:45 -------- d-----w- c:\programdata\Ask
2012-01-14 04:35 . 2012-01-14 04:43 -------- d-----w- c:\users\HPE-180 Truckee\AppData\Local\NPE
2012-01-11 17:53 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 17:53 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-11 17:53 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 17:53 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 17:53 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 17:53 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 17:53 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 17:53 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-03 13:56 . 2012-01-03 13:56 -------- d-----w- c:\users\HPE-180 Truckee\AppData\Roaming\Tific
2012-01-03 13:55 . 2012-01-03 13:55 -------- d-----w- c:\users\HPE-180 Truckee\AppData\Local\Symantec
2012-01-03 13:54 . 2012-01-03 13:54 -------- d-----w- c:\windows\system32\Macromed
2011-12-23 00:15 . 2011-12-23 00:20 -------- d-----w- c:\program files (x86)\CDex
2011-12-23 00:04 . 2010-12-24 23:27 29288 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2011-12-23 00:02 . 2010-12-24 23:27 29288 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2011-12-23 00:02 . 2010-12-24 23:27 29288 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2011-12-23 00:02 . 2010-12-24 23:27 29288 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2011-12-23 00:01 . 2010-12-24 23:27 29288 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2011-12-23 00:01 . 2010-12-24 23:27 892928 ----a-w- c:\windows\SysWow64\iconv.dll
2011-12-23 00:01 . 2010-12-24 23:27 675840 ----a-w- c:\windows\SysWow64\ac3filter.ax
2011-12-23 00:01 . 2010-12-24 23:27 496640 ----a-w- c:\windows\SysWow64\xvid.ax
2011-12-23 00:01 . 2011-12-23 00:12 -------- d-----w- c:\program files (x86)\Aimersoft
2011-12-20 12:16 . 2011-12-20 12:16 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-12-20 10:35 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 13:54 . 2011-05-22 04:50 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-14 03:53 . 2009-12-26 03:11 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-04 03:55 . 2009-12-24 02:39 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-24 04:52 . 2011-12-14 19:28 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 13:54 . 2011-09-24 20:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-11-05 05:32 . 2011-12-14 19:28 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:26 . 2011-12-14 19:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-04 01:53 . 2011-12-15 11:01 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-11-04 01:44 . 2011-12-15 11:01 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 01:44 . 2011-12-15 11:01 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 01:34 . 2011-12-15 11:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-03 22:47 . 2011-12-15 11:01 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-11-03 22:40 . 2011-12-15 11:01 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-11-03 22:39 . 2011-12-15 11:01 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-03 22:31 . 2011-12-15 11:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-26 05:21 . 2011-12-14 19:28 43520 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}]
2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-11 98304]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"iBryte playbryte Desktop"="c:\program files (x86)\iBryte\playbryte\ibrytedesktop.exe" [2011-08-22 167936]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
Microtek Scanner Finder.lnk - c:\program files (x86)\Microtek\ScanWizard 5\ScannerFinder.exe [2011-9-26 344064]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-9-24 666992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\L:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 231280]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [x]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [x]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [x]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [x]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-12-01 1157240]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120113.002\IDSvia64.sys [2011-08-23 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [x]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/12/17 14:05];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 109936]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-29 94264]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-26 20992]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-07-01 151552]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-26 81920]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [2011-08-04 126400]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 489840]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-09 138360]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 00:30]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 00:30]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-580186474-3822886051-1101551932-1003Core.job
- c:\users\HPE-180 Truckee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-26 15:49]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-580186474-3822886051-1101551932-1003UA.job
- c:\users\HPE-180 Truckee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-26 15:49]
.
2012-01-15 c:\windows\Tasks\HPCeeScheduleForHPE-180 Truckee.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
2011-11-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-06-01 660360]
"combofix"="c:\combofix\CF17917.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{b278d9f8-0fa9-465e-9938-0c392605d8e3} - (no file)
Wow6432Node-HKCU-Run-Spotify - c:\users\HPE-180 Truckee\AppData\Roaming\Spotify\Spotify.exe
Wow6432Node-HKLM-Run-StartNowToolbarHelper - c:\program files (x86)\StartNow Toolbar\ToolbarHelper.exe
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
AddRemove-HP webOS® Doctor™ Build 109-108 webOS 2.1.0 - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\progra~2\COMMON~1\X10\Common\X10nets.exe
c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-01-15 15:18:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 23:18
.
Pre-Run: 784,104,910,848 bytes free
Post-Run: 784,207,982,592 bytes free
.
- - End Of File - - C9B86F999A3CC38A3EF6EB14C2ECAEE8



#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:09:22 AM

Posted 15 January 2012 - 09:09 PM

Garryholst:

Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found, you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found, just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
Please include the following in your next post:
  • MBAM log
  • MBRCheck log



#5 Garryholst
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:22 AM

Posted 16 January 2012 - 06:31 PM

Malwarebytes log:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.16.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
HPE-180 Truckee :: HPE-180TRUCKEE [administrator]

1/16/2012 11:34:09 AM
mbam-log-2012-01-16 (11-34-09).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 385180
Time elapsed: 43 minute(s), 37 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 8700 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

MBRCheck_01.16.12_15.24.49.txt:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: AZ222AV-ABA HPE-180t
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 165):
0x02E1E000 \SystemRoot\system32\ntoskrnl.exe
0x03407000 \SystemRoot\system32\hal.dll
0x00BC4000 \SystemRoot\system32\kdcom.dll
0x00CAE000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CFD000 \SystemRoot\system32\PSHED.dll
0x00D11000 \SystemRoot\system32\CLFS.SYS
0x00EAB000 \SystemRoot\system32\CI.dll
0x00E00000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F6B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F7A000 \SystemRoot\system32\drivers\ACPI.sys
0x00FD1000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00FDA000 \SystemRoot\system32\drivers\msisadrv.sys
0x00D6F000 \SystemRoot\system32\drivers\pci.sys
0x00FE4000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00DA2000 \SystemRoot\System32\drivers\partmgr.sys
0x00DB7000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00C5C000 \SystemRoot\system32\DRIVERS\jraid.sys
0x00C7D000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x00DCC000 \SystemRoot\System32\drivers\mountmgr.sys
0x01096000 \SystemRoot\system32\drivers\vmbus.sys
0x010D2000 \SystemRoot\system32\drivers\winhv.sys
0x012D5000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x013F1000 \SystemRoot\system32\drivers\amdxata.sys
0x01200000 \SystemRoot\system32\drivers\fltmgr.sys
0x0124C000 \SystemRoot\system32\drivers\fileinfo.sys
0x01260000 \SystemRoot\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS
0x010E6000 \SystemRoot\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS
0x0141D000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01121000 \SystemRoot\System32\Drivers\msrpc.sys
0x015C0000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0117F000 \SystemRoot\System32\Drivers\cng.sys
0x015DB000 \SystemRoot\System32\drivers\pcw.sys
0x015EC000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x016E5000 \SystemRoot\system32\drivers\ndis.sys
0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01863000 \SystemRoot\System32\drivers\tcpip.sys
0x01A67000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01AB1000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01AC1000 \SystemRoot\system32\drivers\volsnap.sys
0x01B0D000 \SystemRoot\System32\Drivers\spldr.sys
0x01B15000 \SystemRoot\system32\drivers\sbp2port.sys
0x01B32000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B6C000 \SystemRoot\System32\Drivers\mup.sys
0x01B7E000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B87000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01BC1000 \SystemRoot\system32\DRIVERS\disk.sys
0x01800000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x03F5E000 \SystemRoot\system32\drivers\cdrom.sys
0x03F88000 \SystemRoot\System32\Drivers\Null.SYS
0x03F91000 \SystemRoot\System32\Drivers\Beep.SYS
0x03F98000 \SystemRoot\System32\drivers\vga.sys
0x03FA6000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03FCB000 \SystemRoot\System32\drivers\watchdog.sys
0x03FDB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03FE4000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03FED000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03E00000 \SystemRoot\System32\Drivers\Msfs.SYS
0x03E0B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x0183E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03E1C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x01000000 \SystemRoot\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS
0x0168B000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x0461A000 \SystemRoot\system32\drivers\afd.sys
0x046A3000 \SystemRoot\System32\DRIVERS\netbt.sys
0x046E8000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x046F3000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x046FC000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04722000 \SystemRoot\system32\DRIVERS\netbios.sys
0x04731000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x0474C000 \SystemRoot\system32\drivers\termdd.sys
0x04760000 \SystemRoot\system32\drivers\NISx64\1109000.00C\Ironx64.SYS
0x04787000 \SystemRoot\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS
0x0479B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x047EC000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04600000 \SystemRoot\system32\drivers\mssmbios.sys
0x04AF3000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120113.002\IDSvia64.sys
0x04B70000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x04A00000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x04A26000 \SystemRoot\System32\drivers\discache.sys
0x04A35000 \SystemRoot\system32\drivers\csc.sys
0x04AB8000 \SystemRoot\System32\Drivers\dfsc.sys
0x02E8B000 \SystemRoot\system32\drivers\NISx64\1109000.00C\ccHPx64.sys
0x02F22000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04C95000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20111223.001\BHDrvx64.sys
0x04DB4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04DDA000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x05054000 \SystemRoot\system32\drivers\HCW85BDA.sys
0x051F6000 \SystemRoot\system32\drivers\BdaSup.SYS
0x05000000 \SystemRoot\system32\drivers\ks.sys
0x05043000 \SystemRoot\system32\drivers\ksthunk.sys
0x04C00000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x05806000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x052BC000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x053B0000 \SystemRoot\System32\drivers\dxgmms1.sys
0x05200000 \SystemRoot\system32\drivers\HDAudBus.sys
0x05224000 \SystemRoot\system32\DRIVERS\e1y62x64.sys
0x0526D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x02F33000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0527A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x05FC1000 \SystemRoot\system32\drivers\1394ohci.sys
0x0528B000 \SystemRoot\system32\drivers\CompositeBus.sys
0x0529B000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04C4A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04C6E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x02F89000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04C7A000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x02FB8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x02FD9000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x052B1000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x04DF0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x02E00000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x053F6000 \SystemRoot\system32\drivers\swenum.sys
0x02E0F000 \SystemRoot\system32\DRIVERS\circlass.sys
0x02E21000 \SystemRoot\system32\DRIVERS\umbus.sys
0x06821000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0687B000 \SystemRoot\system32\drivers\hcw85cir3.sys
0x0688A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0689F000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x068C1000 \SystemRoot\system32\drivers\portcls.sys
0x068FE000 \SystemRoot\system32\drivers\drmk.sys
0x078A5000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x07B02000 \SystemRoot\system32\DRIVERS\hidir.sys
0x07B13000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x07B2C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x07B35000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x07B43000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x07B50000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03E29000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x07B5E000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x07B71000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x07B7F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x000E0000 \SystemRoot\System32\win32k.sys
0x07B81000 \SystemRoot\System32\drivers\Dxapi.sys
0x07B8D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x07BA8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x07BC5000 \SystemRoot\system32\DRIVERS\monitor.sys
0x004B0000 \SystemRoot\System32\TSDDD.dll
0x00600000 \SystemRoot\System32\cdd.dll
0x00950000 \SystemRoot\System32\ATMFD.DLL
0x07BD3000 \SystemRoot\system32\drivers\luafv.sys
0x07800000 \SystemRoot\system32\drivers\WudfPf.sys
0x07821000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x07836000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x06920000 \SystemRoot\system32\drivers\HTTP.sys
0x0784E000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0787F000 \SystemRoot\system32\DRIVERS\bowser.sys
0x02E33000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x04863000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x048B1000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x048D5000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0493E000 \SystemRoot\System32\DRIVERS\srv.sys
0x08EEA000 \SystemRoot\system32\drivers\peauth.sys
0x08F90000 \SystemRoot\System32\Drivers\secdrv.SYS
0x08F9B000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08FAD000 \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl
0x08E00000 \SystemRoot\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS
0x0A006000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20120116.002\EX64.SYS
0x08E86000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20120116.002\ENG64.SYS
0x08EA6000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x0A1FE000 \SystemRoot\system32\drivers\MSPQM.sys
0x77860000 \Windows\System32\ntdll.dll
0x47980000 \Windows\System32\smss.exe
0xFFB80000 \Windows\System32\apisetschema.dll

Processes (total 86):
0 System Idle Process
4 System
384 C:\Windows\System32\smss.exe
604 csrss.exe
668 C:\Windows\System32\wininit.exe
684 csrss.exe
752 C:\Windows\System32\services.exe
764 C:\Windows\System32\lsass.exe
772 C:\Windows\System32\lsm.exe
944 C:\Windows\System32\svchost.exe
972 C:\Windows\System32\winlogon.exe
540 C:\Windows\System32\svchost.exe
812 C:\Windows\System32\atiesrxx.exe
728 C:\Windows\System32\svchost.exe
528 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\svchost.exe
1236 C:\Windows\System32\svchost.exe
1356 C:\Windows\System32\svchost.exe
1384 C:\Windows\System32\atieclxx.exe
1568 C:\Windows\System32\spoolsv.exe
1624 C:\Windows\System32\svchost.exe
1920 C:\Windows\System32\taskhost.exe
1532 C:\Windows\System32\dwm.exe
1856 C:\Windows\explorer.exe
1036 C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
2192 C:\Program Files\Windows Home Server\esClient.exe
2288 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
2392 C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
2464 C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
2540 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
2588 C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
2636 C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe
2748 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
2796 C:\Windows\WindowsMobile\wmdcBase.exe
2816 C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe
2824 C:\Program Files\Windows Sidebar\sidebar.exe
2872 C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
2884 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2916 C:\Program Files (x86)\Microtek\ScanWizard 5\ScannerFinder.exe
2928 C:\Program Files\Windows Home Server\WHSTrayApp.exe
2212 C:\Windows\System32\svchost.exe
1632 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
2332 C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
2596 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
2936 C:\Program Files (x86)\iBryte\playbryte\iBryteDesktop.exe
2996 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
1540 C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
3144 C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
3356 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
3500 C:\Windows\System32\svchost.exe
3576 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
3836 C:\PROGRA~2\COMMON~1\X10\Common\X10nets.exe
3888 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3968 C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
3984 WmiPrvSE.exe
1672 C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe
3124 C:\Program Files\Windows Home Server\WHSConnector.exe
4376 C:\Program Files\Windows Media Player\wmpnetwk.exe
4468 C:\Windows\System32\svchost.exe
4716 C:\Windows\System32\SearchIndexer.exe
4852 C:\Windows\System32\svchost.exe
5092 WUDFHost.exe
2148 C:\Windows\svchost.exe
2280 C:\Windows\System32\conhost.exe
4812 C:\Windows\System32\taskeng.exe
4784 C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
5588 C:\Windows\System32\svchost.exe
5160 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
5768 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3572 C:\Windows\ehome\ehrecvr.exe
5532 C:\Windows\ehome\ehmsas.exe
4696 C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
1508 C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
6676 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
7080 C:\Program Files (x86)\Internet Explorer\iexplore.exe
7120 C:\Program Files (x86)\Internet Explorer\iexplore.exe
6316 C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
3612 C:\Windows\servicing\TrustedInstaller.exe
6184 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
6208 C:\Windows\SysWOW64\notepad.exe
7624 C:\Program Files (x86)\Internet Explorer\iexplore.exe
8280 C:\Windows\System32\SearchProtocolHost.exe
8584 C:\Windows\System32\SearchFilterHost.exe
2380 C:\Users\HPE-180 Truckee\Desktop\MBRCheck.exe
416 C:\Windows\System32\conhost.exe
2868 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x000000e6`14a00000 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHDT721010SLA360, Rev: ST6OA39D
PhysicalDrive1 Model Number: HitachiHDT721010SLA360, Rev: ST6OA39D

Size     Device Name           MBR Status
--------------------------------------------
931 GB   \\.\PhysicalDrive0    MBR Code Faked!
         SHA1: BA75403ED90B1FB7D0AE7D4273F06FF7BF510E86
931 GB   \\.\PhysicalDrive1    Windows 98 MBR code detected
         SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
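A detection check over the MBRCheck process listing above, added here as an example and not part of the original thread or of MBRCheck itself: it flags core Windows binaries that run from a directory other than the one they are installed in, which is exactly how the C:\Windows\svchost.exe entry that Malwarebytes reported stands out from the System32 copies. The expected-directory table is an assumption for a 64-bit Windows 7 install; the sample lines are copied from the log.

```python
import re

# Where these Windows core binaries legitimately live on 64-bit Windows 7
# (assumption for this example; lowercase because NTFS paths are case-insensitive).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# MBRCheck "Processes" lines look like "<pid> <full path or bare image name>"
LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_processes(text):
    """Return (pid, image) pairs from an MBRCheck process listing."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(2)))
    return procs


def find_misplaced(procs):
    """Flag core binaries whose directory is not an expected location.

    Entries with no directory at all (e.g. "604 csrss.exe", which MBRCheck
    prints for processes it could not open) are skipped: with no path there
    is nothing to judge, and those are normal for protected processes.
    """
    hits = []
    for pid, image in procs:
        if "\\" not in image:
            continue
        directory, _, name = image.rpartition("\\")
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is not None and directory.lower() not in expected:
            hits.append((pid, image))
    return hits


# Constructed sample: a handful of lines taken from the MBRCheck output above.
SAMPLE = r"""
384 C:\Windows\System32\smss.exe
604 csrss.exe
944 C:\Windows\System32\svchost.exe
1856 C:\Windows\explorer.exe
2148 C:\Windows\svchost.exe
3984 WmiPrvSE.exe
6208 C:\Windows\SysWOW64\notepad.exe
"""

if __name__ == "__main__":
    for pid, image in find_misplaced(parse_processes(SAMPLE)):
        print(f"PID {pid}: {image} runs outside its expected directory")
```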

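The "MBR Code Faked!" verdict above comes from MBRCheck fingerprinting the boot code of sector 0. As an added example, and not MBRCheck's own code, the parser below hashes the 440-byte boot code, checks the 0x55AA boot signature and cross-checks the partition starts against the volume offsets MBRCheck printed for C: and D:. The sector and its boot code are constructed (no real Windows 7 boot code or hash is used); the baseline hash is whatever a trusted copy of the sector yields, and the sector counts are made-up values.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # bytes 0..439: boot code, the part MBRCheck fingerprints
PART_TABLE_OFF = 446    # four 16-byte partition entries after the disk signature
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Parse a 512-byte MBR: boot-code SHA-1, signature check, partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count, "offset": lba * SECTOR})
    return {"bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
            "valid_signature": sector[510:] == BOOT_SIG,
            "partitions": partitions}


def check_mbr(sector, known_good_sha1, volume_offsets):
    """Return findings: bad signature, boot code differing from a trusted baseline,
    or an OS-reported volume offset that no partition entry starts at."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha1"] != known_good_sha1.upper():
        findings.append("boot code SHA-1 %s differs from baseline" % info["bootcode_sha1"])
    starts = {p["offset"] for p in info["partitions"]}
    for letter, offset in volume_offsets.items():
        if offset not in starts:
            findings.append("%s at offset 0x%x has no partition entry" % (letter, offset))
    return findings


def build_sample_mbr(bootcode):
    """Constructed sample sector (not a real disk image): two NTFS partitions whose
    starts match the C: and D: offsets MBRCheck printed in the log above."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 0x32800, 0x73072800)      # C:, bootable
    table += struct.pack("<B3xB3xII", 0x00, 0x07, 0x730A5000, 0x016622B0)  # D:
    table += bytes(32)                                                       # two unused slots
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + bytes(6) + table + BOOT_SIG


# Offsets exactly as MBRCheck reported them for this machine.
REPORTED = {"C:": 0x06500000, "D:": 0xe614a00000}
# Placeholder boot code; on a real system it is read from sector 0 of the disk.
SAMPLE_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20

if __name__ == "__main__":
    sec = build_sample_mbr(SAMPLE_BOOTCODE)
    baseline = parse_mbr(sec)["bootcode_sha1"]
    print("clean sector:", check_mbr(sec, baseline, REPORTED))
    print("patched sector:", check_mbr(b"\xeb" + sec[1:], baseline, REPORTED))
```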
#6 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 16 January 2012 - 10:33 PM

Garryholst:

Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • TDSSKiller log



#7 Garryholst
  • Topic Starter
  • Members
  • 7 posts

Posted 16 January 2012 - 10:51 PM

Here is the TDSSKiller Log. Thanks for sticking with it!


#8 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 16 January 2012 - 11:14 PM

Garryholst:

How is your computer running now? Please do this next:

Please go to here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#9 Garryholst
  • Topic Starter
  • Members
  • 7 posts

Posted 17 January 2012 - 02:38 AM

Cannot tell how it is running. Am not doing much with it other than a few emails. Using another computer.

Eset log file attached.

Thanks,


#10 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 17 January 2012 - 05:31 PM

Garryholst:

Please do this, then use the computer normally and let me know how it's running:

Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above ClearJavaCache::

ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Please include the following in your next post:
  • ComboFix log
  • How is the computer running now?



#11 Garryholst
  • Topic Starter
  • Members
  • 7 posts

Posted 20 January 2012 - 12:40 PM

I have been running for a couple of days now and everything seems to be working well. I ran a full scan with Norton and then again with Malwarebytes, both in safe mode, and they both came up clean.
Thanks very much for your help! It is (or seems to me to be) amazingly complex and it is too bad these guys cannot be caught and charged.

Appreciate your help soooooo much,

Garry

#12 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 20 January 2012 - 02:56 PM

You're welcome Garry. Take care.



#13 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 21 January 2012 - 10:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
