
Win 7 x86 Won't boot past Bios


This topic is locked
22 replies to this topic

#1 mwbrightwell
  • Members
  • 11 posts

Posted 24 April 2013 - 05:11 PM

Good afternoon,

 

This morning, after having run my weekly virus scan and such last night, my laptop refused to boot past the BIOS. All I get is a black screen with a white "_" flashing in the top left corner. I'm fairly competent with computers; however, this one is well beyond me. My gaming rig is still unfazed, so I do have a second healthy computer within arm's reach of the sickly one. I have already attempted running the Windows 7 system restore disc; however, it was unable to repair the boot issue. In looking over other topics similar to mine, I have already created an xPud bootable USB. Any help on this matter would be greatly appreciated.

 

Marcus





#2 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 25 April 2013 - 08:58 PM

"after having run my weekly virus scan and such last night my laptop refused to boot"

What programs did you run, and what was deleted (if you noticed)?

Please try a System Restore from the recovery environment.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

(If the Recovery Environment is not pre-installed, you will need your installation disc to access the RE.)

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select System Restore > hit Next.
Choose the restore point from before this occurred > Next.
The machine should start the restore; when finished, reboot normally.

Let me know if that helps.

 
 
If not, please run the following:

Download the appropriate version of the Farbar Recovery Scan Tool for your system and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu, select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window, type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mwbrightwell
  • Topic Starter
  • Members
  • 11 posts

Posted 25 April 2013 - 09:45 PM

Hello CatByte!!! Thank you very much for your help.

I'm not sure what was deleted. I ran Symantec and Kaspersky. Running a system restore yields no OSes in the OS selection portion of the system recovery tool. I am currently getting to the recovery tool through boot selection in the BIOS off of a bootable USB, as my HD DVD drive has been dead for some time. The log begins:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-04-2013
Ran by SYSTEM on 25-04-2013 21:36:27
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-18] (Apple Inc.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: []  [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [System] 
HKU\Marcus\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Marcus\...\Policies\system: [LogonHoursAction] 2
HKU\Marcus\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
 
========================== Services (Whitelisted) =================
 
S2 HPSLPSVC; C:\Users\Marcus\AppData\Local\Temp\7zS5A9E\hpslpsvc32.dll [701288 2012-11-14] (Hewlett-Packard Co.)
S2 N360; C:\Program Files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll [535416 2012-10-11] (Symantec Corporation)
S2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2010-06-30] ()
S2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [218464 2010-07-26] ()
S2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-03-19] (Skype Technologies S.A.)
 
==================== Drivers (Whitelisted) ====================
 
S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [1000024 2013-04-12] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1402000.013\ccSetx86.sys [134304 2012-10-03] (Symantec Corporation)
S0 CplIR; C:\Windows\System32\DRIVERS\CplIR.SYS [14848 2007-03-06] (COMPAL ELECTRONIC INC.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130419.001\IDSvix86.sys [386720 2013-02-22] (Symantec Corporation)
S3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [40720 2009-06-17] (Logitech, Inc.)
S3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10384 2009-06-17] (Logitech, Inc.)
S3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [37392 2009-06-17] (Logitech, Inc.)
S0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [25896 2008-05-07] (COMPAL ELECTRONIC INC.)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130421.007\NAVENG.SYS [93296 2013-02-23] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130421.007\NAVEX15.SYS [1603824 2013-02-23] (Symantec Corporation)
S1 SRTSP; C:\Windows\System32\Drivers\N360\1402000.013\SRTSP.SYS [586400 2012-10-08] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1402000.013\SRTSPX.SYS [32888 2012-05-24] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360\1402000.013\SYMDS.SYS [368288 2012-10-03] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360\1402000.013\SYMEFA.SYS [927904 2012-10-03] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-02-14] (Symantec Corporation)
S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [36512 2012-08-08] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1402000.013\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\N360\1402000.013\SYMNETS.SYS [338592 2012-07-22] (Symantec Corporation)
S3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2009-04-10] (Chicony Electronics Co., Ltd.)
S3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [60160 2009-08-13] (Microsoft Corporation)
S3 cpuz132; \??\C:\Users\Marcus\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [x]
S3 EagleNT; \??\C:\Users\Marcus\AppData\Local\Temp\EagleNT.sys [x]
S3 EraserUtilDrv11110; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [x]
S3 Tosrfcom; No ImagePath
 
========================== Drivers MD5 =======================
 
C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 9EBBBA55060F786F0FCAA3893BFA2806
C:\Windows\System32\DRIVERS\AGRSM.sys 7E10E3BB9B258AD8A9300F91214D67B9
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D320BF87125326F996D4904FE24300FC
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 46387FB17B086D16DEA267D5BE23A2F2
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys 89BF5550E4FC31E3FE728E68C558BF10
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bridge.sys 77361D72A04F18809D0EFB6CCEB74D4B
C:\Windows\System32\DRIVERS\bridge.sys 77361D72A04F18809D0EFB6CCEB74D4B
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\system32\drivers\N360\1402000.013\ccSetx86.sys 1277AD8F053CC60C17CAFAB411F3CF40
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys 42F158036BD4C2FF3122BF142E60E6FD
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CplIR.SYS C3156B712E3873AAD354F1696B2B2925
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Dot4.sys B5E479EB83707DD698F66953E922042C
C:\Windows\System32\DRIVERS\Dot4Prt.sys CAEFD09B6A6249C53A67D55A9A9FCABF
C:\Windows\System32\DRIVERS\dot4usb.sys CF491FF38D62143203C065260567E2F7
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\evbdx.sys ==> MD5 is legit
C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 85B8B4032A895A746D46A288A9B30DED
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys B5A8A04A6E5B4E86B95B1553AA918F5F
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 7DAE5EBCC80E45D3253F4923DC424D05
C:\Windows\System32\DRIVERS\fvevol.sys E306A24D9694C724FA2491278BF50FDB
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\GEARAspiWDM.sys 185ADA973B5020655CEE342059A86CBB
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HdAudio.sys A5EF29D5315111C80A5C1ABAD14C8972
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys 5CD5F9A5444E6CDCB0AC89BD62D8B76E
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130419.001\IDSvix86.sys 404FB2AAF532BC7BBACC8880BE401C74
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHDA.sys E4A2E810CB2607C9C159C0DFB0BD4C88
C:\Windows\System32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys B7895B4182C0D16F6EFADEB8081E8D36
C:\Windows\System32\Drivers\ksecpkg.sys 5FE1ABF1AF591A3458C9CF24ED9A4D35
C:\Windows\System32\Drivers\LEqdUsb.Sys 70035567754BED4E6AD353CA3F175127
C:\Windows\System32\Drivers\LHidEqd.Sys 32491B6BAE0AFAD1D7A62C0EF0AF4321
C:\Windows\System32\DRIVERS\LHidFilt.Sys 7F9C7B28CF1C859E1C42619EEA946DC8
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\LMouFilt.Sys AB33792A87285344F43B5CE23421BAB0
C:\Windows\System32\DRIVERS\LPCFilter.sys 31F74D5D47EEA83E5E89447586917774
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys 5D16C921E3671636C0EBA3BBAAC5FD25
C:\Windows\System32\DRIVERS\mrxsmb10.sys 6D17A4791ACA19328C685D256349FEFC
C:\Windows\System32\DRIVERS\mrxsmb20.sys B81F204D146000BE76651A50670A5E9E
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130421.007\NAVENG.SYS 7D7A3BC6640C1A0D1442816B30856928
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130421.007\NAVEX15.SYS 28494C43D62AA7584BDCA2FADFBC4D11
C:\Windows\System32\drivers\ndis.sys 8C9C922D71F1CD4DEF73F186416B7896
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netw5v32.sys 58218EC6B61B1169CF54AAB0D00F5FE2
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys 0D87503986BB3DFED58E343FE39DDE13
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nvlddmkm.sys D3F22DA8F670EFD15D348B5952769CEF
C:\Windows\system32\drivers\nvraid.sys B3E25EE28883877076E0E1FF877D02E0
C:\Windows\system32\drivers\nvstor.sys 4380E59A170D88C4F1022EFF6719A8A4
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys 3F34A1B4C5F6475F320C275E63AFCE9B
C:\Windows\system32\DRIVERS\parvdm.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpvideominiport.sys 65375DF758CA1872AB7EBBBA457FD5E6
C:\Windows\System32\Drivers\RDPWD.sys F031683E6D1FEA157ABB2FF260B51E61
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt86win7.sys 26A9D6227D12B9D9DA5A81BB9B55D810
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\system32\drivers\sdbus.sys 0328BE1C7F1CBA23848179F8762E391C
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\Drivers\N360\1402000.013\SRTSP.SYS 26C1B59C80FEF94B025DF5C3C1B791A7
C:\Windows\system32\drivers\N360\1402000.013\SRTSPX.SYS 21AC3AE81E8263061624C4ED3B11509A
C:\Windows\System32\DRIVERS\srv.sys E4C2764065D66EA1D2D3EBC28FE99C46
C:\Windows\System32\DRIVERS\srv2.sys 03F0545BD8D4C77FA0AE1CEEDFCC71AB
C:\Windows\System32\DRIVERS\srvnet.sys BE6BD660CAA6F291AE06A718A4FA8ABC
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\N360\1402000.013\SYMDS.SYS FB69A67FEEE3026C7F99774A1C405326
C:\Windows\System32\drivers\N360\1402000.013\SYMEFA.SYS 28C5FAFA7FD1C522B8DCD59694D39412
C:\Windows\system32\Drivers\SYMEVENT.SYS C940F10C31E2C60CC967FFD6A370720C
C:\Windows\System32\DRIVERS\SymIMv.sys 3DAAD401453F5A46CAE076F9D9D1458E
C:\Windows\system32\drivers\N360\1402000.013\Ironx86.SYS 8C9B9036E301A9965CF15BEC91C58A12
C:\Windows\System32\Drivers\N360\1402000.013\SYMNETS.SYS 21698476A90ACAA056B8CFE09A82785F
C:\Windows\System32\DRIVERS\SynTP.sys 964524A9EDCCE945E82419ABE9DB94EE
C:\Windows\System32\drivers\tcpip.sys 7C0507D2391AF5933600CBCED799F277
C:\Windows\System32\DRIVERS\tcpip.sys 7C0507D2391AF5933600CBCED799F277
C:\Windows\System32\drivers\tcpipreg.sys 3EEBD3BD93DA46A26E89893C7AB2FF3B
C:\Windows\System32\Drivers\tcusb.sys 56F3F2EA80865A888192F556DDA98155
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 2C2C5AFE7EE4F620D69C23C0617651A8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\tifm21.sys 78213F01CE781F93180BEF5EB5B3AD81
C:\Windows\System32\DRIVERS\tosrfec.sys 9EE240F7029771B21CC6200BE6516D60
C:\Windows\System32\DRIVERS\tssecsrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\tsusbflt.sys 9CE253214ACAA5A7D323327D2055EFAA
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\TVALZ_O.SYS FC24015B4052600C324C43E3A79C0664
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\Drivers\usbaapl.sys 6E421CCC57059B0186C6259CA3B6DFC9
C:\Windows\System32\drivers\usbaudio.sys 1D9F2BD026E8E2D45033A4DF3F16B78C
C:\Windows\System32\DRIVERS\usbccgp.sys BD9C55D7023C5DE374507ACC7A14E2AC
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys F92DE757E4B7CE9C07C5E65423F3AE3B
C:\Windows\System32\DRIVERS\usbhub.sys 8DC94AEC6A7E644A06135AE7506DC2E9
C:\Windows\system32\DRIVERS\usbohci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys 576096CCBC07E7C4EA4F5E6686D6888F
C:\Windows\System32\DRIVERS\USBSTOR.SYS F991AB9CC6B908DB552166768176896A
C:\Windows\System32\DRIVERS\usbuhci.sys 68DF884CF41CDADA664BEB01DAF67E3D
C:\Windows\System32\Drivers\usbvideo.sys 45F4E7BF43DB40A6C6B4D92C76CBC3F2
C:\Windows\System32\Drivers\UVCFTR_S.SYS 237C444FBD1C697A2E3FA60F02C61F22
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\viac7.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vwifibus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys A840213F1ACDCC175B4D1D5AAEAC0D7A
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUSB.sys A67E5F9A400F3BD1BE3D80613B45F708
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys 06E6F32C8D0A3F66D956F57B43A2E070
C:\Windows\System32\DRIVERS\WUDFRd.sys 867C301E8B790040AE9CF6486E8041DF
C:\Windows\System32\DRIVERS\xusb21.sys C26C68BCBAC1F33F890C226769759209
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-04-25 21:36 - 2013-04-25 21:36 - 00000000 ____D C:\FRST
2013-04-24 06:56 - 2013-04-24 06:57 - 00000000 ____D C:\Users\Marcus\AppData\Local\{9ED004F7-9533-431A-B4E3-549AE2D0CCD0}
2013-04-23 18:56 - 2013-04-23 18:56 - 00000000 ____D C:\Users\Marcus\AppData\Local\{7744B3B1-66AE-48FB-ACF3-3BF719520242}
2013-04-23 06:56 - 2013-04-23 06:56 - 00000000 ____D C:\Users\Marcus\AppData\Local\{A5A8EE61-1090-4897-BF62-0EC6CDBA3BFF}
2013-04-22 09:03 - 2013-04-22 09:03 - 00000000 ____D C:\Users\Marcus\AppData\Local\{05ECDF8C-D10B-44CB-ABDE-968886BD3F46}
2013-04-21 21:02 - 2013-04-21 21:02 - 00000000 ____D C:\Users\Marcus\AppData\Local\{53428C23-30EF-4BFE-8D24-E408A190129B}
2013-04-20 12:33 - 2013-04-20 12:34 - 00000000 ____D C:\Users\Marcus\AppData\Local\{5DCE1177-15D4-491E-8D39-CF27AD7A4B90}
2013-04-19 06:50 - 2013-04-19 06:50 - 00000000 ____D C:\Users\Marcus\AppData\Local\{52FC371A-EFB6-475A-BC0D-F5D63DE9C5C0}
2013-04-18 07:28 - 2013-04-18 07:28 - 00000000 ____D C:\Users\Marcus\AppData\Local\{43AC7EF1-769D-4E09-A9E5-06F1E00C06D1}
2013-04-17 13:23 - 2013-04-17 13:23 - 00000000 ____D C:\Users\Marcus\AppData\Local\{C701E919-48D9-4EF8-A08C-A00BE82CAD80}
2013-04-17 11:34 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-17 11:34 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-17 11:34 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-17 11:34 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-17 11:34 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-17 11:34 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-17 11:34 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-17 11:34 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-17 11:34 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-17 11:34 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-17 11:34 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-17 11:34 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-17 11:34 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-17 11:34 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-17 11:34 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-17 11:34 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-16 14:25 - 2013-04-16 14:25 - 00000000 ____D C:\Users\Marcus\AppData\Local\{35B36591-2454-487B-96AF-566BAE94D8CE}
2013-04-16 00:07 - 2013-04-24 15:25 - 00000000 ____D C:\5d608acffb524a6f185208957e1e
2013-04-15 15:59 - 2013-04-15 15:59 - 00000000 ____D C:\Users\Marcus\AppData\Local\{59E353DB-145E-4124-B5DE-361C0DBB55B3}
2013-04-15 14:29 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-15 14:29 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-04-15 14:18 - 2013-02-11 19:32 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-04-14 16:16 - 2013-04-14 16:16 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4D37D16C-A8F9-4701-87F4-3CBF63FA1B53}
2013-04-14 04:15 - 2013-04-14 04:16 - 00000000 ____D C:\Users\Marcus\AppData\Local\{03674970-BF00-483F-9D35-95B617E965C3}
2013-04-13 16:15 - 2013-04-13 16:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{413A5DC7-A283-4F1E-B81B-BB151DFC6430}
2013-04-13 04:15 - 2013-04-13 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{FB04BE8A-956F-4DA4-AD15-C09D8A654618}
2013-04-12 16:15 - 2013-04-12 16:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{59B3169B-F815-447A-91CF-A0290FEF038C}
2013-04-12 04:15 - 2013-04-12 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D54EF11F-81CA-46AD-AD43-1137F1253FBD}
2013-04-11 16:14 - 2013-04-11 16:14 - 00000000 ____D C:\Users\Marcus\AppData\Local\{6D36365C-FCD2-46AF-A768-6DF015638989}
2013-04-11 04:14 - 2013-04-11 04:14 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4947D0D8-407F-49B6-BC89-E62BF42E1B39}
2013-04-10 11:48 - 2013-04-10 11:48 - 00000000 ____D C:\Users\Marcus\AppData\Local\{E93245A6-9D53-494B-B51A-93F172DF6E44}
2013-04-09 13:16 - 2013-04-09 13:17 - 00000000 ____D C:\Users\Marcus\AppData\Local\{781B3E93-B983-4B54-90F7-783E24EB421B}
2013-04-08 04:04 - 2013-04-08 04:05 - 00000000 ____D C:\Users\Marcus\AppData\Local\{10B9D726-CAFC-4FBA-9E43-4024C319EBBC}
2013-04-07 07:00 - 2013-04-07 07:00 - 00000000 ____D C:\Users\Marcus\AppData\Local\{B21AF391-16CE-47A3-9593-597688B53D2F}
2013-04-06 12:31 - 2013-04-06 12:31 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4CF3529C-7D23-4694-99AC-792C7E25775B}
2013-04-05 08:28 - 2013-04-05 08:28 - 00000000 ____D C:\Users\Marcus\AppData\Local\{792FE036-9918-4507-AB41-E6FA4EC783F1}
2013-04-04 06:22 - 2013-04-04 06:22 - 00000000 ____D C:\Users\Marcus\AppData\Local\{C8163D5C-0FCE-4AC1-A398-DA551623A7C6}
2013-04-03 11:31 - 2013-04-03 11:31 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D17387BA-D971-4AC7-93A6-C24FEE9C5161}
2013-04-02 17:01 - 2013-04-02 17:01 - 00000000 ____D C:\Users\Marcus\AppData\Local\{1444AB93-393E-413B-BCD2-246685CB53BA}
2013-04-02 12:44 - 2013-04-02 12:44 - 00000000 ____D C:\Users\Marcus\AppData\Local\{06B1D257-2B04-45CC-82A7-FE42D8DF970A}
2013-04-01 18:33 - 2013-04-01 18:33 - 00000000 ____D C:\Users\Marcus\AppData\Local\{B39D9DDE-4ADC-404F-A468-BE21E94B668F}
2013-04-01 04:06 - 2013-04-01 04:06 - 00000000 ____D C:\Users\Marcus\AppData\Local\{2DCFE982-3445-4742-AAAE-E5AB1416B849}
2013-03-31 06:19 - 2013-03-31 06:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{0DD48B9A-4492-48CF-87D7-E706B49CC745}
2013-03-30 18:19 - 2013-03-30 18:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{866E0DA3-44D9-4AD1-85E8-8F04D039F949}
2013-03-30 04:15 - 2013-03-30 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{BB767351-34E4-433F-8C87-ED565A88DEE3}
2013-03-29 07:53 - 2013-03-29 07:53 - 00000000 ____D C:\Users\Marcus\AppData\Local\Macromedia
2013-03-29 07:51 - 2013-03-29 07:52 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D7767255-D1D6-48BA-8A82-BC698E9EA135}
2013-03-28 07:19 - 2013-03-28 07:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{E89516C1-5C4B-4F1C-848F-07BD65AE8710}
2013-03-27 19:00 - 2013-03-27 19:00 - 00000000 ____D C:\Users\Marcus\AppData\Local\{ACDADA53-03E3-46DE-946A-30F52A860EBB}
2013-03-27 03:07 - 2013-03-27 03:08 - 00000000 ____D C:\Users\Marcus\AppData\Local\{1EE900DA-B3B7-4A06-9446-BEA58AEE00A1}
2013-03-26 13:21 - 2013-03-26 13:21 - 00000000 ____D C:\Users\Marcus\AppData\Local\{DB91F218-43DB-47D0-8AAD-DCED03C50340}
2013-03-26 04:07 - 2013-03-26 04:07 - 00000000 ____D C:\Users\Marcus\AppData\Local\{A6EE8A36-4DF3-49A2-A09F-67E6C166879E}
 
==================== One Month Modified Files and Folders ========
 
2013-04-25 21:36 - 2013-04-25 21:36 - 00000000 ____D C:\FRST
2013-04-25 16:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\winevt
2013-04-24 15:25 - 2013-04-16 00:07 - 00000000 ____D C:\5d608acffb524a6f185208957e1e
2013-04-24 15:25 - 2013-02-23 14:57 - 00000000 ____D C:\ProgramData\HP
2013-04-24 15:25 - 2012-04-05 18:18 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\FixZeroAccess
2013-04-24 15:25 - 2011-06-22 13:39 - 00000000 ____D C:\Users\Marcus\Downloads\The.Hangover.Part.II.2011.TS.XViD-EP1C
2013-04-24 15:25 - 2010-06-22 15:14 - 00000000 ____D C:\users\Guest
2013-04-24 15:25 - 2010-04-22 04:46 - 00000000 ____D C:\ProgramData\Norton
2013-04-24 15:25 - 2010-03-29 15:14 - 00000000 ____D C:\Users\Marcus\Downloads\Halo.Legends.2010.DVDRip.XviD-ViSiON.[www.FilmsBT.com]
2013-04-24 15:25 - 2010-02-17 05:52 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-04-24 15:25 - 2009-10-24 11:51 - 00000000 ____D C:\users\Marcus
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-04-24 15:25 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-04-24 06:57 - 2013-04-24 06:56 - 00000000 ____D C:\Users\Marcus\AppData\Local\{9ED004F7-9533-431A-B4E3-549AE2D0CCD0}
2013-04-23 18:56 - 2013-04-23 18:56 - 00000000 ____D C:\Users\Marcus\AppData\Local\{7744B3B1-66AE-48FB-ACF3-3BF719520242}
2013-04-23 06:56 - 2013-04-23 06:56 - 00000000 ____D C:\Users\Marcus\AppData\Local\{A5A8EE61-1090-4897-BF62-0EC6CDBA3BFF}
2013-04-22 09:03 - 2013-04-22 09:03 - 00000000 ____D C:\Users\Marcus\AppData\Local\{05ECDF8C-D10B-44CB-ABDE-968886BD3F46}
2013-04-22 00:00 - 2009-10-24 13:28 - 02065587 ____A C:\Windows\WindowsUpdate.log
2013-04-21 23:25 - 2013-02-23 14:34 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-21 21:02 - 2013-04-21 21:02 - 00000000 ____D C:\Users\Marcus\AppData\Local\{53428C23-30EF-4BFE-8D24-E408A190129B}
2013-04-20 12:34 - 2013-04-20 12:33 - 00000000 ____D C:\Users\Marcus\AppData\Local\{5DCE1177-15D4-491E-8D39-CF27AD7A4B90}
2013-04-19 11:51 - 2009-10-24 11:50 - 00743922 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-19 07:12 - 2010-04-03 14:35 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-19 06:50 - 2013-04-19 06:50 - 00000000 ____D C:\Users\Marcus\AppData\Local\{52FC371A-EFB6-475A-BC0D-F5D63DE9C5C0}
2013-04-18 07:28 - 2013-04-18 07:28 - 00000000 ____D C:\Users\Marcus\AppData\Local\{43AC7EF1-769D-4E09-A9E5-06F1E00C06D1}
2013-04-18 00:35 - 2009-07-13 20:34 - 00013472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-18 00:35 - 2009-07-13 20:34 - 00013472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-18 00:21 - 2012-04-25 07:53 - 00010128 ____A C:\Windows\setupact.log
2013-04-18 00:21 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-18 00:21 - 2009-07-13 20:33 - 00418224 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-18 00:02 - 2009-10-24 15:08 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-17 13:23 - 2013-04-17 13:23 - 00000000 ____D C:\Users\Marcus\AppData\Local\{C701E919-48D9-4EF8-A08C-A00BE82CAD80}
2013-04-17 13:05 - 2009-10-24 12:18 - 00829076 ____A C:\Windows\PFRO.log
2013-04-16 14:25 - 2013-04-16 14:25 - 00000000 ____D C:\Users\Marcus\AppData\Local\{35B36591-2454-487B-96AF-566BAE94D8CE}
2013-04-16 00:07 - 2009-10-24 11:56 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-15 15:59 - 2013-04-15 15:59 - 00000000 ____D C:\Users\Marcus\AppData\Local\{59E353DB-145E-4124-B5DE-361C0DBB55B3}
2013-04-14 16:16 - 2013-04-14 16:16 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4D37D16C-A8F9-4701-87F4-3CBF63FA1B53}
2013-04-14 04:16 - 2013-04-14 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{03674970-BF00-483F-9D35-95B617E965C3}
2013-04-13 16:15 - 2013-04-13 16:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{413A5DC7-A283-4F1E-B81B-BB151DFC6430}
2013-04-13 04:15 - 2013-04-13 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{FB04BE8A-956F-4DA4-AD15-C09D8A654618}
2013-04-12 16:15 - 2013-04-12 16:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{59B3169B-F815-447A-91CF-A0290FEF038C}
2013-04-12 04:15 - 2013-04-12 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D54EF11F-81CA-46AD-AD43-1137F1253FBD}
2013-04-11 16:14 - 2013-04-11 16:14 - 00000000 ____D C:\Users\Marcus\AppData\Local\{6D36365C-FCD2-46AF-A768-6DF015638989}
2013-04-11 04:14 - 2013-04-11 04:14 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4947D0D8-407F-49B6-BC89-E62BF42E1B39}
2013-04-10 11:48 - 2013-04-10 11:48 - 00000000 ____D C:\Users\Marcus\AppData\Local\{E93245A6-9D53-494B-B51A-93F172DF6E44}
2013-04-09 13:17 - 2013-04-09 13:16 - 00000000 ____D C:\Users\Marcus\AppData\Local\{781B3E93-B983-4B54-90F7-783E24EB421B}
2013-04-08 04:05 - 2013-04-08 04:04 - 00000000 ____D C:\Users\Marcus\AppData\Local\{10B9D726-CAFC-4FBA-9E43-4024C319EBBC}
2013-04-07 07:00 - 2013-04-07 07:00 - 00000000 ____D C:\Users\Marcus\AppData\Local\{B21AF391-16CE-47A3-9593-597688B53D2F}
2013-04-06 15:02 - 2011-08-27 13:44 - 00000000 ____D C:\ProgramData\Hero Lab
2013-04-06 12:31 - 2013-04-06 12:31 - 00000000 ____D C:\Users\Marcus\AppData\Local\{4CF3529C-7D23-4694-99AC-792C7E25775B}
2013-04-05 11:31 - 2013-02-28 16:43 - 00000000 ____D C:\Users\Marcus\AppData\Local\CutePDF Writer
2013-04-05 11:31 - 2011-12-02 15:55 - 00000000 ____D C:\Users\Marcus\Documents\New folder
2013-04-05 08:28 - 2013-04-05 08:28 - 00000000 ____D C:\Users\Marcus\AppData\Local\{792FE036-9918-4507-AB41-E6FA4EC783F1}
2013-04-04 06:22 - 2013-04-04 06:22 - 00000000 ____D C:\Users\Marcus\AppData\Local\{C8163D5C-0FCE-4AC1-A398-DA551623A7C6}
2013-04-03 11:31 - 2013-04-03 11:31 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D17387BA-D971-4AC7-93A6-C24FEE9C5161}
2013-04-02 17:01 - 2013-04-02 17:01 - 00000000 ____D C:\Users\Marcus\AppData\Local\{1444AB93-393E-413B-BCD2-246685CB53BA}
2013-04-02 12:44 - 2013-04-02 12:44 - 00000000 ____D C:\Users\Marcus\AppData\Local\{06B1D257-2B04-45CC-82A7-FE42D8DF970A}
2013-04-01 18:33 - 2013-04-01 18:33 - 00000000 ____D C:\Users\Marcus\AppData\Local\{B39D9DDE-4ADC-404F-A468-BE21E94B668F}
2013-04-01 07:28 - 2010-10-06 13:26 - 00000000 ___RD C:\Program Files\Skype
2013-04-01 07:28 - 2010-10-06 13:26 - 00000000 ____D C:\ProgramData\Skype
2013-04-01 04:06 - 2013-04-01 04:06 - 00000000 ____D C:\Users\Marcus\AppData\Local\{2DCFE982-3445-4742-AAAE-E5AB1416B849}
2013-03-31 06:19 - 2013-03-31 06:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{0DD48B9A-4492-48CF-87D7-E706B49CC745}
2013-03-30 18:19 - 2013-03-30 18:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{866E0DA3-44D9-4AD1-85E8-8F04D039F949}
2013-03-30 04:15 - 2013-03-30 04:15 - 00000000 ____D C:\Users\Marcus\AppData\Local\{BB767351-34E4-433F-8C87-ED565A88DEE3}
2013-03-29 07:53 - 2013-03-29 07:53 - 00000000 ____D C:\Users\Marcus\AppData\Local\Macromedia
2013-03-29 07:52 - 2013-03-29 07:51 - 00000000 ____D C:\Users\Marcus\AppData\Local\{D7767255-D1D6-48BA-8A82-BC698E9EA135}
2013-03-28 07:19 - 2013-03-28 07:19 - 00000000 ____D C:\Users\Marcus\AppData\Local\{E89516C1-5C4B-4F1C-848F-07BD65AE8710}
2013-03-27 19:00 - 2013-03-27 19:00 - 00000000 ____D C:\Users\Marcus\AppData\Local\{ACDADA53-03E3-46DE-946A-30F52A860EBB}
2013-03-27 03:08 - 2013-03-27 03:07 - 00000000 ____D C:\Users\Marcus\AppData\Local\{1EE900DA-B3B7-4A06-9446-BEA58AEE00A1}
2013-03-26 13:21 - 2013-03-26 13:21 - 00000000 ____D C:\Users\Marcus\AppData\Local\{DB91F218-43DB-47D0-8AAD-DCED03C50340}
2013-03-26 04:07 - 2013-03-26 04:07 - 00000000 ____D C:\Users\Marcus\AppData\Local\{A6EE8A36-4DF3-49A2-A09F-67E6C166879E}
 
==================== Known DLLs (ALL) =========================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-04-05 21:01:45
Restore point made on: 2013-04-13 21:00:20
Restore point made on: 2013-04-16 00:06:43
Restore point made on: 2013-04-17 11:33:48
Restore point made on: 2013-04-18 00:00:59
Restore point made on: 2013-04-19 00:00:36
Restore point made on: 2013-04-20 00:00:29
Restore point made on: 2013-04-21 00:00:30
Restore point made on: 2013-04-22 00:00:27
Restore point made on: 2013-04-23 00:00:28
Restore point made on: 2013-04-24 00:00:29
Restore point made on: 2013-04-24 06:27:22
Restore point made on: 2013-04-24 08:16:49
 
==================== Memory info =========================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3070.43 MB
Available physical RAM: 2625.28 MB
Total Pagefile: 3068.71 MB
Available Pagefile: 2627.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.7 MB
 
==================== Drives ================================
 
Drive c: (SQ004517V04) (Fixed) (Total:147.58 GB) (Free:30.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: () (Fixed) (Total:149.05 GB) (Free:27.39 GB) NTFS
Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
Drive g: () (Removable) (Total:7.79 GB) (Free:7.59 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    Online          149 GB  1024 KB         
  Disk 2    Online         7981 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: B500FBA3
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            147 GB  1501 MB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E   TOSHIBA SYS  NTFS   Partition   1500 MB  Healthy    Hidden  
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SQ004517V04  NTFS   Partition    147 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 5D379805
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 0    Extended           149 GB  1024 KB
  Partition 1    Logical            149 GB  2048 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D                NTFS   Partition    149 GB  Healthy            
 
=========================================================
 
Partitions of Disk 2:
===============
 
Disk ID: 00000000
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7980 MB  1024 KB
 
==================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                NTFS   Removable   7980 MB  Healthy            
 
=========================================================
============================== MBR & Partition Table ==================
 
====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: B500FBA3)
Partition 1: (Active) - (Size=0 byte) - (Type=00)
ATTENTION ===> 0 byte partition bootkit on partition 1
Partition 2: (Not Active) - (Size=1 GB) - (Type=27)
Partition 3: (Active) - (Size=148 GB) - (Type=07) (NTFS)
 
====================================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: 5D379805)
Partition 1: (Not Active) - (Size=149 GB) - (Type=OF) (Extended)
 
====================================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 8 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=8 GB) - (Type=07) (NTFS)
 
 
Last Boot: 2013-04-23 21:44
 
==================== End Of Log ============================


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2013 - 04:59 PM

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Last Boot: 2013-04-23 21:44
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 mwbrightwell

  • Topic Starter
  • Members
  • 11 posts

Posted 26 April 2013 - 05:10 PM

No improvements as to booting past BIOS as of yet. Still getting the white flashing command input line.
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-04-2013
Ran by SYSTEM at 2013-04-26 17:07:15 Run:1
Running from G:\
Boot Mode: Recovery
 
==============================================
 
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.
 
==== End of Fixlog ====


#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2013 - 05:23 PM

Please run the following:
  • Download the appropriate version of ListParts to a USB flash drive.
  • Plug the USB drive into the infected machine.
Boot your computer into Recovery Environment
  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...
W7InstallDisk2.png
  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
      • check the "list BCD" box
      • Press the Scan button.
      • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.



#7 mwbrightwell

  • Topic Starter
  • Members
  • 11 posts

Posted 26 April 2013 - 05:37 PM

ListParts by Farbar Version: 24-04-2013
Ran by SYSTEM (administrator) on 26-04-2013 at 17:34:03
Windows 7 (X86)
Running From: G:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 11%
Total physical RAM: 3070.43 MB
Available physical RAM: 2724.39 MB
Total Pagefile: 3068.71 MB
Available Pagefile: 2714.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.52 MB
 
======================= Partitions =========================
 
1 Drive c: (SQ004517V04) (Fixed) (Total:147.58 GB) (Free:30.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Fixed) (Total:149.05 GB) (Free:27.39 GB) NTFS
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
5 Drive g: () (Removable) (Total:7.79 GB) (Free:7.59 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    Online          149 GB  1024 KB         
  Disk 2    Online         7981 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: B500FBA3
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            147 GB  1501 MB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E   TOSHIBA SYS  NTFS   Partition   1500 MB  Healthy    Hidden  
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SQ004517V04  NTFS   Partition    147 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 5D379805
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 0    Extended           149 GB  1024 KB
  Partition 1    Logical            149 GB  2048 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D                NTFS   Partition    149 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 2:
===============
 
Disk ID: 00000000
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7980 MB  1024 KB
 
======================================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                NTFS   Removable   7980 MB  Healthy            
 
======================================================================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: B500FBA3
Partition 1: (Active) - (Size=0 byte) - (Type=00)
ATTENTION ===> 0 byte partition bootkit on partition 1
Partition 2: (Not Active) - (Size=1 GB) - (Type=27)
Partition 3: (Active) - (Size=148 GB) - (Type=07) (NTFS)
 
==============================
Partitions of Disk 1:
===============
Disk ID: 5D379805
Partition 1: (Not Active) - (Size=149 GB) - (Type=OF) (Extended)
 
==============================
Partitions of Disk 2:
===============
Disk ID: 00000000
Partition 1: (Active) - (Size=8 GB) - (Type=07) (NTFS)
 
The boot configuration data store could not be opened.
The requested system device cannot be found.
 
 
****** End Of Log ****** 


#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2013 - 08:28 PM

Please do the following:
  • Download
    Save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".
  • run ListParts by typing g:\listparts.exe in the command prompt and pressing Enter
    Click Fix. Close the pop up after the fix is done.
  • Please restart, let it boot normally and then post the FixLog.txt



#9 mwbrightwell

  • Topic Starter
  • Members
  • 11 posts

Posted 26 April 2013 - 08:57 PM

That got it farther than it was. It progressed past the black screen with the flashing command input line to a blue screen with the Windows Memory Diagnostics Tool:
=========================================================
Windows is checking for memory problems...
this might take several minutes.
 
Running test pass 1 of 2:   XX% complete
Overall test status:  XX% complete
 
Status:
No problems have been detected yet.
 
Although the test may appear inactive at times, it is still running. Please
wait until testing is complete...
 
Windows will restart the computer automatically. Test results will be displayed again after you log on.
 
============================================================================
 
I will reply after the computer reboots with the status of the memory diagnostics.  Below is the attached Fixlog.txt output to my flash drive.
 
=====================================================
Script used: "Disk=0 partition=2 inactive"
Script used: "Disk=0 partition=2 active"
Script used: "Disk=0 partition=2 inactive"
Script used: "Disk=0 partition=2 active"
Script used: "custom."
 
The boot configuration data store could not be opened.
The requested system device cannot be found.
==============================================================
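The FRST MBR section earlier in the thread ("ATTENTION ===> 0 byte partition bootkit on partition 1", with two entries marked Active) and the ListParts Fixlog in the post just above ("Disk=0 partition=2 inactive" / "active") both operate on the 64-byte partition table at offset 0x1BE of the disk's first sector. The following is an added example, not FRST or ListParts code, that models both: it builds a sector laid out like Disk 0 (sizes taken from the logs, the bytes themselves constructed for the demo), flags what FRST flagged, and clears the stray active flag so that exactly one entry is active. Note the numbering: FRST counts all four table slots, so the empty one is its "partition 1", while diskpart and the ListParts script skip empty slots, which is why the same NTFS volume is partition 3 in the FRST table and partition 2 in the fix script.

```python
"""
Added example (not FRST or ListParts code): parse an MBR partition table,
flag the pattern FRST reported for Disk 0 in this thread, and model the
ListParts 'inactive'/'active' fix.  The sector is constructed from the
sizes in the logs, not read from the real disk.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE            # the four 16-byte entries live at bytes 446..509
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
STATUS_ACTIVE, STATUS_INACTIVE = 0x80, 0x00
TYPE_EMPTY, TYPE_NTFS, TYPE_HIDDEN_RECOVERY = 0x00, 0x07, 0x27
SECTORS_PER_MB = 1024 * 1024 // SECTOR_SIZE


def build_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are zeroed since only LBA matters here."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte sector: zeroed boot code, up to four entries, boot signature."""
    table = b"".join(entries) + bytes(16 * (4 - len(entries)))
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


def parse_partition_table(mbr):
    """Return the four table slots as dicts, numbered 1..4 the way FRST numbers them."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in the 0x55AA boot signature")
    slots = []
    for slot in range(1, 5):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + (slot - 1) * 16)
        slots.append({"slot": slot, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return slots


def check_partition_table(slots):
    """Findings in the spirit of FRST's 'ATTENTION ===>' line; an empty list means clean."""
    findings = []
    for s in slots:
        if s["status"] not in (STATUS_ACTIVE, STATUS_INACTIVE):
            findings.append(f"slot {s['slot']}: invalid status byte {s['status']:#04x}")
        if s["type"] == TYPE_EMPTY and (s["sectors"] or s["lba_start"]):
            findings.append(f"slot {s['slot']}: type 00 entry that still carries an extent")
        if s["status"] == STATUS_ACTIVE and s["type"] == TYPE_EMPTY and s["sectors"] == 0:
            findings.append(f"slot {s['slot']}: 0 byte partition marked active (the pattern FRST calls a bootkit)")
    active = [s["slot"] for s in slots if s["status"] == STATUS_ACTIVE]
    if len(active) > 1:
        findings.append(f"{len(active)} active entries (slots {active}); a valid table has at most one")
    return findings


def repair_active_flags(mbr, boot_slot):
    """Model of the Fixlog's 'partition inactive' / 'partition active' scripts:
    clear every active flag, then set it only on the slot holding the system volume.
    An empty slot whose flag is cleared becomes all zeros, i.e. a normal unused entry."""
    out = bytearray(mbr)
    for slot in range(1, 5):
        out[TABLE_OFFSET + (slot - 1) * 16] = STATUS_ACTIVE if slot == boot_slot else STATUS_INACTIVE
    return bytes(out)


# Constructed sector laid out like Disk 0 in the FRST/ListParts logs:
# slot 1 empty but active, slot 2 hidden recovery (type 27, 1500 MB), slot 3 NTFS (type 07, ~147 GB).
DISK0_MBR = build_mbr([
    build_entry(STATUS_ACTIVE, TYPE_EMPTY, 0, 0),
    build_entry(STATUS_INACTIVE, TYPE_HIDDEN_RECOVERY, 1 * SECTORS_PER_MB, 1500 * SECTORS_PER_MB),
    build_entry(STATUS_ACTIVE, TYPE_NTFS, 1501 * SECTORS_PER_MB, 147 * 1024 * SECTORS_PER_MB),
])

if __name__ == "__main__":
    for line in check_partition_table(parse_partition_table(DISK0_MBR)):
        print("ATTENTION ===>", line)
    repaired = repair_active_flags(DISK0_MBR, boot_slot=3)
    print("after repair:", check_partition_table(parse_partition_table(repaired)) or "no findings")
```

What this does not cover: FRST also fingerprints the 446 bytes of boot code that precede the table ("MBR Code: Windows 7 or 8"), and that is where a bootkit's loader would actually sit; the model zeroes that region. Resetting the active flag also does not rebuild the BCD, which matches the Fixlog still reporting that the boot configuration data store could not be opened after the fix.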


#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2013 - 09:02 PM

ok,

that's progress

I'll await your reply :)



#11 mwbrightwell

  • Topic Starter
  • Members
  • 11 posts

Posted 26 April 2013 - 09:17 PM

It never did pop up with a report for the memory scan (I'm assuming this is good). However, we have made it back into the Windows environment!

My Norton popped up with an error: 3048, 3 (it ran the self-repair and seems to have righted itself).

I do notice two rogue svchost.exe taking up a large amount of processor power and consistently growing in size. The worst one is over 233000k and growing by the second.

Edit: After reaching ~500000k the svchost.exe disappeared off the process list.


Edited by mwbrightwell, 26 April 2013 - 09:30 PM.
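The two fast-growing svchost.exe processes reported in the post above are worth triaging by provenance rather than by name, since svchost.exe is a name malware commonly borrows and the FRST check earlier in the thread ("C:\Windows\System32\svchost.exe => MD5 is legit") only vouches for the file on disk. The following is an added example, not from the thread or from any of the tools used in it: a process-list audit that flags any svchost.exe whose image is not the System32 binary, whose parent is not services.exe, whose owner is not one of the three service accounts, or that was started without the "-k <group>" argument every service host on Windows 7 carries. The process list is constructed for the demo (only the hostname is taken from the MBAR log); it is not the laptop's actual process list.

```python
"""
Added example (not from the thread, MBAR or FRST): provenance checks that
separate a real svchost.exe from something borrowing its name.  The process
list below is constructed for the demo, not captured from the laptop.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path cmdline user")

EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
SERVICE_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}
GROUP_ARG = re.compile(r"\s-k\s+\S+")   # Win7 service hosts start as "svchost.exe -k <group>"


def audit_svchost(procs):
    """Map pid -> list of reasons for every svchost.exe that fails a provenance check.

    Checks: image path is the System32 binary, parent is services.exe,
    owner is one of the three service accounts, command line carries -k <group>.
    """
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if p.path.lower() != EXPECTED_IMAGE:
            reasons.append(f"image is {p.path}, not {EXPECTED_IMAGE}")
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<unknown>"
        if parent_name.lower() != "services.exe":
            reasons.append(f"parent is {parent_name} (pid {p.ppid}), expected services.exe")
        if p.user.lower() not in SERVICE_ACCOUNTS:
            reasons.append(f"runs as {p.user}, expected a service account")
        if not GROUP_ARG.search(p.cmdline):
            reasons.append("command line has no -k <group> argument")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample: three ordinary service hosts plus two that deserve a look.
SAMPLE_PROCS = [
    Proc(4, 0, "System", "", "", r"NT AUTHORITY\SYSTEM"),
    Proc(480, 400, "services.exe", r"C:\Windows\System32\services.exe", "services.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(620, 480, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch", r"NT AUTHORITY\SYSTEM"),
    Proc(880, 480, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM"),
    Proc(1240, 480, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k LocalService", r"NT AUTHORITY\LOCAL SERVICE"),
    Proc(1612, 1500, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe", r"MARCUSLAPTOP\Marcus"),
    # same name, wrong folder, wrong parent, wrong owner, no service group (constructed)
    Proc(3320, 1612, "svchost.exe", r"C:\Users\Public\svchost.exe", "svchost.exe", r"MARCUSLAPTOP\Marcus"),
    # genuine binary, but spawned by another svchost and without a service group (constructed)
    Proc(3412, 880, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(audit_svchost(SAMPLE_PROCS).items()):
        print(f"pid {pid}:")
        for reason in reasons:
            print("   ", reason)
```

On a live Windows 7 box the same fields come from `tasklist /v /fo csv` (image name, PID, user name) and `wmic process get ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv`; join the two on PID and build the Proc records from the rows. Two caveats: the checks look at provenance, not resource use, and a genuine service host (the netsvcs group on Windows 7, for one) can legitimately grow to hundreds of MB; and a real svchost.exe hosting a malicious service DLL passes all four checks, which is the case an anti-rootkit scan like the one requested in the next post is meant to cover.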


#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2013 - 09:28 PM

OK,

Let's investigate that further then

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



#13 mwbrightwell

  • Topic Starter
  • Members
  • 11 posts

Posted 26 April 2013 - 10:06 PM

Nothing was found or needed to be cleaned:

1

=========================================================

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.26.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Marcus :: MARCUSLAPTOP [administrator]

4/26/2013 9:50:15 PM
mbar-log-2013-04-26 (21-50-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 30396
Time elapsed: 15 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

===========================================================================

2

===========================================================================

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.26.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Marcus :: MARCUSLAPTOP [administrator]

4/26/2013 10:02:11 PM
mbar-log-2013-04-26 (22-02-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 30334
Time elapsed: 11 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

==============================================================================
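As an added example (not part of the thread, and not Malwarebytes' own tooling): a small Python parser for the mbar-log format posted above, applying the rule from the instructions that a cleanup counts as verified only when a second, later scan reports zero detections in every category. The two log texts are trimmed from the logs in this post; the third, "dirty" log is constructed to show the case where a rescan still finds something.

```python
import re
from datetime import datetime

# First MBAR log from this thread, trimmed to the lines the parser uses.
LOG_1 = """Malwarebytes Anti-Rootkit BETA 1.05.0.1001
Database version: v2013.04.26.08
Marcus :: MARCUSLAPTOP [administrator]

4/26/2013 9:50:15 PM

Scan type: Quick scan
Objects scanned: 30396

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
"""
# Second (verification) log from the thread: same layout, later time and object count.
LOG_2 = LOG_1.replace("9:50:15 PM", "10:02:11 PM").replace("30396", "30334")
# Constructed variant: a verification scan that still reports two files.
LOG_DIRTY = LOG_2.replace("Files Detected: 0", "Files Detected: 2")

DETECT_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)\s*$", re.M)
TS_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$", re.M)
DB_RE = re.compile(r"^Database version: (\S+)$", re.M)
OBJ_RE = re.compile(r"^Objects scanned: (\d+)$", re.M)

def parse_mbar_log(text):
    """Pull scan time, definition version, object count and the per-category
    'Detected' counters out of one mbar-log-*.txt."""
    return {
        "timestamp": datetime.strptime(TS_RE.search(text).group(1), "%m/%d/%Y %I:%M:%S %p"),
        "database": DB_RE.search(text).group(1),
        "objects_scanned": int(OBJ_RE.search(text).group(1)),
        "detections": {m["category"]: int(m["count"]) for m in DETECT_RE.finditer(text)},
    }

def is_clean(report):
    """True only if the log has detection counters and every one of them is zero."""
    counts = report["detections"]
    return bool(counts) and all(v == 0 for v in counts.values())

def verify_cleanup(first_log, second_log):
    """Apply the rule given in the thread: cleanup is verified only when a second
    scan, run after the first, reports zero detections everywhere.
    Returns a list of problems; an empty list means verified."""
    first, second = parse_mbar_log(first_log), parse_mbar_log(second_log)
    problems = []
    if second["timestamp"] <= first["timestamp"]:
        problems.append("verification scan is not newer than the first scan")
    if not is_clean(second):
        left = [c for c, n in second["detections"].items() if n]
        problems.append("verification scan still reports detections in: " + ", ".join(left))
    return problems
```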



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 27 April 2013 - 08:11 AM

That's good news,

There are just a couple more scans to run to make sure there are no leftovers, please run the following:

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(image: CF_RC_notice.png)
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: cfRC_screen_2.png)
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 mwbrightwell

mwbrightwell
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:37 PM

Posted 27 April 2013 - 09:25 AM

ComboFix 13-04-27.04 - Marcus 04/27/2013   8:59.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3070.1619 [GMT -5:00]
Running from: c:\users\Marcus\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marcus\AppData\Local\Temp\7zS5A9E\HPSLPSVC32.DLL
c:\windows\RazorDOX
c:\windows\RazorDOX\RazorDOX.dll
c:\windows\RazorDOX\RazorDOX.ini
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
D:\install.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_HPSLPSVC
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-27 to 2013-04-27  )))))))))))))))))))))))))))))))
.
.
2013-04-27 08:00 . 2013-04-27 08:00 -------- d-----w- c:\windows\CheckSur
2013-04-26 05:36 . 2013-04-26 05:36 -------- d-----w- C:\FRST
2013-04-16 08:07 . 2013-04-24 23:25 -------- d-----w- C:\5d608acffb524a6f185208957e1e
2013-04-15 22:29 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-15 22:29 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-15 22:29 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-15 22:29 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-15 22:29 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-15 22:29 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-15 22:18 . 2013-02-12 03:32 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-29 15:53 . 2013-03-29 15:53 -------- d-----w- c:\users\Marcus\AppData\Local\Macromedia
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 19:25 . 2013-02-23 22:33 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 19:25 . 2011-08-12 03:07 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-14 19:00 . 2010-04-22 12:51 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-02-12 04:48 . 2013-03-13 07:52 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 07:52 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-18 152392]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe" [2013-03-13 706776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]
.
[HKLM\~\startupfolder\C:^Users^Marcus^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk.disabled]
path=c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk.disabled
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.disabled.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 18:40 83336 ----a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
"Security Protection"=c:\programdata\defender.exe
"Steam"="c:\program files\Steam\Steam.exe" -silent
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
"KeNotify"=c:\program files\TOSHIBA\Utilities\KeNotify.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"RtHDVCpl"=c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [x]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 CplIR;Embedded IR Driver;c:\windows\system32\DRIVERS\CplIR.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [x]
S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130426.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1402000.013\SYMNETS.SYS [x]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ    HPSLPSVC
GPSvcGroup REG_MULTI_SZ    GPSvc
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-23 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{1216CD08-FF00-4A7D-933D-770894DF8A7A}: NameServer = 4.2.2.2,4.2.2.1
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxp://lazboy3d.icovia.com/PLANNER/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\1wlbe9id.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
FF - Ext: 20-20 3D Viewer - WEB: 2020Player_WEB@2020Technologies.com - %profile%\extensions\2020Player_WEB@2020Technologies.com
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2207100919-2931676142-1606076186-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,d9,ca,8e,a8,b3,ff,eb,60,05,43,68,d3,6f,64,51,53,2f,3a,91,47,3c,e8,
   ae,76,3a,35,78,27,97,3b,7a,34,2b,28,69,d4,4b,27,a7,89,ac,a0,8e,b9,40,24,c0,\
"??"=hex:00,a4,20,e4,9f,49,ea,a0,5e,71,84,d2,01,1e,00,1a
.
[HKEY_USERS\S-1-5-21-2207100919-2931676142-1606076186-1001\Software\SecuROM\License information*]
"datasecu"=hex:1b,d2,3a,aa,2e,3d,68,0d,af,6b,83,95,75,d8,94,8d,bc,b1,05,9f,09,
   18,4e,ee,b4,47,2a,1a,5c,38,c6,c4,2d,ec,63,93,16,5d,a7,b0,1b,95,e8,1c,f5,76,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\WUDFHost.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2013-04-27  09:23:03 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-27 14:23
.
Pre-Run: 33,738,825,728 bytes free
Post-Run: 34,841,088,000 bytes free
.
- - End Of File - - 25FD58C38EC416B92ACC71B462767804
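Added example, not from the thread and not ComboFix's own code: a parser for the "Reg Loading Points" section of the log above, which turns the `[key]` / `"name"=value` blocks into structured entries and then reads the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) that this log shows set to 0. The excerpt is trimmed from the log in this post; the meaning attached to each policy value is Microsoft's documented semantics for those values, not something the thread states.

```python
import re

# Excerpt trimmed from the ComboFix "Reg Loading Points" section posted above.
LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
"Security Protection"=c:\programdata\defender.exe
"Steam"="c:\program files\Steam\Steam.exe" -silent
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"^(\d+) \(0x[0-9a-fA-F]+\)$")
STAMP_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")  # ComboFix's "[date size]" suffix

def parse_value(value):
    """Classify one value: a DWORD such as "0 (0x0)", or an image path (quoted or
    bare, optionally followed by arguments and the [date size] stamp)."""
    m = DWORD_RE.match(value)
    if m:
        return {"type": "dword", "data": int(m.group(1))}
    value = STAMP_RE.sub("", value)
    if value.startswith('"'):
        image, _, args = value[1:].partition('"')
    else:
        image, _, args = value.partition(" ")
    return {"type": "image", "image": image, "args": args.strip()}

def parse_loading_points(text):
    """Return {registry key: {value name: parsed value}} for every [key] block."""
    keys, current = {}, None
    for line in text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            current = keys.setdefault(km.group("key"), {})
            continue
        em = ENTRY_RE.match(line.strip())
        if em and current is not None:
            current[em.group("name")] = parse_value(em.group("value"))
    return keys

# Documented meaning of each weak setting (Microsoft's UAC policy values, not from the thread).
UAC_WEAK = {"EnableLUA": (0, "UAC is disabled"),
            "ConsentPromptBehaviorAdmin": (0, "administrators elevate without a prompt"),
            "PromptOnSecureDesktop": (0, "elevation prompts are not on the secure desktop")}

def uac_findings(keys):
    """Flag UAC policy values in the log that weaken elevation control."""
    out = []
    for key, values in keys.items():
        if key.lower().endswith(r"\policies\system"):
            for name, (weak, meaning) in UAC_WEAK.items():
                v = values.get(name)
                if v and v["type"] == "dword" and v["data"] == weak:
                    out.append(f"{name}={weak}: {meaning}")
    return out
```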





