New version of FBI Hijack infection?


3 replies to this topic

#1 Maveej


Posted 12 May 2013 - 12:06 PM

Hello everyone.  I am currently working on a friend's machine that seems to have a version of the FBI virus that is not removable by the means posted elsewhere on the internet.

Things I have tried:

Farbar, USB Bootable Microsoft Essentials, HitmanPro Kick Start, and Kaspersky Rescue Disk (booted into each and attempted to use the built-in software to remove the malware)

 

I am not able to get one step past this FBI Hijack.  Traditionally, in my experience, this hijack malware can be easily bypassed with a safe mode boot/command prompt: go through the steps to create a new user, then boot into that user under safe mode to run a few scans.

 

If none of these tricks are working, where else should I look or what else should I try?  Scouring the internet, I find nothing about what to do next if these steps fail.  Booting into any form of safe mode, from the start until this point, has resulted in the machine shutting down after attempting to log in to the user.

 

Thanks to anyone who has any advice.  I will post the Farbar log in a few minutes.


Edited by Maveej, 12 May 2013 - 12:07 PM.




#2 Maveej


Posted 12 May 2013 - 12:17 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-05-2013 01
Ran by SYSTEM on 12-05-2013 13:14:23
Running from F:\
Windows 7 Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [9726568 2010-09-07] (Realtek Semiconductor)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup [2778424 2013-02-28] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: []  [x]
HKLM\...\Run: [InboxToolbar] "C:\PROGRA~1\INBOXT~1\Inbox.exe" /STARTUP [1713312 2013-04-11] (Inbox.com, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot [295512 2013-04-25] (RealNetworks, Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKU\todd\...\Run: [Google Update] "C:\Users\todd\AppData\Local\Google\Update\GoogleUpdate.exe" /c [ 2011-02-12] (Google Inc.)
HKU\todd\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
HKU\todd\...\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe [ 2011-03-10] (Intuit Inc.)
HKU\todd\...\Run: [DW7] "C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe" [x]
HKU\todd\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [ 2013-01-29] (SUPERAntiSpyware.com)
HKU\todd\...\Run: [SpeedUpMyPC] "C:\Program Files\Uniblue\SpeedUpMyPC\launcher.exe" -d 20000  [ 2012-07-08] (Uniblue Systems Ltd)
HKU\todd\...\Run: [Consumer Input Update] C:\Program Files\Consumer Input\dca-ua.exe [ 2012-09-10] (Compete, Inc.)
HKU\todd\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"  /MINIMIZED [ 2012-11-28] (BitTorrent, Inc.)
HKU\todd\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex [ 2013-03-12] (Adobe Systems Incorporated)
HKU\todd\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [26624 2010-11-20] (Microsoft Corporation)
HKU\todd\...\Winlogon: [Shell] cmd.exe [26624 2010-11-20] (Microsoft Corporation)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Constant Guard.lnk
ShortcutTarget: Constant Guard.lnk -> C:\Program Files\Constant Guard Protection Suite\IDVault.exe (White Sky, Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
ShortcutTarget: NETGEAR WNDA3100v2 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Secure Backup and Share Status.lnk
ShortcutTarget: Secure Backup and Share Status.lnk -> C:\Program Files\SecureBackupShare\ComcastSecureBackupSharestat.exe (Secure Backup and Share)
BootExecute: autocheck autochk * bootdelete
 
========================== Services (Whitelisted) =================
 
S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-09-08] (SUPERAntiSpyware.com)
S2 atnthost; C:\ProgramData\webex\MyWebEx\319\atnthost.exe [18592 2012-07-19] (WebEx Communications, Inc.)
S2 ComcastSecureBackupSharebackup; C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe [15592 2011-12-15] (Secure Backup and Share)
S2 DefaultTabSearch; C:\Program Files\DefaultTab\DefaultTabSearch.exe [572928 2013-02-10] ()
S2 DefaultTabUpdate; C:\Users\todd\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2012-09-22] ()
S2 IDVaultSvc; C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe [66600 2013-01-14] (White Sky, Inc.)
S2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [109728 2010-12-06] (Intel Corporation)
S2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-06-30] (Intuit Inc.)
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-05] ()
S2 WSWNDA3100; C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe [278528 2009-11-04] ()
 
==================== Drivers (Whitelisted) ====================
 
S1 AntiLog32; C:\Windows\system32\drivers\AntiLog32.sys [82320 2013-01-29] (Zemana Ltd.)
S3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh6.sys [1092160 2011-04-19] (Broadcom Corporation)
S1 ComcastSecureBackupShareFilter; C:\Windows\System32\DRIVERS\ComcastSecureBackupShare.sys [54776 2011-12-15] (Mozy, Inc.)
S3 FVNETusbXP; C:\Windows\System32\DRIVERS\bkusbxp.sys [99584 2003-05-07] (Belkin Components)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30464 2013-05-11] ()
S3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [25936 2013-01-05] (Zemana Ltd.)
S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [21504 2011-10-07] (http://libusb-win32.sourceforge.net)
S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [50704 2009-10-20] (CACE Technologies, Inc.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [21728 2007-01-19] (Windows ® Codename Longhorn DDK provider)
 
========================== Drivers MD5 =======================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-11 19:42 - 2013-05-11 19:42 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-11 19:01 - 2013-05-11 19:01 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-11 18:53 - 2013-05-11 19:35 - 00164938 ____A C:\Windows\System32\.crusader
2013-05-11 18:37 - 2013-05-12 00:05 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-11 18:13 - 2013-05-11 18:13 - 56598528 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 18874368 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-11 18:11 - 2013-05-11 18:11 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-11 17:52 - 2013-05-12 00:05 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-05-11 15:41 - 2013-05-11 15:41 - 00000000 ____D C:\FRST
2013-05-11 14:32 - 2013-05-11 14:32 - 00000000 ____D C:\users\Test
2013-05-10 17:12 - 2013-05-10 17:12 - 01096053 ____A C:\Users\todd\AppData\Local\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096028 ____A C:\Users\todd\AppData\Roaming\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096005 ____A C:\ProgramData\2433f433
2013-05-10 17:11 - 2013-05-10 17:11 - 00030208 ____A C:\Users\todd\Documents\5ff47bdf.dll
2013-05-03 10:46 - 2013-05-11 20:40 - 00000000 ____D C:\Users\todd\AppData\Local\Ask.com
2013-05-03 09:09 - 2013-05-03 09:09 - 00001073 ____A C:\Users\todd\Desktop\Documents.lnk
2013-05-03 08:54 - 2013-05-03 09:06 - 00000000 ____D C:\Users\todd\Documents\Bank Statements
2013-05-02 09:49 - 2013-05-02 09:49 - 04308992 ____A C:\Users\todd\Desktop\Rental Properties-2013-05-02.QDF-backup
2013-04-25 13:11 - 2013-04-29 15:24 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-04-25 11:11 - 2013-05-10 13:53 - 00000438 ___AH C:\Windows\Tasks\Norton Security Scan for todd.job
2013-04-25 11:11 - 2013-04-25 11:11 - 00001415 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\ProgramData\Symantec
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-04-25 10:39 - 2013-04-25 10:39 - 00001016 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\Users\todd\AppData\Roaming\RealNetworks
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\ProgramData\RealNetworks
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\Program Files\RealNetworks
2013-04-25 10:38 - 2013-04-25 10:38 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-04-25 10:37 - 2013-04-25 10:37 - 00000000 ____D C:\Users\todd\AppData\Local\Real
2013-04-24 00:43 - 2013-04-12 05:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-18 12:16 - 2013-04-18 12:16 - 00000001 ____A C:\ProgramData\S4Ve2bIv.exe_.b
2013-04-18 12:16 - 2013-04-18 12:16 - 00000001 ____A C:\ProgramData\S4Ve2bIv.exe.b
2013-04-18 12:16 - 2013-04-18 12:16 - 00000000 ____A C:\ProgramData\GEP64d.dat
 
==================== One Month Modified Files and Folders ========
 
2013-05-12 00:05 - 2013-05-11 18:37 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-12 00:05 - 2013-05-11 17:52 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-05-12 00:05 - 2012-11-28 16:46 - 00000000 ____D C:\Users\todd\AppData\Roaming\uTorrent
2013-05-12 00:05 - 2011-03-29 11:27 - 00000000 ____D C:\Users\todd\AppData\Local\Microsoft Help
2013-05-12 00:05 - 2011-03-29 11:27 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-12 00:05 - 2011-02-07 16:33 - 00000000 ____D C:\users\todd
2013-05-12 00:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-05-12 00:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-05-12 00:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-05-12 00:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-05-11 20:40 - 2013-05-03 10:46 - 00000000 ____D C:\Users\todd\AppData\Local\Ask.com
2013-05-11 19:55 - 2012-08-08 06:04 - 00000322 ____A C:\Windows\Tasks\SpeedUpMyPC.job
2013-05-11 19:55 - 2011-02-07 12:12 - 02042232 ____A C:\Windows\WindowsUpdate.log
2013-05-11 19:49 - 2009-07-13 20:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-11 19:49 - 2009-07-13 20:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-11 19:46 - 2011-02-07 16:34 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-11 19:45 - 2011-02-13 19:11 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-11 19:44 - 2011-02-13 19:11 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-11 19:44 - 2011-02-12 16:15 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1779651558-3728973907-1540447641-1000UA.job
2013-05-11 19:42 - 2013-05-11 19:42 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-11 19:42 - 2012-11-24 15:42 - 00000000 ____D C:\ProgramData\webex
2013-05-11 19:42 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-11 19:42 - 2009-07-13 20:39 - 00036249 ____A C:\Windows\setupact.log
2013-05-11 19:38 - 2012-08-12 15:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-11 19:35 - 2013-05-11 18:53 - 00164938 ____A C:\Windows\System32\.crusader
2013-05-11 19:35 - 2013-04-07 08:57 - 00000000 ____D C:\Program Files\Delta
2013-05-11 19:01 - 2013-05-11 19:01 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-11 18:53 - 2012-09-22 11:12 - 00000000 ____D C:\Users\todd\AppData\Local\RivalGaming
2013-05-11 18:13 - 2013-05-11 18:13 - 56598528 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 18874368 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-11 18:13 - 2013-05-11 18:13 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-11 18:11 - 2013-05-11 18:11 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-11 15:41 - 2013-05-11 15:41 - 00000000 ____D C:\FRST
2013-05-11 14:32 - 2013-05-11 14:32 - 00000000 ____D C:\users\Test
2013-05-11 13:38 - 2009-07-13 20:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-11 06:37 - 2011-02-12 12:39 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2013-05-11 06:27 - 2011-04-15 09:26 - 00000000 ____D C:\Users\todd\Documents\Outlook Files
2013-05-11 06:14 - 2013-01-31 02:41 - 00000000 ____A C:\END
2013-05-11 04:04 - 2011-12-15 17:44 - 00003478 ____A C:\Windows\ComcastSecureBackupShare.blk
2013-05-11 04:04 - 2011-12-15 17:44 - 00000988 ____A C:\Windows\ComcastSecureBackupShare.flt
2013-05-10 17:12 - 2013-05-10 17:12 - 01096053 ____A C:\Users\todd\AppData\Local\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096028 ____A C:\Users\todd\AppData\Roaming\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096005 ____A C:\ProgramData\2433f433
2013-05-10 17:11 - 2013-05-10 17:11 - 00030208 ____A C:\Users\todd\Documents\5ff47bdf.dll
2013-05-10 15:48 - 2012-08-08 05:59 - 00000000 ____D C:\Users\todd\AppData\Roaming\Real
2013-05-10 13:53 - 2013-04-25 11:11 - 00000438 ___AH C:\Windows\Tasks\Norton Security Scan for todd.job
2013-05-10 13:53 - 2011-03-02 16:15 - 00000000 ____D C:\Users\todd\AppData\Local\CrashDumps
2013-05-10 08:44 - 2011-02-12 16:15 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1779651558-3728973907-1540447641-1000Core.job
2013-05-06 19:30 - 2011-03-07 17:53 - 00000454 ___AH C:\Windows\Tasks\Bandit Signs 1299549180.job
2013-05-06 03:09 - 2011-02-14 16:21 - 01088762 ____A C:\Windows\PFRO.log
2013-05-06 03:07 - 2011-07-02 04:05 - 00000000 ____D C:\Users\todd\AppData\Roaming\ID Vault
2013-05-03 10:59 - 2011-03-01 18:05 - 00000000 ____D C:\Users\todd\AppData\Local\Intuit
2013-05-03 10:46 - 2011-07-02 18:22 - 00000000 ____D C:\Users\todd\AppData\Local\Kobo
2013-05-03 09:09 - 2013-05-03 09:09 - 00001073 ____A C:\Users\todd\Desktop\Documents.lnk
2013-05-03 09:06 - 2013-05-03 08:54 - 00000000 ____D C:\Users\todd\Documents\Bank Statements
2013-05-02 09:49 - 2013-05-02 09:49 - 04308992 ____A C:\Users\todd\Desktop\Rental Properties-2013-05-02.QDF-backup
2013-05-01 22:06 - 2011-02-12 12:31 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-29 15:24 - 2013-04-25 13:11 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-04-25 11:11 - 2013-04-25 11:11 - 00001415 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\ProgramData\Symantec
2013-04-25 11:11 - 2013-04-25 11:11 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-04-25 11:11 - 2011-02-24 16:41 - 00000000 ____D C:\ProgramData\Norton
2013-04-25 10:39 - 2013-04-25 10:39 - 00001016 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\Users\todd\AppData\Roaming\RealNetworks
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\ProgramData\RealNetworks
2013-04-25 10:39 - 2013-04-25 10:39 - 00000000 ____D C:\Program Files\RealNetworks
2013-04-25 10:38 - 2013-04-25 10:38 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-04-25 10:38 - 2013-04-25 10:38 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-04-25 10:38 - 2012-08-08 05:59 - 00000000 ____D C:\Program Files\Real
2013-04-25 10:38 - 2012-08-08 05:56 - 00000000 ____D C:\ProgramData\Real
2013-04-25 10:38 - 2003-03-18 17:14 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
2013-04-25 10:38 - 2003-02-21 01:42 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll
2013-04-25 10:37 - 2013-04-25 10:37 - 00000000 ____D C:\Users\todd\AppData\Local\Real
2013-04-18 12:16 - 2013-04-18 12:16 - 00000001 ____A C:\ProgramData\S4Ve2bIv.exe_.b
2013-04-18 12:16 - 2013-04-18 12:16 - 00000001 ____A C:\ProgramData\S4Ve2bIv.exe.b
2013-04-18 12:16 - 2013-04-18 12:16 - 00000000 ____A C:\ProgramData\GEP64d.dat
2013-04-12 22:34 - 2012-08-29 12:17 - 00000000 ____D C:\Program Files\Inbox Toolbar
2013-04-12 05:45 - 2013-04-24 00:43 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
 
ZeroAccess:
C:\Users\todd\AppData\Local\Temp\sipeyvi\sxyxuob\wow.dll
 
Other Malware:
===========
C:\ProgramData\GEP64d.dat
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-04-10 23:00:25
Restore point made on: 2013-04-11 04:17:53
Restore point made on: 2013-04-16 14:37:31
Restore point made on: 2013-04-17 04:18:48
Restore point made on: 2013-04-18 04:18:53
Restore point made on: 2013-04-23 01:27:16
Restore point made on: 2013-04-23 04:45:08
Restore point made on: 2013-04-24 23:00:23
Restore point made on: 2013-04-25 04:45:10
Restore point made on: 2013-04-26 01:01:32
Restore point made on: 2013-04-26 04:45:07
Restore point made on: 2013-04-28 04:45:35
Restore point made on: 2013-04-30 00:57:53
Restore point made on: 2013-04-30 04:45:46
Restore point made on: 2013-05-03 03:35:16
Restore point made on: 2013-05-03 05:07:30
Restore point made on: 2013-05-07 03:55:33
Restore point made on: 2013-05-07 04:03:21
Restore point made on: 2013-05-10 04:04:20
Restore point made on: 2013-05-11 04:04:07
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {676c4f88-29c5-11e0-877c-f18c7d05ef0a}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {299f98ae-34bb-11e0-866c-da7415ba1e0b}
device                  partition=C:
path                    \$WINDOWS.~BT\Windows\system32\winload.exe
description             Windows ™ Code Name "Longhorn" Preinstallation Environment (recovered) 
locale                  en-US
osdevice                partition=C:
systemroot              \$WINDOWS.~BT\Windows
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {299f98af-34bb-11e0-866c-da7415ba1e0b}
device                  ramdisk=[C:]\Recovery\676c4f86-29c5-11e0-877c-f18c7d05ef0a\Winre.wim,{299f98b0-34bb-11e0-866c-da7415ba1e0b}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment (recovered) 
locale                  
osdevice                ramdisk=[C:]\Recovery\676c4f86-29c5-11e0-877c-f18c7d05ef0a\Winre.wim,{299f98b0-34bb-11e0-866c-da7415ba1e0b}
systemroot              \windows
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {676c4f86-29c5-11e0-877c-f18c7d05ef0a}
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {676c4f8a-29c5-11e0-877c-f18c7d05ef0a}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {676c4f88-29c5-11e0-877c-f18c7d05ef0a}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {676c4f8a-29c5-11e0-877c-f18c7d05ef0a}
 
Resume from Hibernate
---------------------
identifier              {676c4f88-29c5-11e0-877c-f18c7d05ef0a}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {299f98b0-34bb-11e0-866c-da7415ba1e0b}
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\676c4f86-29c5-11e0-877c-f18c7d05ef0a\boot.sdi
 
Device options
--------------
identifier              {676c4f87-29c5-11e0-877c-f18c7d05ef0a}
description             Ramdisk Options
ramdisksdidevice        unknown
ramdisksdipath          \Recovery\676c4f86-29c5-11e0-877c-f18c7d05ef0a\boot.sdi
 
Device options
--------------
identifier              {676c4f8b-29c5-11e0-877c-f18c7d05ef0a}
description             Ramdisk Options
ramdisksdidevice        unknown
ramdisksdipath          \Recovery\676c4f8a-29c5-11e0-877c-f18c7d05ef0a\boot.sdi
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 13%
Total physical RAM: 3893.08 MB
Available physical RAM: 3374.95 MB
Total Pagefile: 3891.36 MB
Available Pagefile: 3383.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.6 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.78 GB) (Free:147.13 GB) NTFS
Drive e: (GSP1RMCHPFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
Drive f: (HITMANPRO) (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 54A1BF52)
Partition 1: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 8EBFFF2B)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
 
Last Boot: 2013-05-07 11:48
 
==================== End Of Log ============================
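As an added triage example, not part of this thread and not FRST's own code: a small Python parser for the "One Month Modified" line format in the log above, with a few heuristic rules (my assumptions, not FRST's detection logic) that surface the kind of entries the Farbar fix targeted, such as the three identically named 2433f433 files and the DLL dropped in Documents. The sample lines are copied from the log above; the rule names and thresholds are constructed for illustration.

```python
"""Triage an FRST 'One Month Modified' listing for dropper-style indicators."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# FRST line shape: <modified> - <created> - <size> <attrs> [(company)] <path>
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+?)\s*$"
)

# Constructed sample: lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
2013-05-11 19:42 - 2013-05-11 19:42 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-10 17:12 - 2013-05-10 17:12 - 01096053 ____A C:\Users\todd\AppData\Local\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096028 ____A C:\Users\todd\AppData\Roaming\2433f433
2013-05-10 17:12 - 2013-05-10 17:12 - 01096005 ____A C:\ProgramData\2433f433
2013-05-10 17:11 - 2013-05-10 17:11 - 00030208 ____A C:\Users\todd\Documents\5ff47bdf.dll
2013-04-25 10:38 - 2003-03-18 17:14 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
2013-04-18 12:16 - 2013-04-18 12:16 - 00000001 ____A C:\ProgramData\S4Ve2bIv.exe_.b
2013-04-18 12:16 - 2013-04-18 12:16 - 00000000 ____A C:\ProgramData\GEP64d.dat
2013-05-11 15:41 - 2013-05-11 15:41 - 00000000 ____D C:\FRST
"""


@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str      # five-char flag field, e.g. ____A, ___AH, ____D
    company: str    # file-version company string, empty if FRST printed none
    path: str


def parse(text: str) -> List[Entry]:
    """Return one Entry per line that matches the FRST listing format."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["modified"], m["created"], int(m["size"]),
                                 m["attrs"], m["company"] or "", m["path"]))
    return entries


# Heuristic rule inputs (assumptions for this example, not FRST's own logic).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\documents\\", "\\temp\\")
CODE_IN_USER_DIRS = ("\\documents\\", "\\temp\\")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage(text: str) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of rules it tripped."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_name: Dict[tuple, List[str]] = defaultdict(list)
    for e in parse(text):
        low = e.path.lower()
        if "D" in e.attrs or not any(tok in low for tok in USER_WRITABLE):
            continue  # directories and system locations are out of scope here
        name = ntpath.basename(e.path)
        stem, ext = ntpath.splitext(name)
        ext = ext.lower()
        if HEX_NAME.match(stem) and ext in ("", ".dll", ".exe"):
            findings[e.path].append("random 8-hex-char name in user-writable location")
        if ext in (".dll", ".exe", ".sys") and any(tok in low for tok in CODE_IN_USER_DIRS):
            findings[e.path].append("executable code dropped in Documents/Temp")
        if ext == ".b":
            findings[e.path].append("'.b' suffix, unusual for a legitimate file")
        # Same basename written to several user-writable dirs in the same minute
        by_name[(name.lower(), e.modified)].append(e.path)
    for (name, when), paths in by_name.items():
        if len(paths) >= 2:
            for p in paths:
                findings[p].append(
                    "same name '%s' dropped in %d locations at %s" % (name, len(paths), when))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

These rules produce leads for a human to check, not verdicts: GEP64d.dat, which FRST itself listed under "Other Malware", matches none of them, and a legitimate updater can also write oddly named files into ProgramData. The point is to make the triplet pattern (one dropper copied to ProgramData, AppData\Local and AppData\Roaming within the same minute) and the DLL in a user's Documents folder stand out from the hundreds of benign lines around them.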


#3 Maveej

Posted 12 May 2013 - 12:28 PM

Update*

I performed another Farbar fix on the ZeroAccess and Other Malware listed above. These appeared the first time I performed this, so I figured I was stuck at that point. After attempting a second shot, I have now been able to boot into safe mode/command prompt. However, I am not able to perform any commands without the machine shutting down after entering a command.

 

Example... "control.exe" will cause the machine to shut down while @ c:\windows\system32\


Edited by Maveej, 12 May 2013 - 12:28 PM.


#4 Maveej

Posted 12 May 2013 - 12:39 PM

Update*

Without using control.exe for a graphical UI, I instead used CMD to add a new user, which worked. Now performing malware removal scans.

 

This thread can be deleted if Moderators find it to be redundant with other content.  I believed I was running into a brick wall.
