TechSpot

Svchost.exe trojan.agent malware removal help?

By rwhite1954
Apr 2, 2012
  1. Malwarebytes is detecting 2 trojan.agent items tied to c:\windows\svchost.exe. When I select to remove it via Malwarebytes, it tries to remove it, but after rebooting, the windows\svchost.exe file is still there, and a Malwarebytes scan detects it again.

    Sure hope someone can help me get this removed.

    AV, Malware & DDS logs coming in next post.

    Thanks in advance for any help that you can provide!
  2. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Malwarebytes log

    Malwarebytes Anti-Malware (PRO) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.02.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Ryan :: RYAN-HP [administrator]

    Protection: Enabled

    4/1/2012 10:02:43 PM
    mbam-log-2012-04-01 (22-02-43).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 189974
    Time elapsed: 2 minute(s), 58 second(s)

    Memory Processes Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> 4484 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

    (end)
  3. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    DDS logs

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Ryan at 23:19:56 on 2012-04-01
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.2076 [GMT -5:00]
    .
    AV: Norton 360 Premier Edition *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton 360 Premier Edition *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k WbioSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Windows\SysWOW64\ezSharedSvcHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccSvcHst.exe
    C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccSvcHst.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
    -netsvcs
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe
    C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
    C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.yahoo.com/?_bc=1
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\IPS\IPSBHO.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [<NO NAME>]
    mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
    mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{2F506DBF-52B8-468F-B465-5D8E1A207FE8} : DhcpNameServer = 150.100.2.6
    TCP: Interfaces\{8F29B21D-9C19-45BA-A762-2D1D333A7290} : DhcpNameServer = 192.168.1.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
    BHO-X64: Symantec NCO BHO - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\IPS\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    BHO-X64: TSBHO Class - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [(Default)]
    mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
    mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    SEH-X64: EasyBits ShellExecute Hook: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
    R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
    R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [2012-3-17 1157240]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120330.002\IDSviA64.sys [2012-3-30 488568]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [?]
    R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-10-15 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
    R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-8-29 514232]
    R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-18 265544]
    R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
    R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-2-28 92216]
    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
    R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
    R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-10-15 2375168]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-1 652360]
    R2 N360;Norton 360;C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccsvchst.exe [2012-4-1 130008]
    R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
    R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\amdhub30.sys --> C:\Windows\system32\DRIVERS\amdhub30.sys [?]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\amdxhc.sys --> C:\Windows\system32\DRIVERS\amdxhc.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-4-1 138360]
    R3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-04-02 03:13:59 20480 ------w- C:\Windows\svchost.exe
    2012-04-02 02:14:20 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
    2012-04-02 00:55:26 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Malwarebytes
    2012-04-02 00:55:18 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-04-02 00:55:17 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-04-02 00:55:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-04-02 00:30:03 912504 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\symefa64.sys
    2012-04-02 00:30:03 450680 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\symds64.sys
    2012-04-02 00:30:03 386168 ----a-w- C:\Windows\System32\drivers\N360x64\0502000.00D\symnets.sys
    2012-04-02 00:30:02 744568 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\srtsp64.sys
    2012-04-02 00:30:02 40568 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\srtspx64.sys
    2012-04-02 00:30:02 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\ironx64.sys
    2012-04-02 00:29:54 -------- d-----w- C:\Windows\System32\drivers\N360x64\0502000.00D
    2012-04-02 00:19:30 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2012-04-02 00:19:27 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
    2012-04-02 00:19:27 -------- d-----w- C:\Program Files\Symantec
    2012-04-02 00:19:27 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
    2012-04-02 00:19:15 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
    2012-04-02 00:19:15 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
    2012-04-02 00:18:18 -------- d-----w- C:\Windows\System32\drivers\N360x64
    2012-04-02 00:18:03 -------- d-----w- C:\Program Files (x86)\Norton 360 Premier Edition
    2012-04-02 00:14:48 -------- d-----w- C:\ProgramData\PCSettings
    2012-04-02 00:12:51 -------- d-----w- C:\Users\Ryan\AppData\Local\AMD
    2012-04-02 00:07:53 -------- d-----w- C:\Users\Ryan\AppData\Local\ATI
    2012-04-02 00:06:50 -------- d-----w- C:\Users\Ryan\AppData\Roaming\hpqLog
    2012-04-02 00:06:43 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Synaptics
    2012-04-02 00:05:44 -------- d-----w- C:\Users\Ryan\AppData\Local\RemEngine
    2012-04-02 00:00:48 -------- d-----w- C:\Users\Ryan\AppData\Local\Hewlett-Packard
    2012-04-02 00:00:18 -------- d-----w- C:\Users\Ryan\AppData\Local\Hewlett-Packard_Company
    2012-04-02 00:00:00 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-04-02 00:00:00 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-04-02 00:00:00 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-04-01 23:59:58 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-04-01 23:59:58 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-04-01 23:59:58 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-04-01 23:59:58 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-04-01 23:56:08 -------- d-----w- C:\Users\Ryan\AppData\Local\VirtualStore
    .
    ==================== Find3M ====================
    .
    2012-04-02 01:43:20 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    .
    ============= FINISH: 23:20:35.71 ===============
  4. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    DDS Attach file

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/1/2012 6:55:38 PM
    System Uptime: 4/1/2012 10:24:07 PM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 358B
    Processor: AMD A8-3500M APU with Radeon(tm) HD Graphics | Socket FS1 | 1500/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 449 GiB total, 421.042 GiB free.
    D: is FIXED (NTFS) - 17 GiB total, 1.857 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP3: 4/1/2012 6:58:34 PM - First_User_Boot
    RP4: 4/1/2012 7:06:53 PM - Windows Update
    RP5: 4/1/2012 8:42:19 PM - Installed Java(TM) 6 Update 31
    .
    ==== Installed Programs ======================
    .
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 10 ActiveX
    Adobe Reader X MUI
    Adobe Shockwave Player 11.5
    Agatha Christie - Peril at End House
    AMD System Monitor
    AMD VISION Engine Control Center
    Bejeweled 2 Deluxe
    Bejeweled 3
    Bing Bar
    Blackhawk Striker 2
    Blasterball 3
    Blio
    Bounce Symphony
    Build-a-lot 2
    Cake Mania
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Chuzzle Deluxe
    CyberLink YouCam
    D3DX10
    Diner Dash 2 Restaurant Rescue
    Dora's World Adventure
    Energy Star Digital Logo
    ESU for Microsoft Windows 7
    Evernote v. 4.2.2
    Farm Frenzy
    FATE - The Traitor Soul
    HP Connection Manager
    HP Customer Experience Enhancements
    HP DVB-T TV Tuner 8.0.64.43
    HP Games
    HP MovieStore
    HP On Screen Display
    HP Power Manager
    HP Quick Launch
    HP Setup
    HP Setup Manager
    HP SimplePass 2011
    HP Software Framework
    HP Support Assistant
    HPAsset component for HP Active Support Library
    IDT Audio
    Java Auto Updater
    Java(TM) 6 Update 31
    Junk Mail filter update
    Magic Desktop
    Mah Jong Medley
    Malwarebytes Anti-Malware version 1.60.1.1000
    Mesh Runtime
    Microsoft Office 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WSE 3.0 Runtime
    MSVCRT
    MSVCRT_amd64
    Mystery P.I. - Stolen in San Francisco
    Namco All-Stars PAC-MAN
    Norton 360 Premier Edition
    Penguins!
    Plants vs. Zombies - Game of the Year
    PlayReady PC Runtime x86
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    Ralink RT5390 802.11b/g/n WiFi Adapter
    Realtek Ethernet Controller Driver
    Realtek PCIE Card Reader
    Recovery Manager
    RoxioNow Player
    Slingo Supreme
    Update Installer for WildTangent Games App
    Virtual Villagers 4 - The Tree of Life
    Wheel of Fortune 2
    WildTangent Games App (HP Games)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Zuma Deluxe
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/1/2012 9:08:59 PM, Error: Service Control Manager [7034] - The HP Client Services service terminated unexpectedly. It has done this 1 time(s).
    4/1/2012 9:08:54 PM, Error: Service Control Manager [7034] - The TrueSuiteService service terminated unexpectedly. It has done this 1 time(s).
    4/1/2012 8:03:37 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002f9316a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040112-44226-01.
    4/1/2012 7:48:27 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the N360 service.
    4/1/2012 10:13:43 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    .
    ==== End Of File ===========================
  5. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    GMER = clean

    Forgot to mention that GMER didn't find anything, so it was an empty log.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you have any antivirus program before you added Norton on 4/2/2012?

    Are you having or noticing any system problems at this time?

    Do you understand that svchost.exe is also a legitimate process and you may observe multiple svchost.exe in the Task Manager (I usually have 7-9)? But malware can also hide in the name so we look further.

    The more information I have from you, the easier it is to help.
    =================================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    Threads are closed after 5 days if there is no reply.
    ===================================
    Please leave the logs in your next reply.
  7. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Problems experiencing...

    Bobbye, many thanks for the quick response!

    This is my son's laptop, which we gave him new at Christmas. It had Norton Antivirus activated on it at that time, but that very likely could have been a 60-day trial version that may have expired sometime in February; I don't know for sure.

    He had what I'm assuming was a malware "fake" antivirus notification pop up and hit the "fix it" button, which launched off multiple repeat windows and basically rendered his laptop unusable - eventually driving it to a "blue screen" when trying to shut down.

    I managed to get it rebooted in Safe Mode, and did a "recover to factory condition" option, which deleted all prior installed software and restored it to the condition it was in when new. After the restore, the laptop appeared to be working ok, but when I put Malwarebytes Pro on and ran the scan, it detected the Trojan.Agent in svchost.exe.

    Malwarebytes now frequently pops up a message stating that it blocks malicious outgoing traffic to IP addresses 89.114.9.96 & 89.114.9.97. It also occasionally pops up another Trojan.Agent detection message providing the option to quarantine the malware.

    I realize that svchost.exe is also a valid Windows application. However, the valid Windows application is in the Windows/System32 folder. The rogue application is in the Windows folder (not Windows/System32). The rogue application also is made to appear as if it was created/modified at the same time/date as the valid "Windows/System32/svchost.exe", but the properties on the rogue application state a create date of "4/1/2012".

    I can identify the rogue svchost.exe process and, if I'm quick enough, I can halt the process and delete the rogue application. However, the process somehow starts back up again and the application appears in the c:\Windows folder.

    Not sure how the virus survived the "restore to factory condition" option, other than I'm guessing that option didn't perform a full reformatting of the hard drive and OS install?

    Hope the additional info helps. Thanks for the additional steps to follow. I'll be available to run them later on tonight and will post the results. If any additional questions, let me know.

    Many thanks again for all the help!
  8. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Task Manager info for Svchost.exe rogue service.

    Forgot to add that the rogue svchost.exe service appears in Task Manager as "svchost.exe *32", and when I also display the Image Path Name and Command Line columns in the Task Manager view, this rogue service shows:

    Image Path Name of "c:\Windows\svchost.exe" (other valid svchost services show "c:\Windows\System32\svchost.exe").

    Command Line of "-netsvcs" (other valid svchost services list a command line of "c:\windows\system32\svchost.exe -k .......").

    The rogue service description also lists "winrscmde".

    Will be downloading your recommended utilities and posting results in an hour or so. Thanks!
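The distinguishing marks described in the two posts above (an image path outside System32/SysWOW64 and a command line without a "-k <group>" argument) can be checked mechanically rather than by eye in Task Manager. The PowerShell below is an added example, not code from the thread or from any of the tools it mentions; the function name Test-SvchostProcess and the two sample process records are constructed for illustration.

```powershell
# Added example (not from the thread): flag svchost.exe processes whose image path or
# command line does not match the genuine Windows service host.
# A genuine svchost.exe lives in %SystemRoot%\System32 (or SysWOW64 for the 32-bit copy,
# which Task Manager shows as "svchost.exe *32") and is started with "-k <group>".
# The rogue copy in this thread sat in C:\Windows and ran with a bare "-netsvcs".

function Test-SvchostProcess {
    [CmdletBinding()]
    param(
        # Accepts any object with Name, ProcessId, ExecutablePath and CommandLine
        # (the shape of Win32_Process), so it works on live processes or a saved listing.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Process
    )
    process {
        if ($Process.Name -ne 'svchost.exe') { return }

        $allowedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
        $path = $Process.ExecutablePath
        $dir  = if ($path) { Split-Path -Parent $path } else { $null }

        $reasons = @()
        if (-not $dir) {
            # Empty path usually means the query was not elevated; still worth a look.
            $reasons += 'no executable path (access denied or process exited)'
        } elseif ($allowedDirs -notcontains $dir) {
            $reasons += "unexpected image directory '$dir'"
        }
        if ($Process.CommandLine -notmatch '(^|\s)-k\s+\S+') {
            $reasons += "command line lacks '-k <group>': $($Process.CommandLine)"
        }

        [pscustomobject]@{
            ProcessId   = $Process.ProcessId
            Path        = $path
            CommandLine = $Process.CommandLine
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Live check against running processes (run from an elevated prompt so paths are readable).
Get-CimInstance Win32_Process | Test-SvchostProcess | Where-Object Suspicious | Format-List

# Constructed sample records mirroring the two cases in the thread, for an offline run.
$sample = @(
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 752;  ExecutablePath = "$env:SystemRoot\System32\svchost.exe"; CommandLine = "$env:SystemRoot\System32\svchost.exe -k netsvcs" },
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 4484; ExecutablePath = "$env:SystemRoot\svchost.exe";          CommandLine = '-netsvcs' }
)
$sample | Test-SvchostProcess | Format-Table ProcessId, Suspicious, Reasons -AutoSize
```

Only the second sample record is reported as suspicious, on both counts; a hit on a real machine is a reason to pull the file for a hash and signature check, not proof on its own.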
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The IP 89.114.9.96 is a site in Romania. If it's incoming, something is trying to access the system. If it's outgoing, something in the system is trying to access the remote server. Either way, Malwarebytes is acting correctly by blocking it.

    If your son hit FIX on the popup, he most likely activated malware.
    ========================================
    Since we are now trying to find and remove the malware, please don't do any restores. We will work with what is on the system now. Once you run Combofix and the Eset scan, I'll have more to go on.

    Additionally, let the svchost.exe processes run. We need to find it to remove it. Here's the bad guy: 2012-04-02 03:13:59 20480 ------w- C:\Windows\svchost.exe

    But we have to find what's generating it.

    There is a possibility you need to be aware of: if the malware had a Backdoor in it, that could be why it survived the factory reset. If that turns out to be correct, it's possible the system has been compromised.

    Be sure that Norton is disabled when you run Combofix so we get a good scan.
    =============================
    Are you only able to boot into Safe Mode, not Normal Mode? If Yes, make sure it's Safe Mode with Networking. I believe that will allow the Recovery Console in Combofix and it will be best to get that on the system.
  10. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Combofix & ESET Results

    I tried Combofix and it got hung up after completing step 4. I let it go for hours (actually overnight), but the cursor remained blinking after stating that it completed Step 4.

    I finally closed it this morning. When I downloaded it, a warning message popped up at the bottom of my screen stating it was a potentially harmful program, and gave me 2 options - delete the program, or allow it to remain, but don't allow it to launch. I chose the latter, and it appeared to download to the desktop just fine.

    I also disabled Norton 360 Antivirus Auto Protect and Malwarebytes protection settings via right-clicking on the systray icons for both. However, when I launched Combofix, it stated that Norton 360 scanning options were still enabled. So, I went into Norton 360 and turned off a couple of additional scanning settings. I also tried to exit out of the Combofix pop-up message, thinking it might halt Combofix, but Combofix proceeded and I didn't want to stop it.

    End result = Combofix continued running, but never completed after running for hours.

    After ending Combofix this morning, I did run ESET. Here are the results of the ESET text file:
    C:\Users\Ryan\AppData\Local\Temp\Av-test.txt Eicar test file

    2 other pieces of relevant information....

    I CAN boot up to the regular Windows (not just Safe mode). You had asked about that. When I did the original "restore to factory settings" in recovery mode, the system booted up fine and seemed fine (other than Malwarebytes detecting the problems). If I hadn't installed Malwarebytes Pro and enabled protect mode, I likely wouldn't have found anything wrong. FYI, Malwarebytes continues to periodically block outgoing traffic to the 2 IP addresses I posted to you earlier.

    Also, Windows Update downloaded updates and forced a restart on me yesterday (prior to me doing anything with Combofix & ESET). One of the items it installed was "Windows Malicious Software Removal Tool - KB890830". After rebooting, that tool launched automatically and popped up a results box that stated it detected "Trojan:DOS/Alureon.A" and said it partially removed it, followed by this recommendation. FYI, I didn't perform any of these steps; I will wait for your advice:

    This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:

    bootrec /fixmbr

    bootrec /fixboot

    bootrec /rebuildbcd

    For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".
  11. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    TDSSKiller & MBRCheck Results

    Ran TDSSKiller as instructed. There wasn't an option called "Quarantine", but there was an option called "Copy to Quarantine". I selected that option, but it didn't require a reboot as you alluded to. So, I reran the TDSSKiller scan and selected "Cure". After running "Cure", it prompted for a reboot.

    After reboot, I reran MBRCheck. Here are the results from MBRCheck:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: Service Pack 1 (build 7601), 64-bit
    Base Board Manufacturer: Hewlett-Packard
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP Pavilion dv6 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 218):

    Processes (total 86):

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000070`2d200000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS547550A9E384, Rev: JE3OA50A

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
  12. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Appears to be fixed!

    After the TDSSKiller run & reboot, it appears it took care of the virus. The c:\windows\svchost.exe application is gone, the rogue svchost.exe process no longer shows up in task manager.

    Malwarebytes, Norton360 and TDSSKiller scans all come up clean. I'm assuming this thing is finally blasted!

    Anything else you can think of for me to do?

    Many thanks for all the help - much appreciated!
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. You're looking up! But we're not quite through yet. There is some reason why Combofix isn't completing:

    Let's double check this: Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    ============================================
    You can just delete this file from Eset. It's not malware:
    C:\Users\Ryan\AppData\Local\Temp\Av-test.txt Eicar test file
    ============================================
    I'd really like to get this to run- try one more time:

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode. If it won't run, go on to #2.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    3. See which one of the following runs. You do not need to download all three versions:
    This is a slight variation on the RKill:
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy of Bleeping Computer)

    4. With both RKill and exehelper on board:
    Go right to the renamed (Combofix) and double click on friday.exe to run
    If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
  14. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Bootkit Remover results

    Thanks for the extra suggestions. I downloaded and ran bootkit remover, and looks like it is still detecting something. Logs posted below. I didn't try to take any further actions on this item - will wait for your advice on next steps.

    I will also try the other things you asked for and post them after they run.

    Here's bootkit remover results:
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  15. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    rkill.com results

    rkill.com ran successfully. You didn't ask for the log, but here it is in case you needed it. Exehelper log results also listed below. Thought I would post these prior to trying the Combofix run again.

    rkill.com results:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 04/09/2012 at 20:01:49.
    Operating System: Windows 7 Home Premium


    Processes terminated by Rkill or while it was running:



    Rkill completed on 04/09/2012 at 20:02:04.

    =======================================================
    Also, here's the exehelper log results:

    exeHelper by Raktor
    Build 20100414
    Run at 20:06:01 on 04/09/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
  16. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Combofix log

    Combofix completed successfully! Here is the Combofix log:

    ComboFix 12-04-09.06 - Ryan 04/09/2012 20:17:44.4.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.2136 [GMT -5:00]
    Running from: c:\users\Ryan\Desktop\friday.exe
    AV: Norton 360 Premier Edition *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton 360 Premier Edition *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-10 01:30 . 2012-04-10 01:30 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-09 02:03 . 2012-04-09 02:03 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
    2012-04-09 02:03 . 2012-04-09 02:03 -------- d-----w- c:\windows\SHELLNEW
    2012-04-09 02:02 . 2012-04-09 02:15 -------- d-----w- c:\programdata\Microsoft Help
    2012-04-09 02:01 . 2012-04-09 02:01 -------- d-----r- C:\MSOCache
    2012-04-09 00:52 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-09 00:52 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-04-09 00:52 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-09 00:50 . 2012-04-09 00:51 -------- d--h--w- c:\windows\AxInstSV
    2012-04-08 23:11 . 2012-04-08 23:11 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-02 21:34 . 2012-04-02 21:34 -------- d-----w- c:\windows\SysWow64\Wat
    2012-04-02 21:34 . 2012-04-02 21:34 -------- d-----w- c:\windows\system32\Wat
    2012-04-02 13:12 . 2012-04-02 13:12 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2012-04-02 11:55 . 2012-04-02 11:55 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
    2012-04-02 11:46 . 2011-07-16 05:41 362496 ----a-w- c:\windows\system32\wow64win.dll
    2012-04-02 02:14 . 2012-04-02 02:14 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
    2012-04-02 01:46 . 2012-04-02 01:46 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-04-02 01:43 . 2012-04-02 01:43 -------- d-----w- c:\program files (x86)\Java
    2012-04-02 00:55 . 2012-04-02 00:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-04-02 00:55 . 2012-04-02 00:55 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-04-02 00:55 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-02 00:19 . 2010-08-21 03:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-04-02 00:19 . 2012-04-02 00:19 -------- d-----w- c:\program files\Symantec
    2012-04-02 00:19 . 2012-04-02 00:19 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
    2012-04-02 00:19 . 2012-04-02 00:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-04-02 00:19 . 2010-08-21 03:59 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
    2012-04-02 00:19 . 2010-08-21 03:59 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2012-04-02 00:18 . 2012-04-08 22:59 -------- d-----w- c:\windows\system32\drivers\N360x64
    2012-04-02 00:18 . 2012-04-02 00:18 -------- d-----w- c:\program files (x86)\Norton 360 Premier Edition
    2012-04-02 00:14 . 2012-04-02 00:14 -------- d-----w- c:\programdata\PCSettings
    2012-04-02 00:00 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-02 00:00 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-02 00:00 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-01 23:59 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-04-01 23:59 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-04-01 23:59 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-01 23:59 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-04-01 23:55 . 2012-04-05 11:40 -------- d-----w- c:\users\Ryan
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-02 01:43 . 2011-08-30 01:42 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-04-01 23:57 . 2010-06-24 18:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
    "HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
    "Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]
    "HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-27 318520]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks"= 1 (0x1)
    .
    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502010.003\SYMDS64.SYS [x]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502010.003\SYMEFA64.SYS [x]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-04-02 1160824]
    S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120406.002\IDSvia64.sys [2012-03-30 488568]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502010.003\Ironx64.SYS [x]
    S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502010.003\SYMNETS.SYS [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
    S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
    S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-28 92216]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 N360;Norton 360;c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccSvcHst.exe [2011-04-17 130008]
    S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [x]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-04-02 138360]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-11 1128448]
    "Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
    AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
    "ImagePath"="\"c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\ezSharedSvcHost.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
    c:\program files (x86)\Internet Explorer\IELowutil.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-09 20:52:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-10 01:52
    .
    Pre-Run: 447,268,327,424 bytes free
    Post-Run: 446,879,821,824 bytes free
    .
    - - End Of File - - E8B1D5E09155379E477BC468F867F59D
  17. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Steps completed...

    I think I left you posts with all the things you needed - Bootkit, rkill, exehelper & combofix logs.

    Bootkit logs appeared to detect a rootkit, but as I mentioned in that post, I didn't take any further action that it suggested yet. Will wait for your advice on any next steps.

    Can't thank you enough for all the help you've been providing! Very much appreciated.

    Let me know if any further suggestions!
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome- glad to help!

    Good we ran Bootkit; it always helps to be sure. Go ahead and run the following. I'll review Combofix after lunch.

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START boot cleaner.exe fix  \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run bootkit.exe again and post its output.
    =========================================
    Be sure and let me know if there are any changes in the system- good or bad!
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Combofix looks pretty good. There is one Service that you might want to check and make sure it's on Manual Startup Type, not Automatic.

    This is a hidden Service, so you will need to show hidden files first:
    Show Hidden Files and Folders in Windows Vista and Windows 7:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
    • Next, uncheck the box next to Hide protected operating system files (Recommended)
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK

    Then click on Start > Run > type in services.msc > Enter > find this Service:
    ActiveX Installer (AxInstSV) > Set to Manual in Windows 7 Home Premium

    There are 3 dependencies, but you will most likely already have them running:
    Remote Procedure Call
    DCOM Server Process Launcher
    RPC Endpoint Mapper
    These 3 Services should be set to Automatic Startup.

    Please be sure to re-hide the files and folders.
    ====================================
    I do have a question: there are the following 2 Registry entries:
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks"= 1 (0x1)
    .
    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    I noticed you did Some work with Microsoft on 4/9/2012:
    c:\program files (x86)\Microsoft Analysis Services
    c:\windows\SHELLNEW
    c:\programdata\Microsoft Help
    C:\MSOCache (this one might be after Office install)
    Do you know if the registry entries are policy settings from that?
    =====================================
    Are there any remaining problems?
  20. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    remover.exe fix

    I created the fix.bat file - copying in the code you had in your code box and saving it as a batch file.

    When I run it, the black box appears, then quickly goes away. But I'm not sure it's doing what you hoped it would do. After the black box disappears, it opens an Explorer window at the C:\windows\system32\boot folder.

    When I re-run boot_cleaner.exe, the logs still show the rootkit in the MBR. Here are the logs:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
    ======================================================
  21. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    Answers to additional questions

    You had asked about a couple of registry entries from combofix.

    After I thought we had things cleaned, I went ahead and re-installed MS Office 2010 (sorry about that, I jumped the gun in thinking we had things completely cleaned up a few days ago :-( ). Not sure if that's what those 2 registry entries can be attributed to or not.

    I also followed your instructions to verify that ActiveX Installer service was set to Manual startup.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It wasn't my instruction to run TDSSKiller or MBR Check; you did that on your own. And there is a contradiction here:

    "After the TDSSKiller run & reboot, it appears it took care of the virus.

    Malwarebytes, Norton360 and TDSSKiller scans all come up clean. I'm assuming this thing is finally blasted!"
    -----------------------------
    I'd like you to run the Bootkit scans and fix again:
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users,right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    ==================================================
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START boot cleaner.exe fix  \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run bootkit.exe again and post its output.

    Looks like one of the slashes in the fix may have been parsed away.
  23. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    bootkit remover results

    I apologize if I ran something I wasn't supposed to. Definitely appreciate you sticking with this and helping me out!

    Here are the results of the bootkit remover execution (after running this, I'll copy in and run the .bat file and post those results).

    Bootkit remover results
    ===================================
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, let's see if we can get it this time:

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START boot cleaner.exe fix  \ \.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run bootkit.exe again and post its output.
  25. rwhite1954

    rwhite1954 TS Rookie Topic Starter Posts: 30

    fix.bat and subsequent bootcleaner results

    Thanks for all the patience, and the quick responses!

    I created the fix.bat file and ran it. However, all it did was open up a File Explorer window pointing to the windows\system32\boot folder. I think I figured out what was happening. In the code I copied over from the code box, it referenced "boot cleaner.exe". I think anything after the space following "boot" was getting ignored.

    I changed it to "boot_cleaner.exe" in my fix.bat file and it ran the bootcleaner fix that time. I'm posting the results of the fix.bat run and the subsequent bootcleaner run that I ran after a reboot (the fix.bat run recommended an immediate reboot).
    =====================================
    fix.bat run results:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000
    Restoring boot code at \\.\PhysicalDrive0...
    ATA_Write(): DeviceIoControl() ERROR 1
    ERROR: Can't write first sector of the disk.

    Done;
    Press any key to quit...
    ============================================
    After a reboot, here's the results of the subsequent boot_cleaner run:
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...

    =============================================
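Bootkit Remover's output above keeps saying "Controlled by rootkit!" and offers `remover.exe dump <device_name> [output_file]` for inspecting the boot code manually, but the thread never shows what "inspecting" a dumped sector involves. The following is an added example, not code from the thread, from Esage Lab or from any tool mentioned here. It parses a 512-byte master boot record the way a responder would: verify the 55 AA signature, decode the four partition-table entries, fingerprint the 440-byte boot-code area so it can be compared against a sector taken from clean media, and cross-check the table against the volume offset the tool printed (0x0c800000 bytes, which is LBA 409600). The sample sector is constructed for the demo; its boot-code bytes, disk signature and partition sizes are invented. `load_sector()` is an assumed helper that reads a dump file or, with admin rights on Windows, the raw device path. One caveat: when a bootkit filters disk reads, the sector the running OS returns may already be the faked one, so the comparison is only meaningful against a dump taken from outside the infected OS (a boot CD or the drive mounted in another machine).

```python
"""Parse and sanity-check a 512-byte MBR dump (added example, constructed data)."""
import hashlib
import struct
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 zero bytes
PTABLE_OFF = 446         # four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, size
MBR_SIGNATURE = 0xAA55   # bytes 510-511 read as 55 AA on disk


def load_sector(path: str) -> bytes:
    """Read sector 0 from a dump file or a raw device such as r'\\\\.\\PhysicalDrive0'
    (the latter needs administrator rights on Windows). Assumed helper."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, disk signature, boot-code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    (sig,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        status, ptype, start_lba, size = struct.unpack_from(ENTRY_FMT, sector, PTABLE_OFF + 16 * i)
        if ptype == 0 and start_lba == 0 and size == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": size})
    return {
        "signature_ok": sig == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: dict, reported_volume_offset: int,
              known_good_boot_hash: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55AA boot signature")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in mbr["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partition overlap at LBA {start2}")
    # The OS reports where the system volume sits on the disk; a partition
    # table that does not agree with that offset has been tampered with or faked.
    lba = reported_volume_offset // SECTOR
    if reported_volume_offset % SECTOR or not any(p["start_lba"] == lba for p in mbr["partitions"]):
        findings.append(f"no partition starts at LBA {lba} (offset {reported_volume_offset:#x})")
    if known_good_boot_hash and mbr["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good reference")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed demo sector: invented boot stub, two NTFS partitions.
    C: is placed at LBA 409600 to match the 0x0c800000 offset in the thread's log."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # invented disk signature
    entries = b""
    for status, ptype, start, size in [(0x80, 0x07, 2048, 407552),
                                       (0x00, 0x07, 409600, 976363568)]:
        entries += struct.pack(ENTRY_FMT, status, ptype, start, size)
    entries += b"\x00" * 32                                   # two empty slots
    return boot_code + disk_sig + entries + b"\x55\xAA"


if __name__ == "__main__":
    sample = parse_mbr(build_sample_mbr())
    print("boot code sha256:", sample["boot_code_sha256"])
    for p in sample["partitions"]:
        print(p)
    print("findings:", check_mbr(sample, 0x0C800000) or "none")
```

To use it on a real dump, replace `build_sample_mbr()` with `load_sector("mbr.bin")` and pass the offset Bootkit Remover printed; feed `known_good_boot_hash` the hash of a sector dumped from clean media or from a freshly written standard Windows 7 MBR so that "boot code differs" becomes a meaningful finding rather than a guess.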