Solved Yet another svchost.exe virus

E-Will 1.0

Hi, and thanks. Google brought me here and after reading a few threads I can see I'm in the right place.

I have at least 1 PC infected with a virus that is hidden as SVCHOST.exe. The process will initiate multiple ip connections and uses obscene amounts of bandwidth (2.5 GB one day). Seems also to be allowing pop ups and is possibly interfering with my install of McAfee Enterprise - admittedly a free (and legal) "perk" from work. The on demand scan will not initiate due to an unfound dll.

I said at least 1. I haven't played much with my other but it exhibits similar behaviour. They are both part of the same home network. Both running Win7.

Due to the issues associated with actually allowing network traffic on my PCs I may prefer to d/l some of the recommended tools to a memory stick and then transfer them. This post is from my iPad, which seems fine (not surprisingly).

In addition to support for cleanup I'd appreciate any recommended alternatives to McAfee.

Thanks in advance to whomever replies, you guys are friggen heroes in my books.

Eric
 
Am running MBAM now... And the results are in. Lots of Trojans. Will post shortly. I was able to mostly restore my connectivity by suspending the offensive process. Killing it only caused it to re-spawn.
 
After running MBAM quick scan:
A) the svchost.exe process is gone.
B) if I get to the McAfee On-Demand scan as the computer is starting up, before MBAM starts screaming about more quarantined files, I can initialize it. Once the quarantining starts, it won't run. I assume this is an ongoing virus issue.

MBAM Log follows, DDS coming soon...

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org
Database
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
EMW :: EMW-OFFICE [administrator]
Protection: Enabled
04/01/2013 9:20:04 PM
mbam-log-2013-01-04 (21-20-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247642
Time elapsed: 6 minute(s), 1 second(s)
Memory Processes Detected: 2
C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> 4156 -> Delete on reboot.
C:\Windows\System32\taskmgr.exe (Trojan.FakeMS) -> 5952 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 12
HKLM\SYSTEM\CurrentControlSet\Services\WSearch (Trojan.FakeMS) -> Quarantined and deleted successfully.
HKCR\CLSID\>{26923b43-4d38-484f-9b9e-de460746276c} (Trojan.FakeMS) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923B43-4D38-484F-9B9E-DE460746276C} (Trojan.FakeMS) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923B43-4D38-484F-9B9E-DE460746276C} (Trojan.FakeMS) -> Quarantined and deleted successfully.
HKCR\TypeLib\{7CDB4C42-D09D-4532-AF9D-B941DF2F3E24} (Trojan.FakeMS) -> Delete on reboot.
HKCR\Interface\{5A6046F6-7B79-435B-908E-0C252F8FFACD} (Trojan.FakeMS) -> Delete on reboot.
HKCR\TypeLib\{8E80422B-CAC4-472B-B272-9635F1DFEF3B} (Trojan.FakeMS) -> Delete on reboot.
HKCR\Interface\{0178FAD1-B361-4B27-96AD-67C57EBF2E1D} (Trojan.FakeMS) -> Delete on reboot.
HKCR\TypeLib\{00A40DB9-D8B4-40B3-8E0C-A8E8C6B3B720} (Trojan.FakeMS) -> Delete on reboot.
HKCR\Interface\{802C03CF-0243-4DAF-BDE5-A1A9071B79D8} (Trojan.FakeMS) -> Delete on reboot.
HKCR\TypeLib\{B0A20F08-4B8A-4BDE-9735-8CFC250A6B4B} (Trojan.FakeMS) -> Delete on reboot.
HKCR\Interface\{4634D64C-B361-4AF9-94BC-FB86A7B18EFF} (Trojan.FakeMS) -> Delete on reboot.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKLM\SYSTEM\CurrentControlSet\SERVICES\COMSYSAPP|Type (Hijack.Comsysapp) -> Bad: (272) Good: (16) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 105
C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\taskmgr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\ie4uinit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Windows Media Player\wmlaunch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\at.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\bootcfg.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\certreq.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\certutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\chkdsk.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\choice.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\cmdl32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\comp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ComputerDefaults.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\convert.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\credwiz.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\cttunesvr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dccw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ddodiag.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\diskpart.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\diskraid.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\DisplaySwitch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dnscacheugc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dpnsvr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dvdplay.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dvdupgrd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\dxdiag.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\efsui.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\eventvwr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\findstr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\fltMC.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\fontview.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\fsutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\hh.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ie4uinit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\iexpress.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\instnm.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\logman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\mfpmp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\mmc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\MRINFO.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\msfeedssync.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\msra.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\MuiUnattend.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\Mystify.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\netiougc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\notepad.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ocsetup.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\odbcconf.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\print.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\proquota.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\rasautou.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ReAgentc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\regedit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\regini.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\replace.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\Ribbons.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\RMActivate_ssp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\RMActivate_ssp_isv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\sdchange.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\setup16.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\shrpubw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\shutdown.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\ssText3d.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\subst.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\systeminfo.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesAdvanced.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesComputerName.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesHardware.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesProtection.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemPropertiesRemote.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\TCPSVCS.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\TSTheme.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\tzutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\UserAccountControlSettings.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\vssadmin.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wecutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\WerFault.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wevtutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wextract.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\where.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\whoami.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wimserv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\winrs.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\winver.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wlanext.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\write.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\WSManHTTPConfig.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\xcopy.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\com\comrepl.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\com\MigRegDB.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wbem\mofcomp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wbem\WMIC.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\System32\wbem\WmiPrvSE.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\regedit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\winhlp32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
(end)
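As an added, defender-side example (not code from this thread, from Malwarebytes or from DDS), the following PowerShell audit checks the three things the log above points at: whether every running svchost.exe is the real one, whether the System32 binaries reported as Trojan.FakeMS are still present and Microsoft-signed, and whether a Windows\Installer GUID folder carries the "U" subfolder the Rootkit.0Access entries were found in. It assumes Windows 7 x64 with PowerShell 2.0 or later, run from an elevated prompt; the function names and the sample path list are mine, taken from the log.

```powershell
# Added example, not code from the thread. Reports only; it changes nothing.
# Assumes Windows 7 x64, PowerShell 2.0+, elevated prompt.

function Get-SvchostAudit {
    # A legitimate svchost.exe lives in System32 (or SysWOW64), is Microsoft
    # signed, is started by services.exe and receives a service group via -k.
    $servicesPid = (Get-Process -Name services -ErrorAction SilentlyContinue |
                    Select-Object -First 1).Id
    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $findings = @()
        $path = $_.ExecutablePath
        if (-not $path) {
            $findings += 'no image path returned (access denied or hidden)'
        }
        elseif ($path -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
            $findings += "unexpected image path: $path"
        }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status $($sig.Status)"
            }
            elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "signed by $($sig.SignerCertificate.Subject)"
            }
        }
        if ($_.ParentProcessId -ne $servicesPid) {
            $findings += "parent PID $($_.ParentProcessId) is not services.exe"
        }
        if ($_.CommandLine -notmatch '\s-k\s+\S+') {
            $findings += 'no -k service group on the command line'
        }
        New-Object PSObject -Property @{
            ProcessId   = $_.ProcessId
            Path        = $path
            CommandLine = $_.CommandLine
            Findings    = ($findings -join '; ')
        }
    }
}

function Test-SystemBinaries {
    param([string[]] $Paths)
    # Files MBAM "quarantined and deleted" stay missing until sfc /scannow
    # restores them. On Windows 7 with PowerShell 2.0, catalog-signed system
    # files report NotSigned rather than Valid, so HashMismatch / NotTrusted
    # are the strong signals here and sfc /verifyonly is the authoritative check.
    foreach ($p in $Paths) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) {
            $state = 'MISSING (restore with sfc /scannow)'
        }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $full
            $state = switch ($sig.Status) {
                'Valid'     { 'OK (' + $sig.SignerCertificate.Subject + ')' }
                'NotSigned' { 'no embedded signature (catalog-signed; verify with sfc /verifyonly)' }
                default     { "SUSPECT: $($sig.Status)" }
            }
        }
        New-Object PSObject -Property @{ Path = $full; State = $state }
    }
}

function Find-InstallerResidue {
    # The log places the Rootkit.0Access files under C:\Windows\Installer\{GUID}\U\
    # with a file named "n" beside it. Genuine Windows Installer GUID folders
    # hold .msi/.msp payloads, not a "U" folder.
    $root = Join-Path $env:SystemRoot 'Installer'
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
        ForEach-Object {
            $u = Join-Path $_.FullName 'U'
            $n = Join-Path $_.FullName 'n'
            if ((Test-Path -LiteralPath $u) -or (Test-Path -LiteralPath $n)) { $_.FullName }
        }
}

# Sample list (constructed): a subset of the paths the MBAM log reports as
# Trojan.FakeMS, plus svchost.exe itself as a baseline that should read OK.
$flagged = @(
    '%SystemRoot%\System32\svchost.exe',
    '%SystemRoot%\System32\taskmgr.exe',
    '%SystemRoot%\System32\SearchIndexer.exe',
    '%SystemRoot%\System32\notepad.exe',
    '%SystemRoot%\System32\regedit.exe',
    '%SystemRoot%\System32\wbem\WMIC.exe',
    '%SystemRoot%\regedit.exe'
)

Get-SvchostAudit       | Format-Table ProcessId, Path, CommandLine, Findings -AutoSize
Test-SystemBinaries $flagged | Format-Table Path, State -AutoSize
Find-InstallerResidue
```

Any svchost.exe with a non-empty Findings column, any SUSPECT signature state, or any Installer GUID folder printed by the last call is worth a second look with a rootkit-aware scanner; the MISSING entries are the tools MBAM removed and explain why things like Task Manager and regedit no longer start until sfc /scannow puts them back.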
 
Dds.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by EMW at 22:06:47 on 2013-01-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4095.2392 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Garmin\Training Center\gStart.exe
C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Users\EMW\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Windows\SysWOW64\LVCOMSX.EXE
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\jusched.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\perfmon.exe
C:\Windows\system32\prevhost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\jucheck.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe
uRun: [WeatherEye] C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [LVCOMSX] C:\Windows\System32\LVCOMSX.EXE
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\EMW\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\EMW\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CINEFO~1.LNK - C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ras.opgonline.com/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{2B13F128-3241-4FDD-813D-A1DC7671828D} : DHCPNameServer = 204.101.237.136 206.47.201.246
TCP: Interfaces\{730C4F2F-384B-4891-8272-EE6923784ED8} : DHCPNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
x64-DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
x64-DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
P2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [2010-10-22 181480]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-10-3 470808]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-3-27 55280]
R1 NEOFLTR_720_21697;Juniper Networks TDI Filter Driver (NEOFLTR_720_21697);C:\Windows\System32\drivers\NEOFLTR_720_21697.SYS [2012-12-15 100728]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-27 239616]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 JobManagerService110;Ansys JobManager Service V11;C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [2007-1-16 20480]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-4 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-4 682344]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2010-10-22 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-8-25 262144]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2010-10-22 225280]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2012-10-3 77968]
R2 ScriptHostService110;Ansys ScriptHost Service V11;C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [2007-1-16 20480]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-3-27 1692480]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-4 24176]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-10-3 120224]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-3-12 36720]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-3-21 452200]
S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2010-12-3 1458176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 288256]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\androidusb.sys [2010-4-29 32768]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2010-3-27 138752]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2012-10-3 78768]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2011-5-10 22528]
S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr7364.sys [2009-6-10 707072]
S3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\System32\drivers\netr6164.sys [2010-10-24 438784]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-21 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-4 1255736]
.
=============== Created Last 30 ================
.
2013-01-05 02:14:01 -------- d-----w- C:\Users\EMW\AppData\Roaming\Malwarebytes
2013-01-05 02:13:41 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-01-05 02:13:41 -------- d-----w- C:\ProgramData\Malwarebytes
2013-01-05 02:13:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-05 02:13:21 -------- d-----w- C:\Users\EMW\AppData\Local\Programs
2013-01-03 00:11:59 -------- d-----w- C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2012-12-16 03:24:32 100728 ----a-w- C:\Windows\System32\drivers\NEOFLTR_720_21697.SYS
.
==================== Find3M ====================
.
2012-12-12 12:19:17 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-12 12:19:17 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-03 13:58:31 49664 ----a-w- C:\ProgramData\p25_406265978.dll
2012-10-25 08:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-10-25 08:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-10-23 20:04:38 460288 ----a-w- C:\Windows\WLXPGSS.SCR
2012-10-13 05:34:06 1424896 ----a-w- C:\Windows\System32\CFHD.dll
2012-10-13 05:31:20 1458176 ----a-w- C:\Windows\SysWow64\CFHD.dll
.
============= FINISH: 22:08:34.26 ===============
 
Attach.txt ...

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 05/04/2010 5:31:45 PM
System Uptime: 04/01/2013 9:54:02 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0K83V0
Processor: Pentium(R) Dual-Core CPU E5400 @ 2.70GHz | CPU 1 | 2700/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 219.893 GiB free.
D: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is FIXED (FAT32) - 931 GiB total, 562.904 GiB free.
J: is Removable
X: is FIXED (NTFS) - 15 GiB total, 10.156 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: 802.11g PCI Wireless Adapter
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\4&2AE74A33&0&08F0
Manufacturer: Ralink Technology Corp.
Name: 802.11g PCI Wireless Adapter
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\4&2AE74A33&0&08F0
Service: rt61x64
.
==== System Restore Points ===================
.
RP177: 29/10/2012 5:21:45 PM - Installed Java(TM) 6 Update 37
RP178: 12/11/2012 6:58:33 PM - Scheduled Checkpoint
RP179: 20/11/2012 6:43:13 PM - Scheduled Checkpoint
RP180: 27/11/2012 9:36:31 PM - Scheduled Checkpoint
RP181: 15/12/2012 12:02:38 PM - Scheduled Checkpoint
RP182: 31/12/2012 6:26:32 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.2
AMD Accelerated Video Transcoding
AMD APP SDK Runtime
AMD AVIVO64 Codecs
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Media Foundation Decoders
ANSYS CFX 11.0
ANSYS ICEM CFD 11.0
ANSYS Products 11.0
ANSYS Remote Solve Manager (RSM) 11.0
Any Video Converter 3.1.7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
Bing Bar
Bing Bar Platform
Bonjour
Brother HL-2170W
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Citrix XenApp Web Plugin
Compatibility Pack for the 2007 Office system
D3DX10
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dropbox
Garmin Training Center
Garmin USB Drivers
Google Earth
Google Update Helper
GoPro CineForm Studio 1.3.1
GoToAssist 8.0.0.514
HydraVision
iCloud
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
ISODisk 1.1
iTunes
Java Auto Updater
Java(TM) 6 Update 17 (64-bit)
Java(TM) 6 Update 35
Juniper Networks Secure Application Manager
Juniper Networks, Inc. Setup Client
Juniper Networks, Inc. Setup Client 64-bit Activex Control
Junk Mail filter update
Logitech® Camera Driver
Malwarebytes Anti-Malware version 1.70.0.1100
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft IntelliPoint 8.1
Microsoft LifeCam
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
PowerDVD DX
QuickTime
Ralink RT6x Wireless LAN Card
Realtek High Definition Audio Driver
Roxio Burn
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 4.2
TVersity Codec Pack 1.7
TVersity Media Server 1.9.7
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2586924)
Virtual DJ Pro Full - Atomix Productions
WeatherEye
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 )
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.11 (32-bit)
Xiph.Org Open Codecs 0.85.17777
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
04/01/2013 9:56:45 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
04/01/2013 9:56:45 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
04/01/2013 9:56:30 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
04/01/2013 9:56:00 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
04/01/2013 9:55:57 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ISODisk
04/01/2013 9:55:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
04/01/2013 9:54:29 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
04/01/2013 9:54:26 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
04/01/2013 9:54:22 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the ANSYS FLEXlm license manager service to connect.
04/01/2013 9:54:22 PM, Error: Service Control Manager [7000] - The ANSYS FLEXlm license manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/01/2013 9:54:13 PM, Error: rt61x64 [5003] - 802.11g PCI Wireless Adapter : Could not find a network adapter.
04/01/2013 9:54:07 PM, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\ISODisk.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
04/01/2013 10:04:08 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "2" Happened while starting this command: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
02/01/2013 7:14:10 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 38 time(s).
02/01/2013 7:14:04 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 37 time(s).
02/01/2013 7:13:59 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 36 time(s).
02/01/2013 7:13:53 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 35 time(s).
02/01/2013 7:13:48 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 34 time(s).
02/01/2013 7:13:42 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 33 time(s).
02/01/2013 7:13:37 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 32 time(s).
02/01/2013 7:13:33 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 31 time(s).
02/01/2013 7:13:27 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 30 time(s).
02/01/2013 7:13:22 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 29 time(s).
02/01/2013 7:13:16 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 28 time(s).
02/01/2013 7:13:11 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 27 time(s).
02/01/2013 7:13:05 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 26 time(s).
02/01/2013 7:13:00 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 25 time(s).
02/01/2013 7:12:55 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 24 time(s).
02/01/2013 7:12:50 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 23 time(s).
02/01/2013 7:12:44 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 22 time(s).
02/01/2013 7:12:39 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 21 time(s).
02/01/2013 7:12:33 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 20 time(s).
02/01/2013 7:12:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 19 time(s).
02/01/2013 7:12:22 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 18 time(s).
02/01/2013 7:11:07 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 17 time(s).
02/01/2013 7:09:45 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 16 time(s).
02/01/2013 7:09:40 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 15 time(s).
02/01/2013 7:09:34 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 14 time(s).
02/01/2013 7:09:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 13 time(s).
02/01/2013 7:09:23 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 12 time(s).
02/01/2013 7:09:17 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 11 time(s).
02/01/2013 7:09:12 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 10 time(s).
02/01/2013 7:09:08 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 9 time(s).
02/01/2013 7:09:02 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 8 time(s).
02/01/2013 7:08:56 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 7 time(s).
02/01/2013 7:08:51 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 6 time(s).
02/01/2013 7:08:45 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 5 time(s).
02/01/2013 7:08:40 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 4 time(s).
02/01/2013 7:08:34 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 3 time(s).
02/01/2013 7:06:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
02/01/2013 7:01:54 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
02/01/2013 6:34:40 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
02/01/2013 6:34:28 PM, Error: Service Control Manager [7023] - The iPod Service service terminated with the following error: %%-2147417831
.
==== End Of File ===========================
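The "Event Viewer Messages" block above is the part of Attach.txt a responder reads first: a run of event 7034 entries for the McAfee McShield service a few seconds apart, and two event 7003 entries saying the BFE (Base Filtering Engine) service may not be installed. As an added example, not part of DDS, MBAR, McAfee or this thread, here is a small Python triage script that parses lines in that DDS format and flags those two patterns. The watched-service list, the crash threshold and window, and the sample lines are my own constructions modelled on the log above, not a vendor's rule set.

```python
"""
Triage helper for the "Event Viewer Messages" block that DDS writes to
Attach.txt. Added example; it is not part of DDS, MBAR, McAfee or the
forum post. The watchlist and thresholds are assumptions, and the sample
lines are constructed to mirror the format of the log above.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One DDS event line: "dd/mm/yyyy h:mm:ss AM, Level: Source [EventID] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Event 7034 body, including the SCM's own running count
CRASH_RE = re.compile(
    r"^The (?P<svc>.+?) service terminated unexpectedly\..*?done this (?P<n>\d+) time"
)
# Event 7003 body: a dependency the SCM could not find
DEP_RE = re.compile(r"depends the following service: (?P<svc>[\w-]+)\.")

# Services whose repeated death or disappearance points at tampering rather
# than a plain bug (assumed watchlist for this example: AV engine, Base
# Filtering Engine, Windows Firewall, Defender, Security Center).
WATCHED = {"McShield", "BFE", "MpsSvc", "WinDefend", "wscsvc"}
CRASH_THRESHOLD = 3                   # assumed: this many 7034s for one service...
CRASH_WINDOW = timedelta(minutes=10)  # ...inside this window is a finding

# Constructed sample in DDS format (dates are dd/mm/yyyy as in the log above).
SAMPLE_LOG = """\
04/01/2013 9:55:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
04/01/2013 9:54:29 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
02/01/2013 7:09:08 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 9 time(s).
02/01/2013 7:09:02 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 8 time(s).
02/01/2013 7:08:56 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 7 time(s).
02/01/2013 6:40:00 PM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
02/01/2013 6:34:28 PM, Error: Service Control Manager [7023] - The iPod Service service terminated with the following error: %%-2147417831
"""


def parse_events(text):
    """Turn DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def is_watched(service_name):
    """Match either a short service name (BFE) or one word of a display name."""
    return bool(WATCHED & set(service_name.split()))


def triage(events):
    """Summarise 7034/7003 events and flag the watched services."""
    crash_times = defaultdict(list)  # display name -> timestamps of its 7034s
    max_reported = Counter()         # display name -> largest "done this N time(s)"
    missing_deps = set()             # short names a 7003 says may not be installed

    for ev in events:
        if ev["event_id"] == 7034:
            m = CRASH_RE.match(ev["msg"])
            if m:
                crash_times[m["svc"]].append(ev["ts"])
                max_reported[m["svc"]] = max(max_reported[m["svc"]], int(m["n"]))
        elif ev["event_id"] == 7003:
            m = DEP_RE.search(ev["msg"])
            if m:
                missing_deps.add(m["svc"])

    findings = []
    for svc, times in crash_times.items():
        span = max(times) - min(times)
        if is_watched(svc) and len(times) >= CRASH_THRESHOLD and span <= CRASH_WINDOW:
            findings.append(
                f"{svc}: {len(times)} unexpected terminations within {span} "
                f"(SCM counted {max_reported[svc]}); a security service dying "
                f"this often is a tamper signal, not a crash to ignore"
            )
    for svc in sorted(missing_deps):
        if is_watched(svc):
            findings.append(
                f"{svc}: reported as possibly not installed (event 7003); confirm "
                f"the service still exists and compare with a clean machine"
            )

    return {
        "crash_counts": {svc: len(t) for svc, t in crash_times.items()},
        "max_reported": dict(max_reported),
        "missing_deps": missing_deps,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(parse_events(SAMPLE_LOG))["findings"]:
        print(line)
```

Run it against a real Attach.txt by passing the text of the "Event Viewer Messages" section to `parse_events`; the unrelated 7034 for the Bonjour service in the sample shows that only watched services produce a finding, so the third-party crashes that fill most home-PC logs stay out of the way.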
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================

Create a new restore point before proceeding with the next step.
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

********************************************

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 
System-log.txt

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_35
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED, X:\ DRIVE_FIXED
CPU speed: 2.693000 GHz
Memory total: 4293902336, free: 2233475072
------------ Kernel report ------------
01/04/2013 22:54:17
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\mfetdik.sys
\SystemRoot\system32\drivers\TDI.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\??\C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\point64.sys
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\nx6000.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\SysWOW64\WinFLdrv.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\gdi32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\kernel32.dll
\Windows\System32\advapi32.dll
\Windows\System32\lpk.dll
\Windows\System32\nsi.dll
\Windows\System32\setupapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\urlmon.dll
\Windows\System32\oleaut32.dll
\Windows\System32\usp10.dll
\Windows\System32\ole32.dll
\Windows\System32\difxapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\imm32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\shell32.dll
\Windows\System32\user32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\sechost.dll
\Windows\System32\psapi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\msctf.dll
\Windows\System32\imagehlp.dll
\Windows\System32\wininet.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR5
Upper Device Object: 0xfffffa8005e43790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000078\
Lower Device Object: 0xfffffa8005e2a060
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xfffffa8005e26060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xfffffa8005e23570
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xfffffa8005e25060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000075\
Lower Device Object: 0xfffffa8005e087b0
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xfffffa8005e07060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000074\
Lower Device Object: 0xfffffa8005dc7060
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8005e24060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000073\
Lower Device Object: 0xfffffa8005e02150
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80048ba060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004441050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2013.01.05.01
Downloaded database version: v2013.01.04.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80048ba060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80048bab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80048ba060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004441050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a002f24a80, 0xfffffa80048ba060, 0xfffffa8003d2c090
Lower DeviceData: 0xfffff8a0028dc820, 0xfffffa8004441050, 0xfffffa80070f4e40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 78033E78
Partition information:
Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 81920 Numsec = 30720000
Partition file system is NTFS
Partition is bootable
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 30801920 Numsec = 945969200
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 500107862016 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xfffffa8005e24060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005e24b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005e24060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005e02150, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa8005e07060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005e07b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005e07060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005dc7060, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xfffffa8005e25060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005e25b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005e25060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005e087b0, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xfffffa8005e26060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005e26b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005e26060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005e23570, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 512
Drive: 5, DevicePointer: 0xfffffa8005e43790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005e44790, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005e43790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005e2a060, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xfffff8a0032511a0, 0xfffffa8005e43790, 0xfffffa8004411790
Lower DeviceData: 0xfffff8a00b322260, 0xfffffa8005e2a060, 0xfffffa8006ef82d0
Drive 5
Scanning MBR on drive 5...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E8900690
Partition information:
Partition 0 type is Other (0xc)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
Infected: C:\Windows\System32\services.exe --> [Rootkit.0Access.S]
Backup file found for a file C:\Windows\System32\services.exe
Infected: C:\Windows\SysWOW64\chkntfs.exe --> [Trojan.FakeMS]
Backup file found for a file C:\Windows\SysWOW64\chkntfs.exe
Infected: C:\Windows\SysWOW64\mshta.exe --> [Trojan.FakeMS]
Backup file found for a file C:\Windows\SysWOW64\mshta.exe
Infected: C:\Windows\SysWOW64\SecEdit.exe --> [Trojan.FakeMS]
Backup file found for a file C:\Windows\SysWOW64\SecEdit.exe
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Trojan.0access]
Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 --> [Trojan.Zaccess]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\1afb2d56 --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\4cce1f70 --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L --> [Backdoor.0Access]
Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ --> [Backdoor.0Access]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_35
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED
CPU speed: 2.693000 GHz
Memory total: 4293902336, free: 3199561728
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_35
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED
CPU speed: 2.693000 GHz
Memory total: 4293902336, free: 2625609728
------------ Kernel report ------------
01/04/2013 23:21:33
------------ Loaded modules -----------
----------- End -----------
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 78033E78
Partition information:
Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 81920 Numsec = 30720000
Partition file system is NTFS
Partition is bootable
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 30801920 Numsec = 945969200
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 500107862016 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Drive 5
Scanning MBR on drive 5...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E8900690
Partition information:
Partition 0 type is Other (0xc)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
Done!
Scan finished
=======================================
 
'clean' mbar log

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org
Database
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
EMW :: EMW-OFFICE [administrator]
04/01/2013 11:37:53 PM
mbar-log-2013-01-04 (23-37-53).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29108
Time elapsed: 16 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
'dirty' mbar log

Seems better - no MBAM alerts anymore, McAfee runs 100%.

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org
Database
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
EMW :: EMW-OFFICE [administrator]
04/01/2013 11:14:25 PM
mbar-log-2013-01-04 (23-14-25).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29532
Time elapsed: 18 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Delete on reboot.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n. -> Delete on reboot.
Registry Data Items Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| (Trojan.Zaccess) -> Bad: (C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Delete on reboot.
Folders Detected: 4
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L (Backdoor.0Access) -> Delete on reboot.
Files Detected: 30
C:\Windows\System32\services.exe (Rootkit.0Access.S) -> Delete on reboot.
C:\Windows\SysWOW64\chkntfs.exe (Trojan.FakeMS) -> Delete on reboot.
C:\Windows\SysWOW64\mshta.exe (Trojan.FakeMS) -> Delete on reboot.
C:\Windows\SysWOW64\SecEdit.exe (Trojan.FakeMS) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\assembly\GAC_32\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\1afb2d56 (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\201d3dde (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\4cce1f70 (Backdoor.0Access) -> Delete on reboot.
C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
(end)
 
Very well...

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

============================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Rogue Killer Log 1/2

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] WeatherEye.exe -- C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3198253161-613055380-4240325347-1001[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\EMW\Desktop\Cleanup\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3500418AS +++++
--- User ---
[MBR] c93c21bac940425f83f48c33a40e3d2c
[BSP] b689a285b9fb589571be9d69c096bbe2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_01052013_02d1110.txt >>
RKreport[1]_S_01052013_02d1110.txt
 
Rogue Killer log 2/2

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] WeatherEye.exe -- C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\EMW\Desktop\Cleanup\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3500418AS +++++
--- User ---
[MBR] c93c21bac940425f83f48c33a40e3d2c
[BSP] b689a285b9fb589571be9d69c096bbe2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2]_D_01052013_02d1111.txt >>
RKreport[1]_S_01052013_02d1110.txt ; RKreport[2]_D_01052013_02d1111.txt
 
Am getting most of the way through the aswMBR scan (past \system32\drivers) and then find an infected file. Not long after, I get the good ol' "The instruction at XXX referenced memory at YYY. The memory could not be read - click Close to terminate the program".

This has happened twice and seems to be stalling out at the same point in the process, though the file being scanned at the time has been different - image file below.
 
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

==============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Okay. I've buggered this up fairly well at this point. With apologies.

I created a restore point and downloaded combofix. I disabled mcafee and MBAM. Ran Combofix and it got partway through but twice halted on a compatibility mode error.
I restarted McAfee and MBAM. Wasn't sure, so I ticked Filesystem protection and Malicious website blocking on the Protection tab.
Re-downloaded Combofix with alt name. Same result. Then realized I should not have run it right away so rebooted.

Downloaded both versions of rkill.
Muddled by my own confusion but thinking I was doing the right thing I successfully ran rkill.exe and immediately realized I should have done so in SafeMode.
Reboot
F8 did not provide a safe mode option (nor has it on subsequent reboots)

Decided it was time to admit my sins

Current behaviour:
MBAM blocking access to "potentially malicious website 208.73.210.29, Port 53610", process mbamscheduler.exe. jusched.exe also being blocked.
I get a UAC message when I invoke the MBAM GUI. Didn't realize that still existed in Win7.
On one reboot shortly after running rkill.exe chkdsk ran during startup. I did not initiate it.
I think that's all.

Feel free to fire me as a client. My biggest goal here outside of cleaning my machine was avoiding the Homer Simpson "Listen Carefully" sign. I can feel it coming now.... Sorry
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
Okay. Thanks Broni. Could be until Monday evening before I get to a clean PC I can download to a flash drive.

I appreciate your support and patience. If I have an excuse at all it's the three year old at my ankles yelling "Play with me dad". I guess I should take a break from this and go play anyway. Thx.
 
Home PC network traffic is too slow to post right now (times out). Took some extra time. Thanks.

Farbar Recovery Scan Tool (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-07 17:20:36
Running from E:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012 (ATTENTION: FRST version is 7 days old)
Ran by SYSTEM at 07-01-2013 17:18:30
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [187904 2012-08-09] (Microsoft Corporation)
HKLM-x32\...\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE [x]
HKLM-x32\...\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun [3695928 2009-08-19] (brother)
HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [276992 2012-08-09] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [217088 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [412672 2012-10-31] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [294912 2012-12-04] (McAfee, Inc.)
HKLM-x32\...\Run: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [124224 2010-10-22] (McAfee, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [799744 2012-10-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [585728 2012-11-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKU\EMW\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [26102056 2010-04-06] (Skype Technologies S.A.)
HKU\EMW\...\Run: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe [1891416 2008-08-13] (GARMIN Corp.)
HKU\EMW\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [585728 2012-11-21] (Apple Inc.)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-08] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\CineForm Status.lnk
ShortcutTarget: CineForm Status.lnk -> C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\EMW\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
==================== Services (Whitelisted) ===================
2 ANSYS FLEXlm license manager; C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [1458176 2012-08-08] (Macrovision Corporation)
2 JobManagerService110; "C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [20480 2007-01-16] (Ansys, Inc)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [557056 2013-01-04] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [841216 2013-01-05] (Malwarebytes Corporation)
2 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe" [20792 2010-10-22] (McAfee, Inc.)
2 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [262144 2012-10-29] (McAfee, Inc.)
2 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe" [181480 2010-10-22] (McAfee, Inc.)
2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe" [225280 2012-10-29] (McAfee, Inc.)
2 mfevtp; C:\Windows\system32\mfevtps.exe [77968 2010-10-22] (McAfee, Inc.)
2 ScriptHostService110; "C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [20480 2007-01-16] (Ansys, Inc.)
2 TVersityMediaServer; "C:\ProgramData\TVersity\Media Server\MediaServer.exe" [1249064 2011-07-29] ()
==================== Drivers (Whitelisted) =====================
3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-29] (Google Inc)
1 ISODisk; C:\Windows\SysWow64\Drivers\ISODisk.sys [9600 2006-04-26] ()
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [98088 2010-10-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [120224 2010-10-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [470808 2010-10-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [78768 2010-10-22] (McAfee, Inc.)
1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [84424 2010-10-22] (McAfee, Inc.)
1 NEOFLTR_720_21697; C:\Windows\System32\Drivers\NEOFLTR_720_21697.sys [100728 2012-08-23] (Juniper Networks)
2 WinFLdrv; C:\Windows\SysWow64\WinFLdrv.sys [21888 2010-09-06] ()
==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========
2013-01-07 17:18 - 2013-01-07 17:18 - 00000000 ____D C:\FRST
2013-01-07 17:15 - 2013-01-07 17:15 - 00008212 ____A C:\Windows\mfebcdata
2013-01-05 13:09 - 2013-01-05 13:09 - 00000000 ____D C:\Users\EMW\Desktop\rkill
2013-01-05 13:08 - 2013-01-05 13:09 - 00003866 ____A C:\Users\EMW\Desktop\Rkill.txt
2013-01-05 13:08 - 2013-01-05 13:08 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\iExplore.exe
2013-01-05 13:07 - 2013-01-05 13:07 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\rkill.exe
2013-01-05 13:05 - 2013-01-05 13:05 - 05019547 ____R (Swearware) C:\Users\EMW\Desktop\MyFile.exe
2013-01-05 12:59 - 2013-01-05 13:06 - 00000000 ___SD C:\32788R22FWJFW
2013-01-05 12:59 - 2013-01-05 12:59 - 00000000 ____D C:\Windows\erdnt
2013-01-05 10:15 - 2013-01-05 10:16 - 04732416 ____A (AVAST Software) C:\Users\EMW\Desktop\aswMBR.exe
2013-01-05 10:11 - 2013-01-05 10:11 - 00002174 ____A C:\Users\EMW\Desktop\RKreport[2]_D_01052013_02d1111.txt
2013-01-05 10:10 - 2013-01-05 10:10 - 00002402 ____A C:\Users\EMW\Desktop\RKreport[1]_S_01052013_02d1110.txt
2013-01-05 10:09 - 2013-01-05 10:11 - 00000000 ____D C:\Users\EMW\Desktop\RK_Quarantine
2013-01-05 10:09 - 2013-01-05 10:09 - 00761856 ____A C:\Users\EMW\Desktop\RogueKiller.exe
2013-01-04 21:04 - 2013-01-04 21:04 - 00688992 ____R (Swearware) C:\Users\EMW\Desktop\dds.com
2013-01-04 20:29 - 2013-01-05 11:11 - 00000000 ____D C:\Users\EMW\Desktop\Cleanup
2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\Application Data\Malwarebytes
2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Malwarebytes
2013-01-04 20:13 - 2013-01-05 13:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2013-01-04 20:13 - 2012-12-14 15:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-01-04 20:11 - 2013-01-04 20:13 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\EMW\Downloads\mbam-setup-1.70.0.1100.exe
2013-01-02 18:11 - 2013-01-02 18:32 - 00000000 ____D C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2012-12-15 21:24 - 2012-08-23 20:39 - 00100728 ____A (Juniper Networks) C:\Windows\System32\Drivers\NEOFLTR_720_21697.SYS
==================== One Month Modified Files and Folders =======
2013-01-07 17:15 - 2013-01-07 17:15 - 00008212 ____A C:\Windows\mfebcdata
2013-01-07 17:15 - 2010-04-12 18:55 - 00000000 ____D C:\Users\EMW\Application Data\Skype
2013-01-07 17:15 - 2010-04-12 18:55 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Skype
2013-01-07 17:15 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-07 17:15 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-07 17:14 - 2009-07-13 23:13 - 00730210 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-07 16:57 - 2010-04-12 19:03 - 00000000 ____D C:\Users\EMW\Application Data\skypePM
2013-01-07 16:57 - 2010-04-12 19:03 - 00000000 ____D C:\Users\EMW\AppData\Roaming\skypePM
2013-01-07 16:53 - 2012-04-05 19:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-07 16:53 - 2010-05-02 06:39 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-07 16:09 - 2011-11-20 15:02 - 00000000 ___RD C:\Users\EMW\Dropbox
2013-01-07 16:09 - 2011-11-20 15:00 - 00000000 ____D C:\Users\EMW\Application Data\Dropbox
2013-01-07 16:09 - 2011-11-20 15:00 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Dropbox
2013-01-07 16:09 - 2010-03-27 10:44 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-01-07 16:09 - 2009-07-13 22:51 - 00062747 ____A C:\Windows\setupact.log
2013-01-07 16:08 - 2010-04-15 20:48 - 00000105 ____A C:\Windows\Brownie.ini
2013-01-07 16:07 - 2010-05-02 06:39 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-07 16:07 - 2010-04-05 15:31 - 00000000 ____D C:\Users\EMW\AppData\Local\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-01-07 16:07 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-07 16:07 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
2013-01-05 13:17 - 2013-01-04 20:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-05 13:09 - 2013-01-05 13:09 - 00000000 ____D C:\Users\EMW\Desktop\rkill
2013-01-05 13:09 - 2013-01-05 13:08 - 00003866 ____A C:\Users\EMW\Desktop\Rkill.txt
2013-01-05 13:08 - 2013-01-05 13:08 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\iExplore.exe
2013-01-05 13:07 - 2013-01-05 13:07 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\rkill.exe
2013-01-05 13:06 - 2013-01-05 12:59 - 00000000 ___SD C:\32788R22FWJFW
2013-01-05 13:05 - 2013-01-05 13:05 - 05019547 ____R (Swearware) C:\Users\EMW\Desktop\MyFile.exe
2013-01-05 12:59 - 2013-01-05 12:59 - 00000000 ____D C:\Windows\erdnt
2013-01-05 11:11 - 2013-01-04 20:29 - 00000000 ____D C:\Users\EMW\Desktop\Cleanup
2013-01-05 10:16 - 2013-01-05 10:15 - 04732416 ____A (AVAST Software) C:\Users\EMW\Desktop\aswMBR.exe
2013-01-05 10:11 - 2013-01-05 10:11 - 00002174 ____A C:\Users\EMW\Desktop\RKreport[2]_D_01052013_02d1111.txt
2013-01-05 10:11 - 2013-01-05 10:09 - 00000000 ____D C:\Users\EMW\Desktop\RK_Quarantine
2013-01-05 10:10 - 2013-01-05 10:10 - 00002402 ____A C:\Users\EMW\Desktop\RKreport[1]_S_01052013_02d1110.txt
2013-01-05 10:09 - 2013-01-05 10:09 - 00761856 ____A C:\Users\EMW\Desktop\RogueKiller.exe
2013-01-04 22:17 - 2010-03-27 12:34 - 00586590 ____A C:\Windows\PFRO.log
2013-01-04 22:15 - 2011-05-21 06:47 - 00000000 __SHD C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}
2013-01-04 21:50 - 2009-07-13 23:10 - 01901240 ____A C:\Windows\WindowsUpdate.log
2013-01-04 21:04 - 2013-01-04 21:04 - 00688992 ____R (Swearware) C:\Users\EMW\Desktop\dds.com
2013-01-04 20:29 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\com
2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\Application Data\Malwarebytes
2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Malwarebytes
2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2013-01-04 20:13 - 2013-01-04 20:11 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\EMW\Downloads\mbam-setup-1.70.0.1100.exe
2013-01-04 20:06 - 2011-11-20 15:02 - 00001017 ____A C:\Users\EMW\Desktop\Dropbox.lnk
2013-01-02 18:32 - 2013-01-02 18:11 - 00000000 ____D C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2013-01-02 18:32 - 2012-10-03 16:10 - 00000000 ____D C:\Users\EMW\Desktop\VSE870LMLRP4
2013-01-02 18:32 - 2010-11-21 09:37 - 00000000 ____D C:\users\Guest
2013-01-02 18:32 - 2010-04-18 14:08 - 00000000 ____D C:\Program Files\Microsoft LifeCam
2013-01-02 18:01 - 2012-02-19 14:42 - 00201128 ____A C:\Windows\SysWOW64\TVersityMediaServer.log
2013-01-02 17:33 - 2010-04-05 15:31 - 00000000 ____D C:\users\EMW
2012-12-19 18:53 - 2012-12-04 20:50 - 00000000 ____D C:\Users\All Users\Application Data\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-19 18:53 - 2012-12-04 20:50 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-15 21:24 - 2011-07-17 12:59 - 00000018 ____A C:\pending.un
2012-12-14 15:49 - 2013-01-04 20:13 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-12 06:19 - 2012-04-05 19:15 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-12-12 06:19 - 2011-05-22 10:04 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-12-11 06:12 - 2012-08-08 17:03 - 00000003 ____A C:\Users\All Users\fcdddcja25.nls
2012-12-11 06:12 - 2012-08-08 17:03 - 00000003 ____A C:\Users\All Users\Application Data\fcdddcja25.nls
2012-12-10 18:47 - 2010-06-06 12:08 - 00007608 ____A C:\Users\EMW\AppData\Local\Resmon.ResmonCfg
2012-12-10 17:44 - 2010-04-08 19:46 - 00000000 ____D C:\Users\EMW\My Documents\Excel
2012-12-10 17:44 - 2010-04-08 19:46 - 00000000 ____D C:\Users\EMW\Documents\Excel

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe
[2009-07-13 17:36] - [2012-08-16 23:48] - 0260096 ____A (Microsoft Corporation) 4D203427A115EEA6841A535564F556FB
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe
[2011-05-16 17:08] - [2012-08-16 22:27] - 2780160 ____A (Microsoft Corporation) 67C8D40D91E86F0C43E2FE694EA6B956
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe
[2009-07-13 17:19] - [2012-08-13 18:24] - 0184832 ____A (Microsoft Corporation) 77D090BE39D1C604E2990622E0A7E835
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe
[2011-05-21 06:46] - [2012-08-16 23:40] - 0190464 ____A (Microsoft Corporation) 4F136CAD332D0757202CF23D36F685FE
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-11-12 17:58:49
Restore point made on: 2012-11-20 17:43:26
Restore point made on: 2012-11-27 20:36:52
Restore point made on: 2012-12-15 11:03:08
Restore point made on: 2012-12-31 17:26:57
Restore point made on: 2013-01-04 21:52:06
Restore point made on: 2013-01-04 22:15:41
Restore point made on: 2013-01-05 13:01:02
==================== Memory info ===========================
Percentage of memory in use: 14%
Total physical RAM: 4094.98 MB
Available physical RAM: 3504.77 MB
Total Pagefile: 4093.13 MB
Available Pagefile: 3494.72 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
==================== Partitions =============================
1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:220.42 GB) NTFS
2 Drive d: (WIN_7_HOMEPREMIUM) (CDROM) (Total:5.75 GB) (Free:0 GB) UDF
3 Drive e: (KINGSTON) (Removable) (Total:0.46 GB) (Free:0.46 GB) FAT32
7 Drive I: (My Book) (Fixed) (Total:931.28 GB) (Free:562.9 GB) FAT32
9 Drive k: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 931 GB 0 B
Disk 2 Online 478 MB 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 451 GB 14 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 9 FAT Partition 39 MB Healthy Hidden
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 K RECOVERY NTFS Partition 14 GB Healthy
=========================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy
=========================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 31 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 I My Book FAT32 Partition 931 GB Healthy
=========================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 477 MB 16 KB
==================================================================================
Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E KINGSTON FAT32 Removable 477 MB Healthy
=========================================================
Last Boot: 2013-01-04 19:02
==================== End Of Log =============================
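The services.exe search above and the "Bamital & volsnap Check" in this log both rest on the same idea: the copy of a system binary in System32 (or SysWOW64) should hash the same as the pristine WinSxS copy of the same architecture. The script below is an added example, not FRST's code and not from anyone in this thread; it parses the FRST search-result format shown above and flags a live copy whose MD5 matches no WinSxS reference, using the thread's own clean services.exe result plus a constructed tampered sample with placeholder WinSxS names and hashes. It assumes x64 Windows (System32 = amd64, SysWOW64 = x86).

```python
"""Cross-check an FRST "Search:" result for a patched system binary.

Added example, not FRST's code and not from the thread.  It parses the FRST
search format (a path line, then "[created] - [modified] - size attrs
(company) MD5") and flags a live System32/SysWOW64 copy whose MD5 matches
no WinSxS copy of the same file and architecture.  Assumes x64 Windows,
where System32 holds amd64 and SysWOW64 holds x86 binaries.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_search(text):
    """Return one dict per file reported in an FRST search log."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):      # path line; its details follow on the next line
            pending = line
            continue
        m = META_RE.match(line)
        if m and pending:
            e = m.groupdict()
            e["path"] = pending
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["company"] = (e["company"] or "").strip()
            entries.append(e)
        pending = None               # any other line breaks the path/detail pairing
    return entries

def arch_of(path):
    """'amd64' or 'x86' from the WinSxS directory prefix (amd64_, x86_, wow64_)
    or from System32 / SysWOW64; None when the location is not one of those."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "winsxs" in parts:
        prefix = parts[parts.index("winsxs") + 1].split("_", 1)[0]
        return "x86" if prefix == "wow64" else prefix
    if "system32" in parts:
        return "amd64"
    if "syswow64" in parts:
        return "x86"
    return None

def check_against_winsxs(entries):
    """Map each live System32/SysWOW64 path to 'ok', 'suspect' or 'no-reference'.
    'suspect' = the live MD5 matches no WinSxS copy of that name and architecture,
    which is how a patched services.exe or svchost.exe shows up in such a log.
    A match is evidence, not proof; FRST runs from the recovery environment so
    that an active rootkit cannot hand the scanner a clean file."""
    refs = defaultdict(set)          # (name, arch) -> MD5s of the WinSxS copies
    live = []
    for e in entries:
        name = PureWindowsPath(e["path"]).name.lower()
        arch = arch_of(e["path"])
        if "winsxs" in e["path"].lower():
            refs[(name, arch)].add(e["md5"])
        elif arch:
            live.append((name, arch, e))
    verdict = {}
    for name, arch, e in live:
        known = refs.get((name, arch))
        if not known:
            verdict[e["path"]] = "no-reference"
        else:
            verdict[e["path"]] = "ok" if e["md5"] in known else "suspect"
    return verdict

# The thread's own services.exe search: both copies hash the same.
CLEAN_SEARCH = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======
"""

# Constructed sample (placeholder WinSxS names and hashes): the System32 copy
# was modified; the SysWOW64 copy is 32-bit, so it legitimately differs from
# the amd64 reference and must be compared with the wow64_ copy instead.
TAMPERED_SEARCH = r"""
================== Search: "svchost.exe" ===================
C:\Windows\winsxs\amd64_placeholder-svchost-component_0000000000000000\svchost.exe
[2009-07-13 17:19] - [2010-11-20 13:17] - 0027136 ____A (Microsoft Corporation) 00000000000000000000000000000001
C:\Windows\winsxs\wow64_placeholder-svchost-component_0000000000000000\svchost.exe
[2009-07-13 17:19] - [2010-11-20 13:17] - 0020992 ____A (Microsoft Corporation) 00000000000000000000000000000002
C:\Windows\System32\svchost.exe
[2009-07-13 17:19] - [2012-12-31 23:59] - 0043008 ____A (Microsoft Corporation) FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
C:\Windows\SysWOW64\svchost.exe
[2009-07-13 17:19] - [2010-11-20 13:17] - 0020992 ____A (Microsoft Corporation) 00000000000000000000000000000002
====== End Of Search ======
"""
```

Calling `check_against_winsxs(parse_search(log))` on the clean sample reports the System32 services.exe as "ok"; on the constructed sample it reports the System32 svchost.exe as "suspect" while the SysWOW64 copy stays "ok".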
 
That looks good.

How is computer doing?

=====================

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next...

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

============================

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

==============================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Computer is mixed. Programs seem but IE9 is hit and miss. Until today I couldn't get it running well enough to post the last log. Now it seems better, but I haven't really done anything.
MalwareBytes is updating, and occasionally blocks access to "potentially malicious ip addresses" or something like that.

Curiously, the time is out by an hour. But the time zone is correct and it recognizes that we are not in DST. Stuff like that is easy to fix, but I find it a little disturbing.

Onwards...

(and IE9 just crashed but recovered when I tried to paste the AdwCleaner log below.)

Question: I take it I can allow mbamscheduler.exe access to the site it's searching for?
 
# AdwCleaner v2.105 - Logfile created 01/09/2013 at 21:00:11
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : EMW - EMW-OFFICE
# Boot Mode : Normal
# Running from : C:\Users\EMW\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
*************************
AdwCleaner[S1].txt - [513 octets] - [09/01/2013 21:00:11]
########## EOF - C:\AdwCleaner[S1].txt - [572 octets] ##########
 
Have twice tried JRT.exe. The first time I got a "this software may not have installed correctly" error. I clicked "yes it did" instead of "reinstall using correct settings" and nothing happened. The second attempt (both Run as Admin) produced no error, but all I got was a flash of a DOS window and then nothing.

thoughts?

Thanks

McAfee all disabled, MBAM exited.
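As an added example, not something posted in this thread and not code from the JRT or AdwCleaner authors: a PowerShell snippet for the "run as Administrator, then post the log" step, assumed to be run on the Windows 7 machine from a normal (non-elevated) session with JRT.exe on the current user's Desktop, as the instructions above place it. It checks the downloaded tool's Authenticode signature and SHA-256 hash before anything is run elevated, launches the tool through the UAC prompt, waits for it to exit, and then reports the exit code and whether JRT.txt was actually written, so a run that only flashes a console window leaves something to diagnose instead of "nothing".

```powershell
# Added example, not from this thread. Assumes JRT.exe sits on the Desktop and
# writes JRT.txt there, as the removal instructions in this thread describe.
$desktop = [Environment]::GetFolderPath('Desktop')
$tool    = Join-Path $desktop 'JRT.exe'
$log     = Join-Path $desktop 'JRT.txt'

if (-not (Test-Path $tool)) { throw "Tool not found: $tool" }

# 1. Signature check before running anything with admin rights. "NotSigned" is
#    not proof of tampering, but it is worth knowing on a machine that is still
#    being cleaned, where a download could have been interfered with.
$sig = Get-AuthenticodeSignature -FilePath $tool
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"

# 2. SHA-256 of the file, for comparison with the value the vendor publishes.
#    certutil is used because it exists on a stock Windows 7 install
#    (Get-FileHash needs PowerShell 4 or later).
"SHA-256:"
& certutil.exe -hashfile $tool SHA256

# 3. Launch elevated (UAC prompt), wait, and keep the process object so the
#    exit code survives the console window closing.
$proc = Start-Process -FilePath $tool -Verb RunAs -Wait -PassThru
if ($null -ne $proc.ExitCode) {
    "Exit code        : $($proc.ExitCode)"
} else {
    "Exit code        : not available (process handle not returned)"
}

# 4. Did the tool get far enough to write its log? If not, the usual causes are
#    protection software still running or the tool being blocked before it starts.
if (Test-Path $log) {
    "Log written      : $log ($((Get-Item $log).Length) bytes)"
    "---- first 20 lines ----"
    Get-Content -Path $log -TotalCount 20
} else {
    "No $log was produced. Confirm protection software is disabled and re-run."
}
```

The signature and hash steps are the part worth keeping as a habit: a cleanup tool is, by design, run with full rights on a machine already known to be compromised, so confirming what was actually downloaded before granting it those rights costs a few seconds and removes one way for a bad download to make things worse.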
 
Back