I have been having a lot of problems with my computer. It has been running very slowly. Task Manager shows that the CPU is always working hard and iExplore.exe has multiple instances running at all times. I generally use Chrome. Norton did not find anything. Malware found and deleted Trojan.ZbotR.Gen, but the problem still hasn't been solved. I would greatly appreciate some help! Thanks!
Inactive-A CPU busy, computer slow, and multiple iExplore.exe running
- Thread starter Khoa N
- Start date
- Status
Just to get a head start... Here is the Malware Quick Scan...
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.04.09.09
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/9/2013 4:07:25 PM
mbam-log-2013-04-09 (16-07-25).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249113
Time elapsed: 6 minute(s), 14 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{9BFC5548-EF6C-AD40-6212-113D62D23220} (Trojan.ZbotR.Gen) -> Data: C:\Users\clientb\AppData\Roaming\Oxnig\tyvyqu.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.04.09.09
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/9/2013 4:07:25 PM
mbam-log-2013-04-09 (16-07-25).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249113
Time elapsed: 6 minute(s), 14 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{9BFC5548-EF6C-AD40-6212-113D62D23220} (Trojan.ZbotR.Gen) -> Data: C:\Users\clientb\AppData\Roaming\Oxnig\tyvyqu.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 10.17.2
Run by clientb at 17:20:24 on 2013-04-09
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.414 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\atashost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\ControlCenter4\BrCtrlCntr.exe
C:\Program Files\ControlCenter4\BrCcUxSys.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://connect.mckesson.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\20.2.0.19\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
uRun: [Google Update] "c:\users\clientb\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [VIDEOWMX] rundll32.exe "c:\users\clientb\appdata\local\video wmx moniker class\DevnetPlay.dll",kbdapi80 BthPadplugin
uRun: [Adobe] regsvr32.exe c:\users\clientb\appdata\local\adobe\drfohxkk.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MPSUpg] c:\autotask\update.vbs
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableStatusMessages = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: axway.com
Trusted Zone: cyclonecommerce.com
Trusted Zone: deaecom.gov
Trusted Zone: mckesson.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/support/ieatgpc1.cab
TCP: Interfaces\{E88E9D34-B211-401B-BA1A-FF54F157AD43} : NameServer = 8.8.8.8,8.8.4.4
Notify: GoToAssist - c:\program files\citrix\gotoassist\822\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\clientb\appdata\roaming\mozilla\firefox\profiles\fjzj6ij7.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\users\clientb\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - ExtSQL: !HIDDEN! 2013-04-09 15:36; {7434560e-996e-4e46-9a9c-4a857b9cbc7d}; c:\users\clientb\appdata\roaming\mozilla\firefox\profiles\fjzj6ij7.default\extensions\{7434560e-996e-4e46-9a9c-4a857b9cbc7d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1402000.013\symds.sys [2013-4-9 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1402000.013\symefa.sys [2013-4-9 927904]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\bashdefs\20130322.001\BHDrvx86.sys [2013-3-22 997464]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\1402000.013\ccsetx86.sys [2013-4-9 134304]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\ipsdefs\20130405.001\IDSvix86.sys [2013-4-5 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1402000.013\ironx86.sys [2013-4-9 175264]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1402000.013\symnets.sys [2013-4-9 338592]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2013-4-8 137232]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 EraserUtilDrv11220;EraserUtilDrv11220;c:\program files\common files\symantec shared\eengine\EraserUtilDrv11220.sys [2013-4-9 106656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-2-2 245760]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
=============== Created Last 30 ================
.
2013-04-09 20:03:45--------d-----w-c:\users\clientb\appdata\roaming\Malwarebytes
2013-04-09 20:02:54--------d-----w-c:\programdata\Malwarebytes
2013-04-09 20:02:5121104----a-w-c:\windows\system32\drivers\mbam.sys
2013-04-09 20:02:51--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2013-04-09 20:02:40--------d-----w-c:\users\clientb\appdata\local\Programs
2013-04-09 15:10:59927904----a-w-c:\windows\system32\drivers\n360\1402000.013\symefa.sys
2013-04-09 15:10:59368288----a-w-c:\windows\system32\drivers\n360\1402000.013\symds.sys
2013-04-09 15:10:59338592----a-r-c:\windows\system32\drivers\n360\1402000.013\symnets.sys
2013-04-09 15:10:5921400----a-r-c:\windows\system32\drivers\n360\1402000.013\symelam.sys
2013-04-09 15:10:58586400----a-w-c:\windows\system32\drivers\n360\1402000.013\srtsp.sys
2013-04-09 15:10:5832888----a-r-c:\windows\system32\drivers\n360\1402000.013\srtspx.sys
2013-04-09 15:10:58175264----a-r-c:\windows\system32\drivers\n360\1402000.013\ironx86.sys
2013-04-09 15:10:58134304----a-w-c:\windows\system32\drivers\n360\1402000.013\ccsetx86.sys
2013-04-09 15:10:41--------d-----w-c:\windows\system32\drivers\n360\1402000.013
2013-04-09 15:00:37--------d-----w-C:\N360_BACKUP
2013-04-09 14:51:00142496----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2013-04-09 14:51:00--------d-----w-c:\program files\Symantec
2013-04-09 14:51:00--------d-----w-c:\program files\common files\Symantec Shared
2013-04-09 14:50:21--------d-----w-c:\windows\system32\drivers\N360
2013-04-09 14:50:19--------d-----w-c:\program files\Norton Security Suite
2013-04-09 14:50:07--------d-----w-c:\program files\NortonInstaller
2013-04-09 08:00:217108640----a-w-c:\programdata\microsoft\windows defender\definition updates\{79fd2c2d-f14a-4e70-bbf8-86c643f474ae}\mpengine.dll
2013-04-08 23:14:13--------d-----w-c:\users\clientb\appdata\local\Mozilla
2013-04-08 22:14:3094112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-04-08 22:04:20--------d-----w-C:\pharmsuite
2013-04-08 21:55:39227344----a-w-c:\windows\system32\atsckernel.exe
2013-04-08 21:55:38137232----a-w-c:\windows\system32\atashost.exe
2013-04-08 21:55:11--------d-----w-c:\programdata\WebEx
2013-04-04 14:21:332347008----a-w-c:\windows\system32\win32k.sys
2013-04-04 14:21:2915872----a-w-c:\windows\system32\drivers\usb8023.sys
2013-04-02 18:22:56--------d-----r-c:\users\clientb\appdata\roaming\Brother
.
==================== Find3M ====================
.
2013-04-08 22:14:24861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-04-08 22:14:24782240----a-w-c:\windows\system32\deployJava1.dll
2013-03-12 05:10:56237088------w-c:\windows\system32\MpSigStub.exe
2013-02-12 04:48:31474112----a-w-c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:262176512----a-w-c:\windows\apppatch\AcGenral.dll
2013-02-02 03:38:351800704----a-w-c:\windows\system32\jscript9.dll
2013-02-02 03:30:321427968----a-w-c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:211129472----a-w-c:\windows\system32\wininet.dll
2013-02-02 03:26:47142848----a-w-c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21420864----a-w-c:\windows\system32\vbscript.dll
2013-02-02 03:23:282382848----a-w-c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:27:32.42 ===============
Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 10.17.2
Run by clientb at 17:20:24 on 2013-04-09
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.414 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\atashost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\ControlCenter4\BrCtrlCntr.exe
C:\Program Files\ControlCenter4\BrCcUxSys.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\clientb\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://connect.mckesson.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\20.2.0.19\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
uRun: [Google Update] "c:\users\clientb\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [VIDEOWMX] rundll32.exe "c:\users\clientb\appdata\local\video wmx moniker class\DevnetPlay.dll",kbdapi80 BthPadplugin
uRun: [Adobe] regsvr32.exe c:\users\clientb\appdata\local\adobe\drfohxkk.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MPSUpg] c:\autotask\update.vbs
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableStatusMessages = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: axway.com
Trusted Zone: cyclonecommerce.com
Trusted Zone: deaecom.gov
Trusted Zone: mckesson.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/support/ieatgpc1.cab
TCP: Interfaces\{E88E9D34-B211-401B-BA1A-FF54F157AD43} : NameServer = 8.8.8.8,8.8.4.4
Notify: GoToAssist - c:\program files\citrix\gotoassist\822\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\clientb\appdata\roaming\mozilla\firefox\profiles\fjzj6ij7.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\users\clientb\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - ExtSQL: !HIDDEN! 2013-04-09 15:36; {7434560e-996e-4e46-9a9c-4a857b9cbc7d}; c:\users\clientb\appdata\roaming\mozilla\firefox\profiles\fjzj6ij7.default\extensions\{7434560e-996e-4e46-9a9c-4a857b9cbc7d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1402000.013\symds.sys [2013-4-9 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1402000.013\symefa.sys [2013-4-9 927904]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\bashdefs\20130322.001\BHDrvx86.sys [2013-3-22 997464]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\1402000.013\ccsetx86.sys [2013-4-9 134304]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\ipsdefs\20130405.001\IDSvix86.sys [2013-4-5 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1402000.013\ironx86.sys [2013-4-9 175264]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1402000.013\symnets.sys [2013-4-9 338592]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2013-4-8 137232]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 EraserUtilDrv11220;EraserUtilDrv11220;c:\program files\common files\symantec shared\eengine\EraserUtilDrv11220.sys [2013-4-9 106656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-2-2 245760]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
=============== Created Last 30 ================
.
2013-04-09 20:03:45--------d-----w-c:\users\clientb\appdata\roaming\Malwarebytes
2013-04-09 20:02:54--------d-----w-c:\programdata\Malwarebytes
2013-04-09 20:02:5121104----a-w-c:\windows\system32\drivers\mbam.sys
2013-04-09 20:02:51--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2013-04-09 20:02:40--------d-----w-c:\users\clientb\appdata\local\Programs
2013-04-09 15:10:59927904----a-w-c:\windows\system32\drivers\n360\1402000.013\symefa.sys
2013-04-09 15:10:59368288----a-w-c:\windows\system32\drivers\n360\1402000.013\symds.sys
2013-04-09 15:10:59338592----a-r-c:\windows\system32\drivers\n360\1402000.013\symnets.sys
2013-04-09 15:10:5921400----a-r-c:\windows\system32\drivers\n360\1402000.013\symelam.sys
2013-04-09 15:10:58586400----a-w-c:\windows\system32\drivers\n360\1402000.013\srtsp.sys
2013-04-09 15:10:5832888----a-r-c:\windows\system32\drivers\n360\1402000.013\srtspx.sys
2013-04-09 15:10:58175264----a-r-c:\windows\system32\drivers\n360\1402000.013\ironx86.sys
2013-04-09 15:10:58134304----a-w-c:\windows\system32\drivers\n360\1402000.013\ccsetx86.sys
2013-04-09 15:10:41--------d-----w-c:\windows\system32\drivers\n360\1402000.013
2013-04-09 15:00:37--------d-----w-C:\N360_BACKUP
2013-04-09 14:51:00142496----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2013-04-09 14:51:00--------d-----w-c:\program files\Symantec
2013-04-09 14:51:00--------d-----w-c:\program files\common files\Symantec Shared
2013-04-09 14:50:21--------d-----w-c:\windows\system32\drivers\N360
2013-04-09 14:50:19--------d-----w-c:\program files\Norton Security Suite
2013-04-09 14:50:07--------d-----w-c:\program files\NortonInstaller
2013-04-09 08:00:217108640----a-w-c:\programdata\microsoft\windows defender\definition updates\{79fd2c2d-f14a-4e70-bbf8-86c643f474ae}\mpengine.dll
2013-04-08 23:14:13--------d-----w-c:\users\clientb\appdata\local\Mozilla
2013-04-08 22:14:3094112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-04-08 22:04:20--------d-----w-C:\pharmsuite
2013-04-08 21:55:39227344----a-w-c:\windows\system32\atsckernel.exe
2013-04-08 21:55:38137232----a-w-c:\windows\system32\atashost.exe
2013-04-08 21:55:11--------d-----w-c:\programdata\WebEx
2013-04-04 14:21:332347008----a-w-c:\windows\system32\win32k.sys
2013-04-04 14:21:2915872----a-w-c:\windows\system32\drivers\usb8023.sys
2013-04-02 18:22:56--------d-----r-c:\users\clientb\appdata\roaming\Brother
.
==================== Find3M ====================
.
2013-04-08 22:14:24861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-04-08 22:14:24782240----a-w-c:\windows\system32\deployJava1.dll
2013-03-12 05:10:56237088------w-c:\windows\system32\MpSigStub.exe
2013-02-12 04:48:31474112----a-w-c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:262176512----a-w-c:\windows\apppatch\AcGenral.dll
2013-02-02 03:38:351800704----a-w-c:\windows\system32\jscript9.dll
2013-02-02 03:30:321427968----a-w-c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:211129472----a-w-c:\windows\system32\wininet.dll
2013-02-02 03:26:47142848----a-w-c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21420864----a-w-c:\windows\system32\vbscript.dll
2013-02-02 03:23:282382848----a-w-c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:27:32.42 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/29/2011 12:41:07 PM
System Uptime: 4/9/2013 4:22:29 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0ND237
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3391/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 348.51 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.22beta
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
Amazon Kindle
Brother MFL-Pro Suite MFC-7360N
Cisco WebEx Meetings
Coupon Printer for Windows
Google Chrome
GoToAssist Corporate
Intel(R) Graphics Media Accelerator Driver
Java 7 Update 17
Java Auto Updater
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Reader
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 20.0 (x86 en-US)
Mozilla Maintenance Service
Norton Security Suite
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Uninstall Web Viewer
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768024) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Widevine Media Optimizer IE 6.0.0
.
==== Event Viewer Messages From Past Week ========
.
4/9/2013 4:27:14 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
4/9/2013 4:23:07 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain D039078 due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
4/9/2013 3:00:27 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows 7 (KB2799494).
4/9/2013 10:27:58 AM, Error: Service Control Manager [7000] - The Offline Files service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:27:58 AM, Error: Service Control Manager [7000] - The Group Policy Client service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:27:44 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x828a82ba, 0x8a71fb4c, 0x8a71f730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040913-22822-01.
4/9/2013 10:12:05 AM, Error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Time service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Event Log service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Audio Endpoint Builder service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Themes service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the TCP/IP NetBIOS Helper service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Secure Socket Tunneling Protocol Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Store Interface Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Diagnostic Policy Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Desktop Window Manager Session Manager service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The User Profile Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Telephony service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The System Event Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Server service depends on the Security Accounts Manager service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Security Accounts Manager service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Routing and Remote Access service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Print Spooler service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Offline Files service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Group Policy Client service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Distributed Link Tracking Client service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Cryptographic Services service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The COM+ Event System service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Base Filtering Engine service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Event Log service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Audio Endpoint Builder service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The TCP/IP NetBIOS Helper service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Secure Socket Tunneling Protocol Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Network Store Interface Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Diagnostic Policy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Desktop Window Manager Session Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:24 AM, Error: Service Control Manager [7001] - The Remote Procedure Call (RPC) service depends on the DCOM Server Process Launcher service which failed to start because of the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:08:23 AM, Error: Service Control Manager [7000] - The DCOM Server Process Launcher service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 1:15:48 AM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 252.
4/8/2013 9:03:00 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
4/8/2013 6:05:35 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000094, 0x00000002, 0x00000001, 0x8288e04b). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040813-16146-01.
.
==== End Of File ===========================
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/29/2011 12:41:07 PM
System Uptime: 4/9/2013 4:22:29 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0ND237
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3391/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 348.51 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.22beta
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
Amazon Kindle
Brother MFL-Pro Suite MFC-7360N
Cisco WebEx Meetings
Coupon Printer for Windows
Google Chrome
GoToAssist Corporate
Intel(R) Graphics Media Accelerator Driver
Java 7 Update 17
Java Auto Updater
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Reader
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 20.0 (x86 en-US)
Mozilla Maintenance Service
Norton Security Suite
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Uninstall Web Viewer
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768024) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Widevine Media Optimizer IE 6.0.0
.
==== Event Viewer Messages From Past Week ========
.
4/9/2013 4:27:14 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
4/9/2013 4:23:07 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain D039078 due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
4/9/2013 3:00:27 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows 7 (KB2799494).
4/9/2013 10:27:58 AM, Error: Service Control Manager [7000] - The Offline Files service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:27:58 AM, Error: Service Control Manager [7000] - The Group Policy Client service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:27:44 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x828a82ba, 0x8a71fb4c, 0x8a71f730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040913-22822-01.
4/9/2013 10:12:05 AM, Error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Time service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Event Log service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Audio Endpoint Builder service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Themes service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the TCP/IP NetBIOS Helper service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Secure Socket Tunneling Protocol Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Network Store Interface Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Diagnostic Policy Service service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Desktop Window Manager Session Manager service to connect.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The User Profile Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Telephony service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The System Event Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Server service depends on the Security Accounts Manager service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Security Accounts Manager service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Routing and Remote Access service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Print Spooler service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Offline Files service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Group Policy Client service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Distributed Link Tracking Client service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Network Store Interface Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Cryptographic Services service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The COM+ Event System service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7001] - The Base Filtering Engine service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Event Log service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Windows Audio Endpoint Builder service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The TCP/IP NetBIOS Helper service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Secure Socket Tunneling Protocol Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Network Store Interface Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Diagnostic Policy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:25 AM, Error: Service Control Manager [7000] - The Desktop Window Manager Session Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/9/2013 10:08:24 AM, Error: Service Control Manager [7001] - The Remote Procedure Call (RPC) service depends on the DCOM Server Process Launcher service which failed to start because of the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 10:08:23 AM, Error: Service Control Manager [7000] - The DCOM Server Process Launcher service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
4/9/2013 1:15:48 AM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 252.
4/8/2013 9:03:00 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
4/8/2013 6:05:35 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000094, 0x00000002, 0x00000001, 0x8288e04b). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040813-16146-01.
.
==== End Of File ===========================
Broni
Posts: 56,041 +516
Welcome aboard
Please, observe following rules:
==================================
Download RogueKiller on the desktop
Download Malwarebytes Anti-Rootkit (MBAR) from HERE
Please, observe following rules:
- Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
- If you're stuck, or you're not sure about certain step, always ask before doing anything else.
- Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer behavior, good, or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
==================================
- Close all the running programs
- Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
- Otherwise just double-click on RogueKiller.exe
- Pre-scan will start. Let it finish.
- Click on SCAN button.
- Wait until the Status box shows Scan Finished
- Click on Delete.
- Wait until the Status box shows Deleting Finished.
- Click on Report and copy/paste the content of the Notepad into your next reply.
- RKreport.txt could also be found on your desktop.
- If more than one log is produced post all logs.
- If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
- Unzip downloaded file.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : clientb [Admin rights]
Mode : Remove -- Date : 04/10/2013 08:35:00
| ARK || FAK || MBR |
¤¤¤ Bad processes : 5 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\clientb\AppData\Local\VIDEO WMX Moniker Class\DevnetPlay.dll [x] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : VIDEOWMX (rundll32.exe "C:\Users\clientb\AppData\Local\VIDEO WMX Moniker Class\DevnetPlay.dll",kbdapi80 BthPadplugin) [x] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Adobe (regsvr32.exe C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll) [-] -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82AF7C99 -> HOOKED (Unknown @ 0x868D0C20)
SSDT[14] : NtAlertThread @ 0x82A4ABE0 -> HOOKED (Unknown @ 0x868D0DB8)
SSDT[19] : NtAllocateVirtualMemory @ 0x82A43BEC -> HOOKED (Unknown @ 0x868BEAA0)
SSDT[22] : NtAlpcConnectPort @ 0x82A8F44E -> HOOKED (Unknown @ 0x85E99C90)
SSDT[43] : NtAssignProcessToJobObject @ 0x82A18FEE -> HOOKED (Unknown @ 0x868D00F8)
SSDT[74] : NtCreateMutant @ 0x82A2A2B2 -> HOOKED (Unknown @ 0x868D0800)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x82A1B911 -> HOOKED (Unknown @ 0x868FB8E0)
SSDT[87] : NtCreateThread @ 0x82AF5ECA -> HOOKED (Unknown @ 0x868BEFB0)
SSDT[88] : NtCreateThreadEx @ 0x82A8A36B -> HOOKED (Unknown @ 0x868FBCB8)
SSDT[96] : NtDebugActiveProcess @ 0x82AC7D9A -> HOOKED (Unknown @ 0x868D0200)
SSDT[111] : NtDuplicateObject @ 0x82A4B67A -> HOOKED (Unknown @ 0x868BEC70)
SSDT[131] : NtFreeVirtualMemory @ 0x828D1AEC -> HOOKED (Unknown @ 0x868BE858)
SSDT[145] : NtImpersonateAnonymousToken @ 0x82A0F8E0 -> HOOKED (Unknown @ 0x868D09A8)
SSDT[147] : NtImpersonateThread @ 0x82A9384C -> HOOKED (Unknown @ 0x868D0B40)
SSDT[155] : NtLoadDriver @ 0x829DFC20 -> HOOKED (Unknown @ 0x85E771A0)
SSDT[168] : NtMapViewOfSection @ 0x82A60532 -> HOOKED (Unknown @ 0x868BE6A0)
SSDT[177] : NtOpenEvent @ 0x82A29CAE -> HOOKED (Unknown @ 0x868FBFD0)
SSDT[190] : NtOpenProcess @ 0x82A2BAF8 -> HOOKED (Unknown @ 0x868BEE78)
SSDT[191] : NtOpenProcessToken @ 0x82A7E23F -> HOOKED (Unknown @ 0x868BEB90)
SSDT[194] : NtOpenSection @ 0x82A838BB -> HOOKED (Unknown @ 0x868D0428)
SSDT[198] : NtOpenThread @ 0x82A77FC3 -> HOOKED (Unknown @ 0x868BED88)
SSDT[215] : NtProtectVirtualMemory @ 0x82A5C5A1 -> HOOKED (Unknown @ 0x868FBDB8)
SSDT[304] : NtResumeThread @ 0x82A8A592 -> HOOKED (Unknown @ 0x868D0F50)
SSDT[316] : NtSetContextThread @ 0x82AF7745 -> HOOKED (Unknown @ 0x868BE338)
SSDT[333] : NtSetInformationProcess @ 0x82A5278D -> HOOKED (Unknown @ 0x868BE4D0)
SSDT[350] : NtSetSystemInformation @ 0x82A6829A -> HOOKED (Unknown @ 0x868D02E0)
SSDT[366] : NtSuspendProcess @ 0x82AF7BD3 -> HOOKED (Unknown @ 0x868D05C0)
SSDT[367] : NtSuspendThread @ 0x82AAF085 -> HOOKED (Unknown @ 0x868BE178)
SSDT[370] : NtTerminateProcess @ 0x82A74BFB -> HOOKED (Unknown @ 0x868B61C0)
SSDT[371] : unknown @ 0x82A92584 -> HOOKED (Unknown @ 0x868BE258)
SSDT[385] : NtUnmapViewOfSection @ 0x82A7E87A -> HOOKED (Unknown @ 0x868BE5C0)
SSDT[399] : NtWriteVirtualMemory @ 0x82A79958 -> HOOKED (Unknown @ 0x868BE948)
S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x84ED4848)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x869FC3B0)
S_SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x86A27BF8)
S_SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x86A52AB8)
S_SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x85D0F698)
S_SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x86BF2C38)
S_SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x86BD4C38)
S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x86BE67A8)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x86A621D8)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86BA4098)
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3400832AS ATA Device +++++
--- User ---
[MBR] 5efd045731889a604ec3892c35e6c54f
[BSP] 73a416a01c7af87de45a54d5d5a14472 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 381512 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] f7ddfe522abcd18587657865c9b08a91
[BSP] 73a416a01c7af87de45a54d5d5a14472 : Windows 7/8 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 381512 Mo
Finished : << RKreport[2]_D_04102013_02d0835.txt >>
RKreport[1]_S_04102013_02d0831.txt ; RKreport[2]_D_04102013_02d0835.txt
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : clientb [Admin rights]
Mode : Remove -- Date : 04/10/2013 08:35:00
| ARK || FAK || MBR |
¤¤¤ Bad processes : 5 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\clientb\AppData\Local\VIDEO WMX Moniker Class\DevnetPlay.dll [x] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll [x] -> UNLOADED
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : VIDEOWMX (rundll32.exe "C:\Users\clientb\AppData\Local\VIDEO WMX Moniker Class\DevnetPlay.dll",kbdapi80 BthPadplugin) [x] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Adobe (regsvr32.exe C:\Users\clientb\AppData\Local\Adobe\drfohxkk.dll) [-] -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82AF7C99 -> HOOKED (Unknown @ 0x868D0C20)
SSDT[14] : NtAlertThread @ 0x82A4ABE0 -> HOOKED (Unknown @ 0x868D0DB8)
SSDT[19] : NtAllocateVirtualMemory @ 0x82A43BEC -> HOOKED (Unknown @ 0x868BEAA0)
SSDT[22] : NtAlpcConnectPort @ 0x82A8F44E -> HOOKED (Unknown @ 0x85E99C90)
SSDT[43] : NtAssignProcessToJobObject @ 0x82A18FEE -> HOOKED (Unknown @ 0x868D00F8)
SSDT[74] : NtCreateMutant @ 0x82A2A2B2 -> HOOKED (Unknown @ 0x868D0800)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x82A1B911 -> HOOKED (Unknown @ 0x868FB8E0)
SSDT[87] : NtCreateThread @ 0x82AF5ECA -> HOOKED (Unknown @ 0x868BEFB0)
SSDT[88] : NtCreateThreadEx @ 0x82A8A36B -> HOOKED (Unknown @ 0x868FBCB8)
SSDT[96] : NtDebugActiveProcess @ 0x82AC7D9A -> HOOKED (Unknown @ 0x868D0200)
SSDT[111] : NtDuplicateObject @ 0x82A4B67A -> HOOKED (Unknown @ 0x868BEC70)
SSDT[131] : NtFreeVirtualMemory @ 0x828D1AEC -> HOOKED (Unknown @ 0x868BE858)
SSDT[145] : NtImpersonateAnonymousToken @ 0x82A0F8E0 -> HOOKED (Unknown @ 0x868D09A8)
SSDT[147] : NtImpersonateThread @ 0x82A9384C -> HOOKED (Unknown @ 0x868D0B40)
SSDT[155] : NtLoadDriver @ 0x829DFC20 -> HOOKED (Unknown @ 0x85E771A0)
SSDT[168] : NtMapViewOfSection @ 0x82A60532 -> HOOKED (Unknown @ 0x868BE6A0)
SSDT[177] : NtOpenEvent @ 0x82A29CAE -> HOOKED (Unknown @ 0x868FBFD0)
SSDT[190] : NtOpenProcess @ 0x82A2BAF8 -> HOOKED (Unknown @ 0x868BEE78)
SSDT[191] : NtOpenProcessToken @ 0x82A7E23F -> HOOKED (Unknown @ 0x868BEB90)
SSDT[194] : NtOpenSection @ 0x82A838BB -> HOOKED (Unknown @ 0x868D0428)
SSDT[198] : NtOpenThread @ 0x82A77FC3 -> HOOKED (Unknown @ 0x868BED88)
SSDT[215] : NtProtectVirtualMemory @ 0x82A5C5A1 -> HOOKED (Unknown @ 0x868FBDB8)
SSDT[304] : NtResumeThread @ 0x82A8A592 -> HOOKED (Unknown @ 0x868D0F50)
SSDT[316] : NtSetContextThread @ 0x82AF7745 -> HOOKED (Unknown @ 0x868BE338)
SSDT[333] : NtSetInformationProcess @ 0x82A5278D -> HOOKED (Unknown @ 0x868BE4D0)
SSDT[350] : NtSetSystemInformation @ 0x82A6829A -> HOOKED (Unknown @ 0x868D02E0)
SSDT[366] : NtSuspendProcess @ 0x82AF7BD3 -> HOOKED (Unknown @ 0x868D05C0)
SSDT[367] : NtSuspendThread @ 0x82AAF085 -> HOOKED (Unknown @ 0x868BE178)
SSDT[370] : NtTerminateProcess @ 0x82A74BFB -> HOOKED (Unknown @ 0x868B61C0)
SSDT[371] : unknown @ 0x82A92584 -> HOOKED (Unknown @ 0x868BE258)
SSDT[385] : NtUnmapViewOfSection @ 0x82A7E87A -> HOOKED (Unknown @ 0x868BE5C0)
SSDT[399] : NtWriteVirtualMemory @ 0x82A79958 -> HOOKED (Unknown @ 0x868BE948)
S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x84ED4848)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x869FC3B0)
S_SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x86A27BF8)
S_SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x86A52AB8)
S_SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x85D0F698)
S_SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x86BF2C38)
S_SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x86BD4C38)
S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x86BE67A8)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x86A621D8)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86BA4098)
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3400832AS ATA Device +++++
--- User ---
[MBR] 5efd045731889a604ec3892c35e6c54f
[BSP] 73a416a01c7af87de45a54d5d5a14472 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 381512 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] f7ddfe522abcd18587657865c9b08a91
[BSP] 73a416a01c7af87de45a54d5d5a14472 : Windows 7/8 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 381512 Mo
Finished : << RKreport[2]_D_04102013_02d0835.txt >>
RKreport[1]_S_04102013_02d0831.txt ; RKreport[2]_D_04102013_02d0835.txt
Mbar-log-2013-04-10 (09-16-50).txt
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
www.malwarebytes.org
Database version: v2013.04.10.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/10/2013 9:16:50 AM
mbar-log-2013-04-10 (09-16-50).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25821
Time elapsed: 13 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_50_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_781422736_user.mbam (Forged physical sector) -> Delete on reboot.
c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll (Trojan.FakeMS) -> Delete on reboot.
(end)
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
www.malwarebytes.org
Database version: v2013.04.10.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/10/2013 9:16:50 AM
mbar-log-2013-04-10 (09-16-50).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25821
Time elapsed: 13 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_50_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_781422736_user.mbam (Forged physical sector) -> Delete on reboot.
c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll (Trojan.FakeMS) -> Delete on reboot.
(end)
System-log.txt
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 166174720
------------ Kernel report ------------
04/10/2013 08:55:53
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85c0f1b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85764908
Lower Device Driver Name: \00000694\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.10.07
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c10cc8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85764908, DeviceName: \IdeDeviceP0T0L0-0\, DriverName: \00000694\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffbcf06d90, 0xffffffff85c0f1b8, 0xffffffff85139790
Lower DeviceData: 0xffffffffc20f7128, 0xffffffff85764908, 0xffffffff851cdad8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [5b875a22f8ce39ec096216471c83be3f]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Empty (0x0)
Partition is ACTIVE.
Partition starts at LBA: 50 Numsec = 0
Partition is not bootable
Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
Changing partition to empty and not active. New active partition is 0 on drive 0 ...
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
MBR infection found on drive 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-49-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Infected: c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll --> [Trojan.FakeMS]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1204051968
Removal queue found; removal started
Removing c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll...
Removal finished
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 166174720
------------ Kernel report ------------
04/10/2013 08:55:53
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85c0f1b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85764908
Lower Device Driver Name: \00000694\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.10.07
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c10cc8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85764908, DeviceName: \IdeDeviceP0T0L0-0\, DriverName: \00000694\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffbcf06d90, 0xffffffff85c0f1b8, 0xffffffff85139790
Lower DeviceData: 0xffffffffc20f7128, 0xffffffff85764908, 0xffffffff851cdad8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [5b875a22f8ce39ec096216471c83be3f]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Empty (0x0)
Partition is ACTIVE.
Partition starts at LBA: 50 Numsec = 0
Partition is not bootable
Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
Changing partition to empty and not active. New active partition is 0 on drive 0 ...
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
MBR infection found on drive 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-49-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Infected: c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll --> [Trojan.FakeMS]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1204051968
Removal queue found; removal started
Removing c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll...
Removal finished
=======================================
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
www.malwarebytes.org
Database version: v2013.04.10.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/10/2013 9:38:19 AM
mbar-log-2013-04-10 (09-38-19).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25767
Time elapsed: 8 minute(s), 25 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
www.malwarebytes.org
Database version: v2013.04.10.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
clientb :: TANGPHARMACY4 [administrator]
4/10/2013 9:38:19 AM
mbar-log-2013-04-10 (09-38-19).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25767
Time elapsed: 8 minute(s), 25 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 166174720
------------ Kernel report ------------
04/10/2013 08:55:53
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85c0f1b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85764908
Lower Device Driver Name: \00000694\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.10.07
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\,
DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c10cc8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver
\Disk\
DevicePointer: 0xffffffff85764908, DeviceName: \IdeDeviceP0T0L0-0\, DriverName: \00000694\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffbcf06d90, 0xffffffff85c0f1b8, 0xffffffff85139790
Lower DeviceData: 0xffffffffc20f7128, 0xffffffff85764908, 0xffffffff851cdad8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [5b875a22f8ce39ec096216471c83be3f]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Empty (0x0)
Partition is ACTIVE.
Partition starts at LBA: 50 Numsec = 0
Partition is not bootable
Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
Changing partition to empty and not active. New active partition is 0 on drive 0 ...
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
MBR infection found on drive 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-49-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Infected: c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll -->
[Trojan.FakeMS]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1204051968
Removal queue found; removal started
Removing c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll...
Removal finished
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1119338496
------------ Kernel report ------------
04/10/2013 09:29:05
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\imofugc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85a10ac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85551030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85a10ac8, DeviceName: \Device\Harddisk0\DR0\,
DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85a10700, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85a10ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver
\Disk\
DevicePointer: 0xffffffff85551030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName:
\Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffc44c3c58, 0xffffffff85a10ac8, 0xffffffff85256ac8
Lower DeviceData: 0xffffffffc44a5be8, 0xffffffff85551030, 0xffffffff8529a1e0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 166174720
------------ Kernel report ------------
04/10/2013 08:55:53
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85c0f1b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85764908
Lower Device Driver Name: \00000694\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.10.07
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\,
DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c10cc8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85c0f1b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver
\Disk\
DevicePointer: 0xffffffff85764908, DeviceName: \IdeDeviceP0T0L0-0\, DriverName: \00000694\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffbcf06d90, 0xffffffff85c0f1b8, 0xffffffff85139790
Lower DeviceData: 0xffffffffc20f7128, 0xffffffff85764908, 0xffffffff851cdad8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [5b875a22f8ce39ec096216471c83be3f]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Empty (0x0)
Partition is ACTIVE.
Partition starts at LBA: 50 Numsec = 0
Partition is not bootable
Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
Changing partition to empty and not active. New active partition is 0 on drive 0 ...
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
MBR infection found on drive 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-49-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Infected: c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll -->
[Trojan.FakeMS]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1204051968
Removal queue found; removal started
Removing c:\Users\clientb\AppData\Local\kvenZz7qZyWVto\kvenZz7qZyWVto.dll...
Removal finished
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1022
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.391000 GHz
Memory total: 2137145344, free: 1119338496
------------ Kernel report ------------
04/10/2013 09:29:05
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\imofugc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1402000.013\SYMEFA.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130409.021\NAVENG.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMNETS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130406.001\IDSvix86.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-
85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85a10ac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85551030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85a10ac8, DeviceName: \Device\Harddisk0\DR0\,
DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85a10700, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85a10ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver
\Disk\
DevicePointer: 0xffffffff85551030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName:
\Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffc44c3c58, 0xffffffff85a10ac8, 0xffffffff85256ac8
Lower DeviceData: 0xffffffffc44a5be8, 0xffffffff85551030, 0xffffffff8529a1e0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8C879F4
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 80325 Numsec = 781337340
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 400088457216 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-781402768-781422768)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
Windows Explorer crashed 3 times during Malwarebytes Anti-Rootkit, but loaded back up while the program was running. Malwarebytes Anti-Rootkit continued to run without a problem. So far so good with the multiple internet explorer processes. Thanks! I hope we are good to go!
I don't know if this is related to the previous problems, but every time the Windows 7 Pro starts up, I get this message:
Do you want to allow the following program to make changes to this computer?
Program name: Microsoft Windows Based Script Host
Verified publisher: Microsoft Windows
Program location: "C:\Windows\System32\wscript.exe"
"C:\Autotask\Update.vbs" uac
I read on file.net that some malware camouflages itself as wscript.exe, particularly when located in the c:\windows or c:\windows\system32 folder.
Do you want to allow the following program to make changes to this computer?
Program name: Microsoft Windows Based Script Host
Verified publisher: Microsoft Windows
Program location: "C:\Windows\System32\wscript.exe"
"C:\Autotask\Update.vbs" uac
I read on file.net that some malware camouflages itself as wscript.exe, particularly when located in the c:\windows or c:\windows\system32 folder.
Broni
Posts: 56,041 +516
We'll check it out.
Good news though
Makes sure "word wrap" is disabled in Notepad as some of your logs are hard to read.
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247
Please download ComboFix from Here, Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try the following...
Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
Restart computer in safe mode
When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
Good news though
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
If the connection is not there use restore point you created prior to running Combofix. - Double click on combofix.exe & follow the prompts.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try the following...
Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
Restart computer in safe mode
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
ComboFix 13-04-15.01 - clientb 04/15/2013 10:10:55.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.972 [GMT -4:00]
Running from: c:\users\clientb\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\clientb\GoToAssistDownloadHelper.exe
c:\users\pharmadmin\GoToAssistDownloadHelper.exe
c:\users\Tang Pharmacy 4\GoToAssistDownloadHelper.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-03-15 to 2013-04-15 )))))))))))))))))))))))))))))))
.
.
2013-04-10 04:54 . 2013-03-01 03:092347008----a-w-c:\windows\system32\win32k.sys
2013-04-10 04:54 . 2013-01-24 04:47196328----a-w-c:\windows\system32\drivers\fvevol.sys
2013-04-10 04:54 . 2013-03-19 05:043968856----a-w-c:\windows\system32\ntkrnlpa.exe
2013-04-10 04:54 . 2013-03-19 05:043913560----a-w-c:\windows\system32\ntoskrnl.exe
2013-04-10 04:54 . 2013-03-19 04:4838912----a-w-c:\windows\system32\csrsrv.dll
2013-04-10 04:54 . 2013-03-19 02:4969632----a-w-c:\windows\system32\smss.exe
2013-04-10 04:54 . 2013-02-15 04:373217408----a-w-c:\windows\system32\mstscax.dll
2013-04-10 04:54 . 2013-02-15 04:34131584----a-w-c:\windows\system32\aaclient.dll
2013-04-10 04:54 . 2013-02-15 03:2536864----a-w-c:\windows\system32\tsgqec.dll
2013-04-10 04:53 . 2013-03-02 05:071212264----a-w-c:\windows\system32\drivers\ntfs.sys
2013-04-09 20:03 . 2013-04-09 20:03--------d-----w-c:\users\clientb\AppData\Roaming\Malwarebytes
2013-04-09 20:02 . 2013-04-09 20:02--------d-----w-c:\programdata\Malwarebytes
2013-04-09 20:02 . 2013-04-09 20:03--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2013-04-09 20:02 . 2012-12-14 20:4921104----a-w-c:\windows\system32\drivers\mbam.sys
2013-04-09 20:02 . 2013-04-09 20:02--------d-----w-c:\users\clientb\AppData\Local\Programs
2013-04-09 15:00 . 2013-04-09 15:00--------d-----w-C:\N360_BACKUP
2013-04-09 14:51 . 2013-04-09 15:12--------d-----w-c:\program files\Common Files\Symantec Shared
2013-04-09 14:51 . 2013-04-09 14:51--------d-----w-c:\program files\Symantec
2013-04-09 14:51 . 2013-04-09 14:51142496----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2013-04-09 14:50 . 2013-04-09 19:03--------d-----w-c:\windows\system32\drivers\N360
2013-04-09 14:50 . 2013-04-09 14:50--------d-----w-c:\program files\Norton Security Suite
2013-04-09 14:50 . 2013-04-09 14:50--------d-----w-c:\program files\NortonInstaller
2013-04-09 08:00 . 2013-03-15 07:217108640----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{79FD2C2D-F14A-4E70-BBF8-86C643F474AE}\mpengine.dll
2013-04-08 23:14 . 2013-04-08 23:14--------d-----w-c:\users\clientb\AppData\Local\Mozilla
2013-04-08 23:13 . 2013-04-08 23:13--------d-----w-c:\program files\Mozilla Maintenance Service
2013-04-08 22:14 . 2013-04-08 22:14--------d-----w-c:\program files\Common Files\Java
2013-04-08 22:14 . 2013-04-08 22:1494112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-04-08 22:04 . 2013-04-08 22:07--------d-----w-C:\pharmsuite
2013-04-08 21:55 . 2013-04-08 21:55227344----a-w-c:\windows\system32\atsckernel.exe
2013-04-08 21:55 . 2013-04-08 21:55137232----a-w-c:\windows\system32\atashost.exe
2013-04-08 21:55 . 2013-04-09 13:58--------d-----w-c:\programdata\WebEx
2013-04-04 14:21 . 2013-02-12 03:3215872----a-w-c:\windows\system32\drivers\usb8023.sys
2013-04-02 18:22 . 2013-04-02 18:22--------d-----r-c:\users\clientb\AppData\Roaming\Brother
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-08 22:14 . 2012-03-08 14:56861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-04-08 22:14 . 2011-11-11 14:36782240----a-w-c:\windows\system32\deployJava1.dll
2013-03-12 05:10 . 2011-03-09 17:36237088------w-c:\windows\system32\MpSigStub.exe
2013-02-12 04:48 . 2013-04-04 14:21474112----a-w-c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-04-04 14:212176512----a-w-c:\windows\apppatch\AcGenral.dll
2013-03-27 02:18 . 2013-04-08 23:13263064----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"MPSUpg"="c:\autotask\update.vbs" [2012-08-09 240382]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe" [2011-11-08 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2012-09-01 13:3813672----a-w-c:\program files\Citrix\GoToAssist\822\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [x]
S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130412.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1402000.013\SYMNETS.SYS [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe [x]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2371939056-566542986-112303387-1139Core.job
- c:\users\clientb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 19:49]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2371939056-566542986-112303387-1139UA.job
- c:\users\clientb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 19:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://connect.mckesson.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: axway.com
Trusted Zone: cyclonecommerce.com
Trusted Zone: deaecom.gov
Trusted Zone: mckesson.com
TCP: Interfaces\{E88E9D34-B211-401B-BA1A-FF54F157AD43}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\clientb\AppData\Roaming\Mozilla\Firefox\Profiles\fjzj6ij7.default\
FF - ExtSQL: !HIDDEN! 2013-04-09 15:36; {7434560e-996e-4e46-9a9c-4a857b9cbc7d}; c:\users\clientb\AppData\Roaming\Mozilla\Firefox\Profiles\fjzj6ij7.default\extensions\{7434560e-996e-4e46-9a9c-4a857b9cbc7d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-15 10:22:55
ComboFix-quarantined-files.txt 2013-04-15 14:22
.
Pre-Run: 376,038,154,240 bytes free
Post-Run: 375,959,556,096 bytes free
.
- - End Of File - - 4D8B1382A88E9112BB9499F053F4490C
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.972 [GMT -4:00]
Running from: c:\users\clientb\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\clientb\GoToAssistDownloadHelper.exe
c:\users\pharmadmin\GoToAssistDownloadHelper.exe
c:\users\Tang Pharmacy 4\GoToAssistDownloadHelper.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-03-15 to 2013-04-15 )))))))))))))))))))))))))))))))
.
.
2013-04-10 04:54 . 2013-03-01 03:092347008----a-w-c:\windows\system32\win32k.sys
2013-04-10 04:54 . 2013-01-24 04:47196328----a-w-c:\windows\system32\drivers\fvevol.sys
2013-04-10 04:54 . 2013-03-19 05:043968856----a-w-c:\windows\system32\ntkrnlpa.exe
2013-04-10 04:54 . 2013-03-19 05:043913560----a-w-c:\windows\system32\ntoskrnl.exe
2013-04-10 04:54 . 2013-03-19 04:4838912----a-w-c:\windows\system32\csrsrv.dll
2013-04-10 04:54 . 2013-03-19 02:4969632----a-w-c:\windows\system32\smss.exe
2013-04-10 04:54 . 2013-02-15 04:373217408----a-w-c:\windows\system32\mstscax.dll
2013-04-10 04:54 . 2013-02-15 04:34131584----a-w-c:\windows\system32\aaclient.dll
2013-04-10 04:54 . 2013-02-15 03:2536864----a-w-c:\windows\system32\tsgqec.dll
2013-04-10 04:53 . 2013-03-02 05:071212264----a-w-c:\windows\system32\drivers\ntfs.sys
2013-04-09 20:03 . 2013-04-09 20:03--------d-----w-c:\users\clientb\AppData\Roaming\Malwarebytes
2013-04-09 20:02 . 2013-04-09 20:02--------d-----w-c:\programdata\Malwarebytes
2013-04-09 20:02 . 2013-04-09 20:03--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2013-04-09 20:02 . 2012-12-14 20:4921104----a-w-c:\windows\system32\drivers\mbam.sys
2013-04-09 20:02 . 2013-04-09 20:02--------d-----w-c:\users\clientb\AppData\Local\Programs
2013-04-09 15:00 . 2013-04-09 15:00--------d-----w-C:\N360_BACKUP
2013-04-09 14:51 . 2013-04-09 15:12--------d-----w-c:\program files\Common Files\Symantec Shared
2013-04-09 14:51 . 2013-04-09 14:51--------d-----w-c:\program files\Symantec
2013-04-09 14:51 . 2013-04-09 14:51142496----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2013-04-09 14:50 . 2013-04-09 19:03--------d-----w-c:\windows\system32\drivers\N360
2013-04-09 14:50 . 2013-04-09 14:50--------d-----w-c:\program files\Norton Security Suite
2013-04-09 14:50 . 2013-04-09 14:50--------d-----w-c:\program files\NortonInstaller
2013-04-09 08:00 . 2013-03-15 07:217108640----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{79FD2C2D-F14A-4E70-BBF8-86C643F474AE}\mpengine.dll
2013-04-08 23:14 . 2013-04-08 23:14--------d-----w-c:\users\clientb\AppData\Local\Mozilla
2013-04-08 23:13 . 2013-04-08 23:13--------d-----w-c:\program files\Mozilla Maintenance Service
2013-04-08 22:14 . 2013-04-08 22:14--------d-----w-c:\program files\Common Files\Java
2013-04-08 22:14 . 2013-04-08 22:1494112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-04-08 22:04 . 2013-04-08 22:07--------d-----w-C:\pharmsuite
2013-04-08 21:55 . 2013-04-08 21:55227344----a-w-c:\windows\system32\atsckernel.exe
2013-04-08 21:55 . 2013-04-08 21:55137232----a-w-c:\windows\system32\atashost.exe
2013-04-08 21:55 . 2013-04-09 13:58--------d-----w-c:\programdata\WebEx
2013-04-04 14:21 . 2013-02-12 03:3215872----a-w-c:\windows\system32\drivers\usb8023.sys
2013-04-02 18:22 . 2013-04-02 18:22--------d-----r-c:\users\clientb\AppData\Roaming\Brother
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-08 22:14 . 2012-03-08 14:56861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-04-08 22:14 . 2011-11-11 14:36782240----a-w-c:\windows\system32\deployJava1.dll
2013-03-12 05:10 . 2011-03-09 17:36237088------w-c:\windows\system32\MpSigStub.exe
2013-02-12 04:48 . 2013-04-04 14:21474112----a-w-c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-04-04 14:212176512----a-w-c:\windows\apppatch\AcGenral.dll
2013-03-27 02:18 . 2013-04-08 23:13263064----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"MPSUpg"="c:\autotask\update.vbs" [2012-08-09 240382]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe" [2011-11-08 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2012-09-01 13:3813672----a-w-c:\program files\Citrix\GoToAssist\822\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [x]
S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130412.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1402000.013\SYMNETS.SYS [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe [x]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2371939056-566542986-112303387-1139Core.job
- c:\users\clientb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 19:49]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2371939056-566542986-112303387-1139UA.job
- c:\users\clientb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 19:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://connect.mckesson.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: axway.com
Trusted Zone: cyclonecommerce.com
Trusted Zone: deaecom.gov
Trusted Zone: mckesson.com
TCP: Interfaces\{E88E9D34-B211-401B-BA1A-FF54F157AD43}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\clientb\AppData\Roaming\Mozilla\Firefox\Profiles\fjzj6ij7.default\
FF - ExtSQL: !HIDDEN! 2013-04-09 15:36; {7434560e-996e-4e46-9a9c-4a857b9cbc7d}; c:\users\clientb\AppData\Roaming\Mozilla\Firefox\Profiles\fjzj6ij7.default\extensions\{7434560e-996e-4e46-9a9c-4a857b9cbc7d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-15 10:22:55
ComboFix-quarantined-files.txt 2013-04-15 14:22
.
Pre-Run: 376,038,154,240 bytes free
Post-Run: 375,959,556,096 bytes free
.
- - End Of File - - 4D8B1382A88E9112BB9499F053F4490C
Broni
Posts: 56,041 +516
Looks good.
How is computer doing?
Please download AdwCleaner by Xplode onto your desktop.
Please download Junkware Removal Tool to your desktop.
Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
How is computer doing?
- Close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the contents of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Click the Scan All Users checkbox.
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
- Status
Similar threads
