Inactive Svchost.exe trojan.agent malware removal help?


rwhite1954

Malwarebytes is detecting 2 trojan.agent items tied to c:\windows\svchost.exe. When I select to remove it via Malwarebytes, it tries to remove it, but after rebooting, the windows\svchost.exe file is still there, and a Malwarebytes scan detects it again.

Sure hope someone can help me get this removed.

AV, Malware & DDS logs coming in next post.

Thanks in advance for any help that you can provide!
 
Malwarebytes log

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ryan :: RYAN-HP [administrator]

Protection: Enabled

4/1/2012 10:02:43 PM
mbam-log-2012-04-01 (22-02-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 189974
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 4484 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
 
DDS logs

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Ryan at 23:19:56 on 2012-04-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.2076 [GMT -5:00]
.
AV: Norton 360 Premier Edition *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 Premier Edition *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\SysWOW64\ezSharedSvcHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe
C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/?_bc=1
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\IPS\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2F506DBF-52B8-468F-B465-5D8E1A207FE8} : DhcpNameServer = 150.100.2.6
TCP: Interfaces\{8F29B21D-9C19-45BA-A762-2D1D333A7290} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64: TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\coIEPlg.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [(Default)]
mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
SEH-X64: EasyBits ShellExecute Hook: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [2012-3-17 1157240]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120330.002\IDSviA64.sys [2012-3-30 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-10-15 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-8-29 514232]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-18 265544]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-2-28 92216]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-10-15 2375168]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-1 652360]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.0.13\ccsvchst.exe [2012-4-1 130008]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\amdhub30.sys --> C:\Windows\system32\DRIVERS\amdhub30.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\amdxhc.sys --> C:\Windows\system32\DRIVERS\amdxhc.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-4-1 138360]
R3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-02 03:13:59 20480 ------w- C:\Windows\svchost.exe
2012-04-02 02:14:20 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-04-02 00:55:26 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Malwarebytes
2012-04-02 00:55:18 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-02 00:55:17 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-02 00:55:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-02 00:30:03 912504 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\symefa64.sys
2012-04-02 00:30:03 450680 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\symds64.sys
2012-04-02 00:30:03 386168 ----a-w- C:\Windows\System32\drivers\N360x64\0502000.00D\symnets.sys
2012-04-02 00:30:02 744568 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\srtsp64.sys
2012-04-02 00:30:02 40568 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\srtspx64.sys
2012-04-02 00:30:02 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0502000.00D\ironx64.sys
2012-04-02 00:29:54 -------- d-----w- C:\Windows\System32\drivers\N360x64\0502000.00D
2012-04-02 00:19:30 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-04-02 00:19:27 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-04-02 00:19:27 -------- d-----w- C:\Program Files\Symantec
2012-04-02 00:19:27 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-04-02 00:19:15 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-04-02 00:19:15 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-04-02 00:18:18 -------- d-----w- C:\Windows\System32\drivers\N360x64
2012-04-02 00:18:03 -------- d-----w- C:\Program Files (x86)\Norton 360 Premier Edition
2012-04-02 00:14:48 -------- d-----w- C:\ProgramData\PCSettings
2012-04-02 00:12:51 -------- d-----w- C:\Users\Ryan\AppData\Local\AMD
2012-04-02 00:07:53 -------- d-----w- C:\Users\Ryan\AppData\Local\ATI
2012-04-02 00:06:50 -------- d-----w- C:\Users\Ryan\AppData\Roaming\hpqLog
2012-04-02 00:06:43 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Synaptics
2012-04-02 00:05:44 -------- d-----w- C:\Users\Ryan\AppData\Local\RemEngine
2012-04-02 00:00:48 -------- d-----w- C:\Users\Ryan\AppData\Local\Hewlett-Packard
2012-04-02 00:00:18 -------- d-----w- C:\Users\Ryan\AppData\Local\Hewlett-Packard_Company
2012-04-02 00:00:00 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-02 00:00:00 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-02 00:00:00 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-01 23:59:58 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-04-01 23:59:58 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-04-01 23:59:58 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-01 23:59:58 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-04-01 23:56:08 -------- d-----w- C:\Users\Ryan\AppData\Local\VirtualStore
.
==================== Find3M ====================
.
2012-04-02 01:43:20 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 23:20:35.71 ===============
 
DDS Attach file

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/1/2012 6:55:38 PM
System Uptime: 4/1/2012 10:24:07 PM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 358B
Processor: AMD A8-3500M APU with Radeon(tm) HD Graphics | Socket FS1 | 1500/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 449 GiB total, 421.042 GiB free.
D: is FIXED (NTFS) - 17 GiB total, 1.857 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 4/1/2012 6:58:34 PM - First_User_Boot
RP4: 4/1/2012 7:06:53 PM - Windows Update
RP5: 4/1/2012 8:42:19 PM - Installed Java(TM) 6 Update 31
.
==== Installed Programs ======================
.
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader X MUI
Adobe Shockwave Player 11.5
Agatha Christie - Peril at End House
AMD System Monitor
AMD VISION Engine Control Center
Bejeweled 2 Deluxe
Bejeweled 3
Bing Bar
Blackhawk Striker 2
Blasterball 3
Blio
Bounce Symphony
Build-a-lot 2
Cake Mania
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
CyberLink YouCam
D3DX10
Diner Dash 2 Restaurant Rescue
Dora's World Adventure
Energy Star Digital Logo
ESU for Microsoft Windows 7
Evernote v. 4.2.2
Farm Frenzy
FATE - The Traitor Soul
HP Connection Manager
HP Customer Experience Enhancements
HP DVB-T TV Tuner 8.0.64.43
HP Games
HP MovieStore
HP On Screen Display
HP Power Manager
HP Quick Launch
HP Setup
HP Setup Manager
HP SimplePass 2011
HP Software Framework
HP Support Assistant
HPAsset component for HP Active Support Library
IDT Audio
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
Magic Desktop
Mah Jong Medley
Malwarebytes Anti-Malware version 1.60.1.1000
Mesh Runtime
Microsoft Office 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
MSVCRT
MSVCRT_amd64
Mystery P.I. - Stolen in San Francisco
Namco All-Stars PAC-MAN
Norton 360 Premier Edition
Penguins!
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime x86
Poker Superstars III
Polar Bowler
Polar Golfer
Ralink RT5390 802.11b/g/n WiFi Adapter
Realtek Ethernet Controller Driver
Realtek PCIE Card Reader
Recovery Manager
RoxioNow Player
Slingo Supreme
Update Installer for WildTangent Games App
Virtual Villagers 4 - The Tree of Life
Wheel of Fortune 2
WildTangent Games App (HP Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
4/1/2012 9:08:59 PM, Error: Service Control Manager [7034] - The HP Client Services service terminated unexpectedly. It has done this 1 time(s).
4/1/2012 9:08:54 PM, Error: Service Control Manager [7034] - The TrueSuiteService service terminated unexpectedly. It has done this 1 time(s).
4/1/2012 8:03:37 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002f9316a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040112-44226-01.
4/1/2012 7:48:27 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the N360 service.
4/1/2012 10:13:43 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
.
==== End Of File ===========================
 
Did you have any antivirus program before you added Norton on 4/2/2012?

Are you having or noticing any system problems at this time?

Do you understand that svchost.exe is also a legitimate process, and that you may observe multiple svchost.exe entries in the Task Manager (I usually have 7-9)? But malware can also hide behind the name, so we look further.

The more information I have from you, the easier it is to help.
=================================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or from http://www.forospyware.com/sUBs/ComboFix.exe and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
===================================
Please leave the logs in your next reply.
 
Problems experiencing...

Bobbye, many thanks for the quick response!

This is my son's laptop; we gave it to him new at Christmas. It had Norton Antivirus activated on it at that time, but it very likely could have been a 60-day trial version that may have expired sometime in February, but I don't know for sure.

He had what I'm assuming was a malware "fake" antivirus notification pop up and hit the "fix it" button, which launched off multiple repeat windows and basically rendered his laptop unusable - eventually driving it to a "blue screen" when trying to shut down.

I managed to get it rebooted in Safe Mode, and did a "recover to factory condition" option, which deleted all prior installed software and restored it to the condition it was in when new. After the restore, the laptop appeared to be working ok, but when I put Malwarebytes Pro on and ran the scan, it detected the Trojan.Agent in svchost.exe.

Malwarebytes now frequently pops up a message stating that it blocks malicious outgoing traffic to IP addresses 89.114.9.96 & 89.114.9.97. It also occasionally pops up another Trojan.Agent detection message providing the option to quarantine the malware.

I realize that svchost.exe is also a valid Windows application. However, the valid Windows application is in the Windows/System32 folder. The rogue application is in the Windows folder (not Windows/System32). The rogue application also is made to appear as if it was created/modified at the same time/date as the valid "Windows/System32/svchost.exe", but the properties on the rogue application state a create date of "4/1/2012".

I can identify the rogue svchost.exe process and, if I'm quick enough, I can halt the process, and delete the rogue application. However, the process somehow starts back up again and the application appears in the c:\Windows folder.

Not sure how the virus survived the "restore to factory condition" option - other than I'm guessing that option didn't perform a full reformatting of the hard-drive and OS install?

Hope the additional info helps. Thanks for the additional steps to follow. I'll be available to run them later on tonight and will post the results. If any additional questions, let me know.

Many thanks again for all the help!
 
Task Manager info for Svchost.exe rogue service.

Forgot to add that the rogue svchost.exe service appears in Task Manager as "svchost.exe *32", and when I also display the Image Path Name and Command Line columns in the Task Manager view, this rogue service shows:

Image Path Name of "c:\Windows\svchost.exe" (other valid svchost services show "c:\Windows\System32\svchost.exe").

Command Line of "-netsvcs" (other valid svchost services list command line of "c:\windows\system32\svchost.exe -k .......").

The rogue service description also lists "winrscmde".

Will be downloading your recommended utilities and posting results in an hour or so. Thanks!
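The three indicators described in the two posts above (directory outside System32, a "*32" instance, and a command line with no "-k <group>") can be turned into a small triage check. The script below is an added example for this thread, not something the poster or the helper ran; the process rows in it are constructed from the Task Manager columns quoted above (PIDs, parents and the extra "right binary, wrong launcher" row are made up), and the parent-process rule is a general one the thread does not mention but that holds on Windows 7, where every legitimate svchost.exe is started by services.exe.

```python
"""svchost.exe triage over process records (added example, not from the thread).

Rules: the first two are the indicators described in the posts above, the
third is a general one the thread does not mention but that holds on
Windows 7 (every legitimate svchost.exe is started by services.exe).
  1. A 64-bit instance lives at %SystemRoot%\\System32\\svchost.exe and a
     WOW64 instance ("svchost.exe *32" in Task Manager) at
     %SystemRoot%\\SysWOW64\\svchost.exe; anything else is a look-alike.
  2. The command line names a service group: "... svchost.exe -k <group>".
  3. The parent process is services.exe.
"""
import ntpath  # Windows path semantics even when this runs elsewhere
import re
from dataclasses import dataclass

SYSTEM_ROOT = r"C:\Windows"
GROUP_RE = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image_path: str
    cmdline: str
    is_wow64: bool          # True for the "*32" rows in Task Manager on x64
    parent_image: str = ""  # basename of the parent's image; "" if not known


def expected_path(is_wow64: bool) -> str:
    sub = "SysWOW64" if is_wow64 else "System32"
    return ntpath.join(SYSTEM_ROOT, sub, "svchost.exe").lower()


def svchost_findings(p: Proc) -> list[str]:
    """Reasons this svchost.exe record looks wrong; an empty list means clean."""
    norm = ntpath.normpath(p.image_path).lower()
    if ntpath.basename(norm) != "svchost.exe":
        return []  # not an svchost record, nothing to judge
    reasons = []
    if norm != expected_path(p.is_wow64):
        reasons.append(f"image path {p.image_path} is not {expected_path(p.is_wow64)}")
    if not GROUP_RE.search(p.cmdline):
        reasons.append(f"command line {p.cmdline!r} carries no '-k <group>'")
    if p.parent_image and p.parent_image.lower() != "services.exe":
        reasons.append(f"parent is {p.parent_image}, expected services.exe")
    return reasons


def triage(procs: list[Proc]) -> dict[int, list[str]]:
    """PID -> findings, for every svchost.exe record that fails a rule."""
    return {p.pid: r for p in procs if (r := svchost_findings(p))}


# Constructed sample rows modelled on the Task Manager columns quoted above.
# PIDs and parents are made up except where the thread gives them.
SAMPLE = [
    Proc(752, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k DcomLaunch", False, "services.exe"),
    Proc(876, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k RPCSS", False, "services.exe"),
    # The rogue process as the poster described it: wrong directory, "*32",
    # command line "-netsvcs" with no "-k". Parent not reported, so left blank.
    Proc(4484, r"c:\Windows\svchost.exe", "-netsvcs", True),
    # Constructed: right binary, wrong launcher (not something the thread saw)
    Proc(5120, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs", False, "cmd.exe"),
    Proc(1596, r"C:\Windows\explorer.exe", "explorer.exe", False, "userinit.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("   ", r)
```

Run against real data, the rows would come from Task Manager's Image Path Name and Command Line columns (or a Process Explorer export); the point of the path rule is that a "*32" svchost.exe can only legitimately live in SysWOW64, so the poster's c:\Windows\svchost.exe fails it on two counts at once.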
 
The IP 89.114.9.96 is a site in Romania. If it's incoming, something is trying to access the system. If it's outgoing, something in the system is trying to access the remote server. Either way, Malwarebytes is acting correctly blocking it.

If your son hit FIX on the popup, he most likely activated malware.
========================================
Since we are now trying to find and remove the malware, please don't do any restores. We will work what is on the system now. Once you run Combofix and the Eset scan, I'll have more to go on.

Additionally, let the svchost.exe processes run. We need to find it to remove it. Here's the bad guy: 2012-04-02 03:13:59 20480 ------w- C:\Windows\svchost.exe

But we have to find what's generating it.

There is a possibility you need to be aware of: if the malware had a Backdoor in it, that could be why it survived the factory reset. If that turns out to be correct, it's possible the system has been compromised.

Be sure that Norton is disabled when you run Combofix so we get a good scan.
=============================
Are you only able to boot into Safe Mode, not Normal Mode? If Yes, make sure it's Safe Mode with Networking. I believe that will allow the Recovery Console in Combofix and it will be best to get that on the system.
 
Combofix & ESET Results

I tried Combofix and it got hung up after completing step 4. I let it go for hours (actually overnight), but the cursor remained blinking after stating that it completed Step 4.

I finally closed it this morning. When I downloaded it, a warning message popped up at the bottom of my screen stating it was a potentially harmful program, and gave me 2 options - delete the program, or allow it to remain, but don't allow it to launch. I chose the latter, and it appeared to download to the desktop just fine.

I also disabled Norton 360 Antivirus Auto Protect and Malwarebytes protection settings via right-clicking on the systray icons for both. However, when I launched Combofix, it stated that Norton 360 scanning options were still enabled. So, I went into Norton 360 and turned off a couple additional scanning settings. I also tried to exit out of the Combofix pop-up message, thinking it might halt Combofix, but Combofix proceeded and I didn't want to stop it.

End result = Combofix continued running, but never completed after running for hours.

After ending Combofix this morning, I did run ESET. Here's the results of the ESET text file:
C:\Users\Ryan\AppData\Local\Temp\Av-test.txt Eicar test file

2 other pieces of relevant information....

I CAN boot up to the regular Windows (not just Safe mode). You had asked about that. When I did the original "restore to factory settings" in recovery mode, the system booted up fine and seemed fine (other than Malwarebytes detecting the problems). If I hadn't installed Malwarebytes pro and enabled protect mode, I likely wouldn't have found anything wrong. Fyi, Malwarebytes continues to periodically block outgoing traffic to the 2 IP addresses I posted to you earlier.

Also, Windows update downloaded updates and forced a restart on me yesterday (prior to me doing anything with Combofix & ESET). One of the items it installed was "Windows Malicious Software Removal Tool - KB890830". After rebooting, that tool launched automatically and popped up a results box that stated it detected "Trojan:DOS/Alureon.A" and said it partially removed it, followed by this recommendation. Fyi, I didn't perform any of these steps - will wait for your advice.:

This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:

bootrec /fixmbr

bootrec /fixboot

bootrec /rebuildbcd

For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".
 
TDSSKiller & MBRCheck Results

Ran TDSSKiller as instructed. There wasn't an option called "Quarantine", but there was an option called "Copy to Quarantine". I selected that option, but it didn't require a reboot as you alluded to. So, I reran the TDSSKiller scan and selected "Cure". After running "Cure", it prompted for a reboot.

After reboot, I reran MBRCheck. Here are the results from MBRCheck:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 218):
0x02C1F000 \SystemRoot\system32\ntoskrnl.exe
0x03208000 \SystemRoot\system32\hal.dll
0x00BAA000 \SystemRoot\system32\kdcom.dll
0x00C4A000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00C57000 \SystemRoot\system32\PSHED.dll
0x00C6B000 \SystemRoot\system32\CLFS.SYS
0x00CC9000 \SystemRoot\system32\CI.dll
0x00EC3000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F67000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F76000 \SystemRoot\system32\drivers\ACPI.sys
0x00FCD000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00FD6000 \SystemRoot\system32\drivers\msisadrv.sys
0x00E00000 \SystemRoot\system32\drivers\pci.sys
0x00E33000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00E40000 \SystemRoot\System32\drivers\partmgr.sys
0x00E55000 \SystemRoot\system32\drivers\compbatt.sys
0x00E5E000 \SystemRoot\system32\drivers\BATTC.SYS
0x00E6A000 \SystemRoot\system32\drivers\volmgr.sys
0x00D89000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E7F000 \SystemRoot\system32\drivers\pciide.sys
0x00E86000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00E96000 \SystemRoot\System32\drivers\mountmgr.sys
0x00EB0000 \SystemRoot\system32\drivers\atapi.sys
0x00C00000 \SystemRoot\system32\drivers\ataport.SYS
0x00FE0000 \SystemRoot\system32\drivers\msahci.sys
0x00C2A000 \SystemRoot\system32\DRIVERS\amd_sata.sys
0x01017000 \SystemRoot\system32\DRIVERS\storport.sys
0x0107A000 \SystemRoot\system32\DRIVERS\amd_xata.sys
0x01088000 \SystemRoot\system32\drivers\amdxata.sys
0x01093000 \SystemRoot\system32\drivers\fltmgr.sys
0x010DF000 \SystemRoot\system32\drivers\N360x64\0502010.003\SYMDS64.SYS
0x01150000 \SystemRoot\system32\drivers\fileinfo.sys
0x01260000 \SystemRoot\system32\drivers\N360x64\0502010.003\SYMEFA64.SYS
0x0144D000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01344000 \SystemRoot\System32\Drivers\msrpc.sys
0x01400000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01164000 \SystemRoot\System32\Drivers\cng.sys
0x0141B000 \SystemRoot\System32\drivers\pcw.sys
0x0142C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01656000 \SystemRoot\system32\drivers\ndis.sys
0x01749000 \SystemRoot\system32\drivers\NETIO.SYS
0x017A9000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01847000 \SystemRoot\System32\drivers\tcpip.sys
0x01A4B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A95000 \SystemRoot\system32\drivers\volsnap.sys
0x01AE1000 \SystemRoot\System32\Drivers\spldr.sys
0x01AE9000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B23000 \SystemRoot\System32\Drivers\mup.sys
0x01B35000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B3E000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x01B48000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01B82000 \SystemRoot\system32\drivers\disk.sys
0x01B98000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x01813000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0183D000 \SystemRoot\System32\Drivers\Null.SYS
0x01BF7000 \SystemRoot\System32\Drivers\Beep.SYS
0x017D4000 \SystemRoot\System32\drivers\vga.sys
0x01600000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x01625000 \SystemRoot\System32\drivers\watchdog.sys
0x01635000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x0163E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01647000 \SystemRoot\system32\drivers\rdprefmp.sys
0x017E2000 \SystemRoot\System32\Drivers\Msfs.SYS
0x017ED000 \SystemRoot\System32\Drivers\Npfs.SYS
0x013A2000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01436000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02EC9000 \SystemRoot\system32\drivers\afd.sys
0x02F52000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02F97000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x02FA2000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02FAB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02FD1000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x02FE7000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02E00000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02E1B000 \SystemRoot\system32\drivers\termdd.sys
0x02E2F000 \SystemRoot\System32\Drivers\N360x64\0502010.003\SYMNETS.SYS
0x013C4000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x02E96000 \SystemRoot\system32\drivers\N360x64\0502010.003\Ironx64.SYS
0x01200000 \SystemRoot\system32\drivers\N360x64\0502010.003\SRTSPX64.SYS
0x040A9000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x040FA000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04106000 \SystemRoot\system32\drivers\mssmbios.sys
0x04111000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120404.002\IDSvia64.sys
0x04000000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x04079000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x0418E000 \SystemRoot\System32\drivers\discache.sys
0x0419D000 \SystemRoot\System32\Drivers\dfsc.sys
0x041BB000 \SystemRoot\system32\drivers\blbdrive.sys
0x04276000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120317.002\BHDrvx64.sys
0x04395000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x043BB000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x04200000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x04A1D000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x04448000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0453C000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04582000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x05344000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x05842000 \SystemRoot\system32\DRIVERS\netr28x.sys
0x05992000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x0599F000 \SystemRoot\system32\DRIVERS\RtsPStor.sys
0x05800000 \SystemRoot\system32\DRIVERS\amdxhc.sys
0x05831000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05833000 \SystemRoot\system32\DRIVERS\usbfilter.sys
0x045A6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x059F5000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x054DE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x05534000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x05545000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x05563000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x05A70000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x05BCD000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x05BDC000 \SystemRoot\system32\drivers\CmBatt.sys
0x05BE1000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x05BEE000 \SystemRoot\system32\drivers\wmiacpi.sys
0x05A00000 \SystemRoot\system32\drivers\CompositeBus.sys
0x05A10000 \SystemRoot\system32\DRIVERS\clwvd.sys
0x05A16000 \SystemRoot\system32\DRIVERS\ks.sys
0x05A59000 \SystemRoot\system32\drivers\ksthunk.sys
0x05572000 \SystemRoot\System32\Drivers\fastfat.SYS
0x055A8000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x055BE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x05A5F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x05400000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0542F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0544A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0546B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x05A6B000 \SystemRoot\system32\drivers\swenum.sys
0x05485000 \SystemRoot\system32\DRIVERS\amdiox64.sys
0x05499000 \SystemRoot\system32\DRIVERS\circlass.sys
0x054AB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x054BD000 \SystemRoot\system32\DRIVERS\amdhub30.sys
0x06AFE000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x06B58000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x06B6D000 \SystemRoot\system32\drivers\AtihdW76.sys
0x06B8D000 \SystemRoot\system32\drivers\portcls.sys
0x06BCA000 \SystemRoot\system32\drivers\drmk.sys
0x06A00000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x06A83000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06AA0000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x06AAE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x06AC7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x06AD0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x06ADE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x06AEB000 \SystemRoot\System32\drivers\Dxapi.sys
0x06BEC000 \SystemRoot\System32\Drivers\crashdmp.sys
0x055E2000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x045B3000 \SystemRoot\System32\Drivers\dump_amd_sata.sys
0x055EC000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x045CA000 \SystemRoot\System32\Drivers\usbvideo.sys
0x04400000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00530000 \SystemRoot\System32\TSDDD.dll
0x006A0000 \SystemRoot\System32\cdd.dll
0x00860000 \SystemRoot\System32\ATMFD.DLL
0x0440E000 \SystemRoot\system32\drivers\luafv.sys
0x053AE000 \SystemRoot\system32\drivers\WudfPf.sys
0x04431000 \SystemRoot\system32\DRIVERS\WinUSB.sys
0x053CF000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x04A00000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x07A87000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x07ADA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x07AED000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x07B05000 \SystemRoot\system32\drivers\HTTP.sys
0x07BCE000 \SystemRoot\system32\DRIVERS\bowser.sys
0x07A00000 \SystemRoot\System32\drivers\mpsdrv.sys
0x07A18000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x08E5A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x08EA8000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x08ECC000 \SystemRoot\system32\drivers\peauth.sys
0x08F72000 \SystemRoot\System32\Drivers\secdrv.SYS
0x08F7D000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x08FAE000 \SystemRoot\System32\drivers\tcpipreg.sys
0x096FE000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09767000 \SystemRoot\System32\DRIVERS\srv.sys
0x09600000 \SystemRoot\System32\Drivers\N360x64\0502010.003\SRTSP64.SYS
0x0AE08000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120404.033\EX64.SYS
0x096C0000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120404.033\ENG64.SYS
0x096E0000 \??\C:\Windows\system32\drivers\mbam.sys
0x778B0000 \Windows\System32\ntdll.dll
0x47F50000 \Windows\System32\smss.exe
0xFFBD0000 \Windows\System32\apisetschema.dll
0xFFCC0000 \Windows\System32\autochk.exe
0x777B0000 \Windows\System32\user32.dll
0xFF9B0000 \Windows\System32\ole32.dll
0xFF910000 \Windows\System32\msvcrt.dll
0x77690000 \Windows\System32\kernel32.dll
0x77A80000 \Windows\System32\normaliz.dll
0xFF800000 \Windows\System32\msctf.dll
0x77A70000 \Windows\System32\psapi.dll
0x77480000 \Windows\System32\iertutil.dll
0xFF730000 \Windows\System32\usp10.dll
0xFF650000 \Windows\System32\oleaut32.dll
0x77320000 \Windows\System32\wininet.dll
0xFF5E0000 \Windows\System32\gdi32.dll
0xFE850000 \Windows\System32\shell32.dll
0xFE7B0000 \Windows\System32\clbcatq.dll
0xFE760000 \Windows\System32\ws2_32.dll
0xFE740000 \Windows\System32\imagehlp.dll
0xFE560000 \Windows\System32\setupapi.dll
0xFE540000 \Windows\System32\sechost.dll
0xFE410000 \Windows\System32\rpcrt4.dll
0xFE370000 \Windows\System32\comdlg32.dll
0xFE2F0000 \Windows\System32\shlwapi.dll
0xFE290000 \Windows\System32\Wldap32.dll
0xFE260000 \Windows\System32\imm32.dll
0xFE180000 \Windows\System32\advapi32.dll
0xFE170000 \Windows\System32\lpk.dll
0xFE0F0000 \Windows\System32\difxapi.dll
0xFE0E0000 \Windows\System32\nsi.dll
0x771D0000 \Windows\System32\urlmon.dll
0xFE0A0000 \Windows\System32\wintrust.dll
0xFDF30000 \Windows\System32\crypt32.dll
0xFDEC0000 \Windows\System32\KernelBase.dll
0xFDEA0000 \Windows\System32\devobj.dll
0xFDE60000 \Windows\System32\cfgmgr32.dll
0xFDDC0000 \Windows\System32\comctl32.dll
0xFDDB0000 \Windows\System32\msasn1.dll
0x75D30000 \Windows\SysWOW64\normaliz.dll

Processes (total 86):
0 System Idle Process
4 System
300 C:\Windows\System32\smss.exe
448 csrss.exe
512 C:\Windows\System32\wininit.exe
544 csrss.exe
576 C:\Windows\System32\services.exe
592 C:\Windows\System32\lsass.exe
600 C:\Windows\System32\lsm.exe
688 C:\Windows\System32\winlogon.exe
752 C:\Windows\System32\svchost.exe
816 C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
876 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\atiesrxx.exe
1016 C:\Windows\System32\svchost.exe
316 C:\Windows\System32\svchost.exe
568 C:\Windows\System32\svchost.exe
524 C:\Program Files\IDT\WDM\stacsv64.exe
1084 C:\Windows\System32\audiodg.exe
1252 C:\Windows\System32\svchost.exe
1300 C:\Windows\System32\hpservice.exe
1356 C:\Windows\System32\atieclxx.exe
1376 WUDFHost.exe
1572 C:\Windows\System32\dwm.exe
1596 C:\Windows\explorer.exe
1608 C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
1692 C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
1796 C:\Windows\System32\svchost.exe
1932 C:\Windows\System32\spoolsv.exe
1964 C:\Windows\System32\taskhost.exe
2012 C:\Windows\System32\svchost.exe
368 C:\Windows\System32\svchost.exe
1216 C:\Program Files\IDT\WDM\sttray64.exe
1200 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2100 C:\Program Files\IDT\WDM\AESTSr64.exe
2176 C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
2236 C:\Windows\SysWOW64\ezSharedSvcHost.exe
2324 C:\Windows\System32\svchost.exe
2360 C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
2408 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
2472 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
2544 C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
2552 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
2632 C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccsvchst.exe
2656 C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
2664 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
2684 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2876 C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
2916 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
2980 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
3032 C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
2676 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2844 WmiPrvSE.exe
3268 C:\Windows\System32\wbem\unsecapp.exe
3516 C:\Windows\System32\svchost.exe
3592 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3620 C:\Program Files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccsvchst.exe
3680 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
3804 C:\Windows\System32\SearchIndexer.exe
3904 C:\Program Files\Windows Media Player\wmpnetwk.exe
3976 C:\Windows\System32\svchost.exe
4384 C:\Windows\System32\taskeng.exe
4416 C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
4500 dllhost.exe
3296 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
4568 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3200 C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPConnectionManager.exe
1908 C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
4344 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
4116 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
584 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
2152 C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
192 C:\Program Files (x86)\Internet Explorer\iexplore.exe
4632 C:\Program Files (x86)\Internet Explorer\iexplore.exe
4348 C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe
4152 C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe
2728 C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe
5396 C:\Windows\servicing\TrustedInstaller.exe
5216 C:\Windows\System32\wuauclt.exe
5780 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3304 C:\Windows\System32\SearchProtocolHost.exe
2124 C:\Windows\System32\SearchFilterHost.exe
5932 dllhost.exe
5728 dllhost.exe
5524 C:\Users\Ryan\Desktop\MBRCheck.exe
2836 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000070`2d200000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS547550A9E384, Rev: JE3OA50A

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
 
Appears to be fixed!

After the TDSSKiller run & reboot, it appears it took care of the virus. The c:\windows\svchost.exe application is gone, the rogue svchost.exe process no longer shows up in task manager.

Malwarebytes, Norton360 and TDSSKiller scans all come up clean. I'm assuming this thing is finally blasted!

Anything else you can think of for me to do?

Many thanks for all the help - much appreciated!
 
You're welcome. You're looking up! But we're not quite through yet. There is some reason why Combofix isn't completing:

Let's double check this: Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the boot cleaner.exe file to run the program.
    (Vista/7 users,right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
============================================
You can just delete this file from Eset. It's not malware:
C:\Users\Ryan\AppData\Local\Temp\Av-test.txt Eicar test file
============================================
I'd really like to get this to run- try one more time:

NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode. If it won't run, go on to #2.

2. Delete Combofix file, download fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.

3. See which one of the following runs. You do not need to download all three versions:
This is a slight variation on the RKill:
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, add the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
(Directions courtesy bleeping computer)

4. With both RKill and exehelper on board:
Go right to the renamed (Combofix) and double click on friday.exe to run
If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

If successful, please leave RKill, Exehelper and Combofix logs.
 
Bootkit Remover results

Thanks for the extra suggestions. I downloaded and ran bootkit remover, and it looks like it is still detecting something. Logs posted below. I didn't try to take any further actions on this item - will wait for your advice on next steps.

I will also try the other things you asked for and post them after they run.

Here's bootkit remover results:
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
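The two boot-sector tools above disagree: MBRCheck reports stock Windows 7 MBR code, Bootkit Remover reports boot code "hidden by a rootkit". The script below is an added example, not part of the thread and not the code of either tool, showing the checks such a tool performs on a 512-byte sector image (for instance one written with the "remover.exe dump <device_name> [output_file]" command the output above mentions): boot signature, partition table, a hash of the 440-byte boot-code area against a reference from a known-clean install, and a comparison of the sector as the running OS returns it with a raw read, which is the classic way a hooking bootkit is caught (it serves the clean original to readers while the real sector holds its loader). Everything in it is constructed: the code bytes are placeholders rather than the real Windows 7 loader, the partition starts are the C: and D: byte offsets MBRCheck printed above, the sector counts are made up, and the SHA1 MBRCheck printed is not used as the reference because the page does not say which bytes it hashes.

```python
"""Offline MBR inspection (added example; not from the thread or from either tool).

Input is a 512-byte sector image, e.g. one written with
"remover.exe dump <device_name> [output_file]" as printed above, or pulled
from a disk image. The checks mirror what the two tools' output implies:
  * 0x55AA boot signature and the four partition entries
  * SHA-1 of the 440-byte boot-code area against a reference hash taken
    from a known-clean install of the same Windows version
  * whether the sector the running OS hands back differs from a raw read;
    a bootkit that hooks the disk stack serves the clean original to
    readers while the real sector holds its loader, which is the "hidden
    by a rootkit" situation Bootkit Remover reports
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
CODE_LEN = 440           # boot code; 4-byte disk signature + 2 bytes follow it
PART_TABLE_OFF = 446     # four 16-byte entries
BOOT_SIG_OFF = 510
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sectors


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list[Partition]:
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id:  # type 0 marks an unused slot
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    return hashlib.sha1(mbr[:CODE_LEN]).hexdigest().upper()


def inspect(os_view: bytes, raw: bytes, reference_sha1: str) -> list[str]:
    """Findings for one disk; an empty list means nothing suspicious."""
    findings = []
    if not has_boot_signature(raw):
        findings.append("raw sector lacks the 0x55AA boot signature")
    if os_view[:CODE_LEN] != raw[:CODE_LEN]:
        findings.append("boot code differs between OS view and raw read (hidden MBR)")
    if os_view[PART_TABLE_OFF:BOOT_SIG_OFF] != raw[PART_TABLE_OFF:BOOT_SIG_OFF]:
        findings.append("partition table differs between OS view and raw read")
    if boot_code_sha1(raw) != reference_sha1.upper():
        findings.append(f"raw boot code SHA-1 {boot_code_sha1(raw)} is not the reference")
    return findings


def build_mbr(code: bytes, parts, disk_sig: int = 0) -> bytes:
    """Assemble a sector from a code blob and (bootable, type, lba, sectors) tuples."""
    sector = bytearray(SECTOR)
    sector[: len(code)] = code
    struct.pack_into("<I", sector, CODE_LEN, disk_sig)
    for i, (boot, type_id, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if boot else 0, type_id, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed data. The code bytes are placeholders, NOT the Windows 7 loader;
# the partition starts are the C: and D: offsets MBRCheck printed above
# (0x0c800000 and 0x702d200000), the sector counts are made up.
PARTS = [(True, 0x07, 409600, 940593152), (False, 0x07, 941002752, 35770416)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24, PARTS, 0x1234ABCD)
HOOKED_MBR = build_mbr(b"\xeb\x58" + b"\xcc" * 30, PARTS, 0x1234ABCD)
REFERENCE_SHA1 = boot_code_sha1(CLEAN_MBR)  # in practice: hash from a clean machine

if __name__ == "__main__":
    for p in parse_partitions(HOOKED_MBR):
        print(f"partition {p.index}: type 0x{p.type_id:02x} at byte offset 0x{p.byte_offset:x}")
    # What an infected box looks like: the OS still shows the clean sector
    for f in inspect(CLEAN_MBR, HOOKED_MBR, REFERENCE_SHA1):
        print("!", f)
```

Two readings that agree and hash to the reference is the only clean outcome; a sector that matches the reference through the OS but not on a raw read is exactly the case where a signature-based check like MBRCheck's says "Windows 7 MBR code detected" while a tool reading below the hooked driver says otherwise, which is why the helper asked for the second opinion.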
 
rkill.com results

rkill.com ran successfully. You didn't ask for the log, but here it is in case you needed it. Exehelper log results also listed below. Thought I would post these prior to trying the Combofix run again.

rkill.com results:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/09/2012 at 20:01:49.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 04/09/2012 at 20:02:04.

=======================================================
Also, here's the exehelper log results:

exeHelper by Raktor
Build 20100414
Run at 20:06:01 on 04/09/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
 
Combofix log

Combofix completed successfully! Here is the Combofix log:

ComboFix 12-04-09.06 - Ryan 04/09/2012 20:17:44.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.2136 [GMT -5:00]
Running from: c:\users\Ryan\Desktop\friday.exe
AV: Norton 360 Premier Edition *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 Premier Edition *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-10 01:30 . 2012-04-10 01:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-09 02:03 . 2012-04-09 02:03 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-04-09 02:03 . 2012-04-09 02:03 -------- d-----w- c:\windows\SHELLNEW
2012-04-09 02:02 . 2012-04-09 02:15 -------- d-----w- c:\programdata\Microsoft Help
2012-04-09 02:01 . 2012-04-09 02:01 -------- d-----r- C:\MSOCache
2012-04-09 00:52 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-09 00:52 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-09 00:52 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-09 00:50 . 2012-04-09 00:51 -------- d--h--w- c:\windows\AxInstSV
2012-04-08 23:11 . 2012-04-08 23:11 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-02 21:34 . 2012-04-02 21:34 -------- d-----w- c:\windows\SysWow64\Wat
2012-04-02 21:34 . 2012-04-02 21:34 -------- d-----w- c:\windows\system32\Wat
2012-04-02 13:12 . 2012-04-02 13:12 -------- d-----w- c:\program files (x86)\MSXML 4.0
2012-04-02 11:55 . 2012-04-02 11:55 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-04-02 11:46 . 2011-07-16 05:41 362496 ----a-w- c:\windows\system32\wow64win.dll
2012-04-02 02:14 . 2012-04-02 02:14 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-04-02 01:46 . 2012-04-02 01:46 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-04-02 01:43 . 2012-04-02 01:43 -------- d-----w- c:\program files (x86)\Java
2012-04-02 00:55 . 2012-04-02 00:55 -------- d-----w- c:\programdata\Malwarebytes
2012-04-02 00:55 . 2012-04-02 00:55 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-02 00:55 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 00:19 . 2010-08-21 03:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-04-02 00:19 . 2012-04-02 00:19 -------- d-----w- c:\program files\Symantec
2012-04-02 00:19 . 2012-04-02 00:19 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-04-02 00:19 . 2012-04-02 00:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-04-02 00:19 . 2010-08-21 03:59 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-04-02 00:19 . 2010-08-21 03:59 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-04-02 00:18 . 2012-04-08 22:59 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-04-02 00:18 . 2012-04-02 00:18 -------- d-----w- c:\program files (x86)\Norton 360 Premier Edition
2012-04-02 00:14 . 2012-04-02 00:14 -------- d-----w- c:\programdata\PCSettings
2012-04-02 00:00 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-02 00:00 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-02 00:00 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-01 23:59 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-01 23:59 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-04-01 23:59 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-01 23:59 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-01 23:55 . 2012-04-05 11:40 -------- d-----w- c:\users\Ryan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-02 01:43 . 2011-08-30 01:42 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-01 23:57 . 2010-06-24 18:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-27 318520]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502010.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502010.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-04-02 1160824]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120406.002\IDSvia64.sys [2012-03-30 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502010.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502010.003\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-28 92216]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 N360;Norton 360;c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccSvcHst.exe [2011-04-17 130008]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-04-02 138360]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-11 1128448]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360 Premier Edition\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\ezSharedSvcHost.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2012-04-09 20:52:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 01:52
.
Pre-Run: 447,268,327,424 bytes free
Post-Run: 446,879,821,824 bytes free
.
- - End Of File - - E8B1D5E09155379E477BC468F867F59D
 
Steps completed...

I think I left you posts with all the things you needed - Bootkit, rkill, exehelper & combofix logs.

Bootkit logs appeared to detect a rootkit, but as I mentioned in that post, I didn't take any further action that it suggested yet. Will wait for your advice on any next steps.

Can't thank you enough for all the help you've been providing! Very much appreciated.

Let me know if any further suggestions!
 
You're welcome- glad to help!

Good we ran Bootkit- always helps to be sure: Go ahead and run the following. I'll review Combofix after lunch.

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
START boot cleaner.exe fix  \\.\PhysicalDrive0  
EXIT
  • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
  • In the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to run.
    You may see a black box appear; this is normal.
  • When done, run bootkit.exe again and post its output.
=========================================
Be sure and let me know if there are any changes in the system- good or bad!
 
Combofix looks pretty good. There is one Service that you might want to check and make sure it's on Manual Startup Type, not Automatic.

This is a hidden Service, so you will need to show the files first:
Show Hidden Files and Folders in Windows Vista and Windows 7:
  • Click on the Start button and select Computer
  • Press the Alt key on your keyboard and click on Tools
  • Select Folder Options
  • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known filetypes
  • Click Apply then click OK

Then click on Start> Run> type in services.msc> Enter> find this Service>
ActiveX Installer (AxInstSV)> Set to Manual in Windows 7 Home Premium

There are 3 Dependencies, but you will most likely have them running:
Remote Procedure Call
DCOM Server Process Launcher
RPC Endpoint Mapper
These 3 Services should be set to Automatic Startup.

Please be sure to re-hide the files and folders.
====================================
I do have a question: there are the following 2 Registry entries:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

I noticed you did some work with Microsoft on 4/9/2012:
c:\program files (x86)\Microsoft Analysis Services
c:\windows\SHELLNEW
c:\programdata\Microsoft Help
C:\MSOCache (this one might be after Office install)
Do you know if the registry entries are policy settings from that?
=====================================
Are there any remaining problems?
 
remover.exe fix

I created the fix.bat file - copying in the code you had in your code box and saving it as a batch file.

When I run it, the black box appears, then quickly goes away. But I'm not sure it's doing what you hoped it would do. After the black box disappears, it opens up to an explorer window to the C:\windows\system32\boot folder.

When I re-run boot_cleaner.exe, the logs still show the rootkit in the MBR. Here are the logs:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
======================================================
 
Answers to additional questions

You had asked about a couple of registry entries from combofix.

After I thought we had things cleaned, I went ahead and re-installed MS Office 2010 (sorry about that, I jumped the gun in thinking we had things completely cleaned up a few days ago :-(). Not sure if those 2 registry entries can be attributed to that or not.

I also followed your instructions to verify that ActiveX Installer service was set to Manual startup.
 
It wasn't my instruction to run TDSSKiller or MBR Check- you did that on your own. And there is a contradiction here:

"After the TDSSKiller run & reboot, it appears it took care of the virus.

Malwarebytes, Norton360 and TDSSKiller scans all come up clean. I'm assuming this thing is finally blasted!"
-----------------------------
I'd like you to run the Bootkit scans and fix again:
Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the boot cleaner.exe file to run the program.
    (Vista/7 users,right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
==================================================
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
START boot cleaner.exe fix  \\.\PhysicalDrive0  
EXIT
  • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
  • In the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to run.
    You may see a black box appear; this is normal.
  • When done, run bootkit.exe again and post its output.

Looks like one of the slashes in the fix may have parsed.
 
bootkit remover results

I apologize if I ran something I wasn't supposed to. Definitely appreciate you sticking with this and helping me out!

Here are the results of the bootkit remover execution (after running this, I'll copy in and run the .bat file and post those results).

Bootkit remover results
===================================
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Okay, let's see if we can get it this time:

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
START boot cleaner.exe fix  \ \.\PhysicalDrive0  
EXIT
  • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
  • In the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to run.
    You may see a black box appear; this is normal.
  • When done, run bootkit.exe again and post its output.
 
fix.bat and subsequent bootcleaner results

Thanks for all the patience, and the quick responses!

I created the fix.bat file and ran it. However, all it did was open up a file explorer window pointing to the windows\system32\boot file folder. I think I figured out what was happening. In the code I copied over from the code box, it referenced "boot cleaner.exe". I think anything after the "space" following boot was getting ignored.

I changed it to "boot_cleaner.exe" in my fix.bat file and it ran the bootcleaner fix that time. I'm posting the results of the fix.bat run and the subsequent bootcleaner run that I ran after a reboot (the fix.bat run recommended an immediate reboot).
=====================================
fix.bat run results:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000
Restoring boot code at \\.\PhysicalDrive0...
ATA_Write(): DeviceIoControl() ERROR 1
ERROR: Can't write first sector of the disk.

Done;
Press any key to quit...
============================================
After a reboot, here's the results of the subsequent boot_cleaner run:
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0c800000

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...

=============================================
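An added illustration (not the helper's code and not part of the Esage Lab tool) of the parsing problem behind the three fix.bat attempts in this thread: cmd.exe's START splits its line on unquoted spaces and treats a leading double-quoted token as the window title, so an unquoted "boot cleaner.exe" launches a program called "boot", and simply quoting the name would turn it into the title instead. The tokenizer is a simplified model (whitespace and double quotes only; no carets or %variable% expansion), and `build_fix_bat` is a hypothetical helper that emits the correctly quoted form.

```python
"""Model of how cmd.exe's START line is split, for the fix.bat problem above.

Added illustration, not the helper's code and not part of the Esage Lab tool.
Only two rules are modelled: arguments split on unquoted whitespace, and START
treats a leading double-quoted token as the window title, not the program.
Carets, %variable% expansion and other cmd escapes are deliberately ignored.
"""
from typing import List, Tuple

Plan = Tuple[str, str, List[str]]   # (window title, program, parameters)


def split_args(line: str) -> List[str]:
    """Split on unquoted spaces/tabs; quotes are kept so callers can see them."""
    tokens: List[str] = []
    cur, quoted = "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch in " \t" and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def unquote(token: str) -> str:
    return token.replace('"', "")


def plan_start(line: str) -> Plan:
    """Work out what a 'START ...' batch line will actually try to launch."""
    tokens = split_args(line.strip())
    if not tokens or tokens[0].upper() != "START":
        raise ValueError("not a START line: %r" % line)
    rest = tokens[1:]
    title = ""
    if rest and rest[0].startswith('"'):     # START's title rule
        title = unquote(rest[0])
        rest = rest[1:]
    if not rest:
        raise ValueError("START has no program to run")
    return title, unquote(rest[0]), [unquote(t) for t in rest[1:]]


def build_fix_bat(program: str, device: str) -> str:
    """Emit a fix.bat whose program path survives spaces (hypothetical helper).

    An empty "" title goes first so the quoted program is not taken as the title.
    """
    return "\r\n".join(["@ECHO OFF",
                        'START "" "%s" fix %s' % (program, device),
                        "EXIT"]) + "\r\n"


if __name__ == "__main__":
    device = r"\\.\PhysicalDrive0"
    # The variants posted in the thread, naive quoting, and the properly quoted form.
    for line in (r"START boot cleaner.exe fix  \\.\PhysicalDrive0",   # first fix.bat
                 r"START boot cleaner.exe fix  \ \.\PhysicalDrive0",  # second attempt
                 r"START boot_cleaner.exe fix \\.\PhysicalDrive0",    # user's rename
                 r'START "boot cleaner.exe" fix \\.\PhysicalDrive0',  # title trap
                 build_fix_bat("boot cleaner.exe", device).splitlines()[1]):
        title, program, params = plan_start(line)
        print("%-55s -> title=%r program=%r params=%r" % (line, title, program, params))
```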
 