Solved Win64/Patched.A on C:\Windows\System32\services.exe

[Fra_SME]

Hello guys.

I've just discovered my wife's laptop has this nice big boy installed and that it's not easy to remove at: avg finds it but can't simply repair the file.
I read some thread in the forum but since people have been asked to post their logs and I was already following the first steps like downloading Farbar Recovery Scan Tool 64-Bit.
when I enter SRO you mention to use US keyboard but that wouldn't be my country (I'm italian): is this mandatory or may I use the italian settings?

thanks!

 

[Fra_SME]

Forgot to mention, OS in win7 obviously 64bit

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[Fra_SME]

Hello Broni!

Thanks a lot for your support!
Before posting logs, I have to tell that after running MBAM and rebooting the system I got a warning message from AVG saying a new virus was found and specifically:

​

c:\windowsassembly\GAC_64\Desktop.ini
Trojan Generic29.ANPX

I tried to quaratine it but with no success

Anyway, here are the logs even if I'm not sure why the first one is in Italian even if I installed the software in English. Let me know if not clear so that I can translate it.

MBAM

Malwarebytes Anti-Malware (Prova) 1.65.1.1000
www.malwarebytes.org

Versione database: v2012.12.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mary Furlani :: MARYFURLANI-PC [amministratore]

Protezione: Disattivata

15/12/2012 22:19:24
mbam-log-2012-12-15 (22-19-24).txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 231835
Tempo impiegato: 3 minuti, 54 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 3
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Spostato in quarantena ed eliminato con successo.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\000000cb.@ (Rootkit.0Access) -> Spostato in quarantena ed eliminato con successo.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000032.@ (Rootkit.0Access) -> Spostato in quarantena ed eliminato con successo.

(fine)

 

[Fra_SME]

And here is DDS log as well:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by Mary Furlani at 22:36:26 on 2012-12-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.39.1040.18.3767.2116 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
C:\Windows\SysWOW64\NlsSrv32.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\UI0Detect.exe
C:\Windows\System32\WUDFHost.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mary Furlani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.gboxapp.com/
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://search.gboxapp.com/
mDefault_Page_URL = hxxp://acer.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Guida per l'accesso a Windows Live ID: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Mary Furlani\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&sporta in Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer = 193.70.152.25 212.52.97.25
TCP: Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer = 193.70.152.25 212.52.97.25
TCP: Interfaces\{66E43F8C-E5CD-454F-83ED-7080475BFC5C} : DHCPNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{66E43F8C-E5CD-454F-83ED-7080475BFC5C}\64143545755424F513D2030323139363234423639343 : DHCPNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer = 212.52.97.25 193.70.152.25
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1Qzuzzzzzy0F0F0AyDtD0D0Czy0Dzy0E0CyEtN0D0Tzu0CtByDyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=995618659
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [mwlDaemon] C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]
R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2010-11-2 24680]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-6-19 55856]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-8-24 384352]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2009-6-3 22576]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2009-6-3 20016]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2009-6-3 60464]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-9-30 169408]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-8-30 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-12-26 868896]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-8-30 13336]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-15 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-15 676936]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\System32\NlsSrv32.exe --> C:\Windows\System32\NlsSrv32.exe [?]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-6-28 255744]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-8-30 2320920]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-8-30 243232]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2011-12-23 124496]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\avgidsfiltera.sys [2011-12-23 29776]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-8-30 56344]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2012-9-1 86016]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-8-30 158976]
R3 IntcDAud;Audio schermo Intel(R);C:\Windows\System32\drivers\IntcDAud.sys [2010-8-30 287232]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-15 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Mobile Partner. RunOuc;Mobile Partner. OUC;C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [2012-9-1 246112]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2012-9-1 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\drivers\ew_usbenumfilter.sys [2012-9-1 13952]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-6-21 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\System32\drivers\ew_jucdcacm.sys [2012-9-1 98816]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\System32\drivers\ew_juextctrl.sys [2012-9-1 28672]
S3 huawei_wwanecm;huawei_wwanecm;C:\Windows\System32\drivers\ew_juwwanecm.sys [2012-9-1 212992]
S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-5-27 305520]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-12-26 246376]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-21 59392]
S3 WatAdminSvc;Servizio Windows Activation Technologies;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-19 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-12-15 21:32:10--------d-----w-C:\Users\Mary Furlani\AppData\Local\{93FF7903-ABCA-4ED0-8869-CCABD082B294}
2012-12-15 21:18:3325928----a-w-C:\Windows\System32\drivers\mbam.sys
2012-12-15 21:18:33--------d-----w-C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-15 07:14:35--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\Malwarebytes
2012-12-15 07:14:28--------d-----w-C:\ProgramData\Malwarebytes
2012-12-14 22:54:31--------d-sh--w-C:\Windows\SysWow64\%APPDATA%
2012-12-14 22:36:06--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\LeeGT-Games
2012-12-14 03:05:23--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\PerformerSoft
2012-12-14 03:05:2119000----a-w-C:\Windows\System32\roboot64.exe
2012-12-14 03:05:19--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\StatusWinks
2012-12-14 03:05:04--------d-----w-C:\Program Files (x86)\File Scout
2012-12-13 01:28:022048----a-w-C:\Windows\SysWow64\tzres.dll
2012-12-13 01:28:022048----a-w-C:\Windows\System32\tzres.dll
2012-12-13 01:24:24--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\WiiSports101in1
2012-12-13 01:24:24--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\Jewels of the East India Company
2012-12-12 13:54:33--------d-----w-C:\Users\Mary Furlani\AppData\Local\{FBC755B0-8465-42F3-BA28-4104ACDACE5C}
2012-12-01 00:14:48--------d-----w-C:\Windows\Delicious 8- Emily's Wonder Wedding Premium Edition
2012-12-01 00:14:48--------d-----w-C:\Program Files (x86)\Delicious 8- Emily's Wonder Wedding Premium Edition
2012-11-30 09:02:52--------d-----w-C:\Users\Mary Furlani\AppData\Local\{A961CD49-8822-4B65-BCDA-9F959A15EA76}
2012-11-27 02:03:53--------d-----w-C:\ProgramData\Islands
2012-11-26 14:35:15--------d-----w-C:\Users\Mary Furlani\AppData\Local\{6D30398F-6381-4383-BFF5-4D2F6B5FFD1B}
2012-11-25 01:15:41--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\Realore All My Gods
2012-11-23 21:48:22--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\EscapeTheMuseum2
2012-11-23 20:46:15--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\ShockwaveAllMyGods
2012-11-19 12:29:01--------d-----w-C:\Users\Mary Furlani\AppData\Local\{DCB35AD6-CC98-4D04-BA39-5B4306729BF6}
2012-11-18 22:19:07--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\BlamGames
2012-11-18 22:17:59--------d-----w-C:\Windows\SysWow64\1017
2012-11-18 22:17:32--------d-----w-C:\Windows\A Gnome's Home - The Great Crystal Crusade
2012-11-17 01:12:15--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\northern_tale_realore_en
2012-11-17 01:11:04--------d-----w-C:\Program Files (x86)\Foxy Games
2012-11-17 00:11:21--------d-----w-C:\Users\Mary Furlani\AppData\Roaming\northerntale_shockwave_en
2012-11-16 13:44:31--------d-----w-C:\Users\Mary Furlani\AppData\Local\{5904247A-BED9-45E0-88E9-284F45283FB9}
.
==================== Find3M ====================
.
2012-12-12 15:25:3373656----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-12 15:25:33697272----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-22 03:26:403149824----a-w-C:\Windows\System32\win32k.sys
2012-11-14 06:11:442312704----a-w-C:\Windows\System32\jscript9.dll
2012-11-14 06:04:111392128----a-w-C:\Windows\System32\wininet.dll
2012-11-14 06:02:491494528----a-w-C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46599040----a-w-C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35173056----a-w-C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:402382848----a-w-C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:221800704----a-w-C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:151427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:371129472----a-w-C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27420864----a-w-C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:422382848----a-w-C:\Windows\SysWow64\mshtml.tlb
2012-11-05 21:35:1646080----a-w-C:\Windows\System32\atmlib.dll
2012-11-05 20:41:32367616----a-w-C:\Windows\System32\atmfd.dll
2012-11-05 20:32:16295424----a-w-C:\Windows\SysWow64\atmfd.dll
2012-11-05 20:32:0934304----a-w-C:\Windows\SysWow64\atmlib.dll
2012-11-02 05:59:11478208----a-w-C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31376832----a-w-C:\Windows\SysWow64\dpnet.dll
2012-10-19 14:08:59499712----a-w-C:\Windows\SysWow64\msvcp71.dll
2012-10-19 14:08:59348160----a-w-C:\Windows\SysWow64\msvcr71.dll
2012-10-16 08:38:37135168----a-w-C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34350208----a-w-C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52561664----a-w-C:\Windows\apppatch\AcLayers.dll
2012-10-09 18:17:1355296----a-w-C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13226816----a-w-C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:3144032----a-w-C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31193536----a-w-C:\Windows\SysWow64\dhcpcore6.dll
2012-10-04 17:46:16362496----a-w-C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15243200----a-w-C:\Windows\System32\wow64.dll
2012-10-04 17:46:1513312----a-w-C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55215040----a-w-C:\Windows\System32\winsrv.dll
2012-10-04 17:43:2816384----a-w-C:\Windows\System32\ntvdm64.dll
2012-10-04 17:41:16424960----a-w-C:\Windows\System32\KernelBase.dll
2012-10-04 16:47:415120----a-w-C:\Windows\SysWow64\wow32.dll
2012-10-04 16:47:41274944----a-w-C:\Windows\SysWow64\KernelBase.dll
2012-10-04 15:21:55338432----a-w-C:\Windows\System32\conhost.exe
2012-10-04 14:46:467680----a-w-C:\Windows\SysWow64\instnm.exe
2012-10-04 14:46:4625600----a-w-C:\Windows\SysWow64\setup16.exe
2012-10-04 14:46:4414336----a-w-C:\Windows\SysWow64\ntvdm64.dll
2012-10-04 14:46:432048----a-w-C:\Windows\SysWow64\user.exe
2012-10-04 14:41:506144---ha-w-C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:504608---ha-w-C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:503584---ha-w-C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:503072---ha-w-C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-10-03 17:56:541914248----a-w-C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:2170656----a-w-C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21303104----a-w-C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17246272----a-w-C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:1718944----a-w-C:\Windows\System32\netevent.dll
2012-10-03 17:44:16216576----a-w-C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16569344----a-w-C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:2418944----a-w-C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24175104----a-w-C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23156672----a-w-C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:2645568----a-w-C:\Windows\System32\drivers\tcpipreg.sys
2012-09-25 22:47:4378336----a-w-C:\Windows\SysWow64\synceng.dll
2012-09-25 22:46:1795744----a-w-C:\Windows\System32\synceng.dll
.
============= FINISH: 22:36:57,43 ===============

 

[Fra_SME]

And this is the attach.txt log from DDS:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 15/06/2011 00:40:53
System Uptime: 15/12/2012 22:26:25 (0 hours ago)
.
Motherboard: Acer | | Aspire 5742G
Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU | 2533/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 453 GiB total, 340,662 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Controller Ethernet
Device ID: PCI\VEN_14E4&DEV_1692&SUBSYS_036D1025&REV_01\4&14D14F08&0&00E0
Manufacturer:
Name: Controller Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1692&SUBSYS_036D1025&REV_01\4&14D14F08&0&00E0
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Acer Backup Manager
Acer Crystal Eye webcam
Acer ePower Management
Acer eRecovery Management
Acer ScreenSaver
Acer Updater
Acrobat.com
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 9
Adobe Reader 9.5.2 MUI
AVG 2012
Backup Manager Basic
Canon My Printer
CyberLink PowerDVD 9
D3DX10
Delicious 7- Emilys True Love - Premium Edition
Delicious 8- Emily's Wonder Wedding Premium Edition
Delicious: Emily's Holiday Season
Elements 9 Organizer
Elements STI Installer
FileZilla Client 3.5.0
Google Chrome
Identity Card
Intel(R) Control Center
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
Intel(R) Rapid Storage Technology
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
KaraFun Player
Launch Manager
LEGO® Indiana Jones™
Malwarebytes Anti-Malware version 1.65.1.1000
MediaGet2 version 2.1.577.0
MediaGet2 versione 2.1.904.0
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile - Language Pack (ITA)
Microsoft .NET Framework 4 Client Profile ITA Language Pack
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Excel 2007 Help - Aggiornamento (KB963678)
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office File Validation Add-In
Microsoft Office Office 64-bit Components 2007
Microsoft Office Outlook 2007 Help - Aggiornamento (KB963677)
Microsoft Office Outlook MUI (Italian) 2007
Microsoft Office Powerpoint 2007 Help - Aggiornamento (KB963669)
Microsoft Office PowerPoint MUI (Italian) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (Italian) 2007
Microsoft Office Shared 64-bit MUI (Italian) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Word 2007 Help - Aggiornamento (KB963665)
Microsoft Office Word MUI (Italian) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_ATL_x86_x64
Microsoft_VC80_CRT_x86
Microsoft_VC80_CRT_x86_x64
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFC_x86_x64
Microsoft_VC80_MFCLOC_x86
Microsoft_VC80_MFCLOC_x86_x64
Microsoft_VC90_ATL_x86
Microsoft_VC90_ATL_x86_x64
Microsoft_VC90_CRT_x86
Microsoft_VC90_CRT_x86_x64
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFC_x86_x64
Microsoft_VC90_MFCLOC_x86
Microsoft_VC90_MFCLOC_x86_x64
Mobile Partner
MSVCRT
MSVCRT Redists
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyWinLocker
MyWinLocker Suite
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Updatus
Portrait Professional 10.2
Raccolta foto di Windows Live
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 4 Client Profile - Language Pack (ITA) (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile - Language Pack (ITA) (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Shredder
Skype Click to Call
Skype™ 6.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760573) 32-Bit Edition
vanBasco's Karaoke Player
Visual Studio 2008 x64 Redistributables
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Wooliz
.
==== End Of File ===========================

 

[Broni]

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

********************************************

Download Malwarebytes Anti-Rootkit (MBAR) from HERE

• Unzip downloaded file.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

 

[Fra_SME]

Scan complete.
Just two notes:
- MBAR created a restore point
- upon rebooting I was asked to run Malwarebytes Anti-Rootkit or cancel the action right after logging in Win7 and I confirmed it

Here is mbar-log-2012-12-15 (23-27-53).txt:

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mary Furlani :: MARYFURLANI-PC [administrator]

15/12/2012 23:27:53
mbar-log-2012-12-15 (23-27-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 30208
Time elapsed: 21 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Delete on reboot.
HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U (Backdoor.0Access) -> Delete on reboot.

Files Detected: 13
C:\Windows\System32\services.exe (Rootkit.0Access) -> Delete on reboot.
C:\Users\Mary Furlani\AppData\Local\Temp\iMesh_setup.exe (P2P.iMesh) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\000000cb.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000032.@ (Rootkit.0Access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
C:\Windows\assembly\GAC_32\Desktop.ini (Rootkit.0access) -> Delete on reboot.
C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot.
C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\201d3dde (Backdoor.0Access) -> Delete on reboot.

(end)

 

[Fra_SME]

And here is system-log.txt:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 3949682688, free: 2139701248

------------ Kernel report ------------
12/15/2012 23:05:19
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\avgrkx64.sys
\SystemRoot\system32\DRIVERS\avgidsha.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\avgmfx64.sys
\SystemRoot\system32\DRIVERS\mwlPSDFilter.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\avgtdia.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys
\SystemRoot\system32\DRIVERS\mwlPSDNServ.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\avgldx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\system32\DRIVERS\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcmwl664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\??\C:\Windows\system32\drivers\UBHelper.sys
\??\C:\Windows\system32\drivers\NTIDrvr.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\ew_jubusenum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\avgidsfiltera.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\avgidsdrivera.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xfffffa8004948060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007b\
Lower Device Object: 0xfffffa8004ac4b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80070e0060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8005102050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.15.07
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80070e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80070e0b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80070e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005102050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a0106ec580, 0xfffffa80070e0060, 0xfffffa8004a06460
Lower DeviceData: 0xfffff8a010311580, 0xfffffa8005102050, 0xfffffa8007f51e40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D4794879

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 27262976

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 27265024 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 27469824 Numsec = 949301248

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8004948060, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80099e1b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004948060, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004ac4b60, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xfffff8a00e7c3420, 0xfffffa8004948060, 0xfffffa80043833a0
Lower DeviceData: 0xfffff8a005399f90, 0xfffffa8004ac4b60, 0xfffffa8004548cc0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

Partition 0 type is Other (0xb)
Partition is NOT ACTIVE.
Partition starts at LBA: 8064 Numsec = 15679616

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 8032092160 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-19.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-23.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-26.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-28.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-11.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-12.log" is compressed (flags = 1)
Infected: C:\Windows\System32\services.exe --> [Rootkit.0Access]
Backup file found for a file C:\Windows\System32\services.exe
Infected: C:\Users\Mary Furlani\AppData\Local\Temp\iMesh_setup.exe --> [P2P.iMesh]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\000000cb.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000000.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000032.@ --> [Rootkit.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000064.@ --> [Backdoor.0Access]
Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
Infected: HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\bbjciahceamgodcoidkjpchnokgfpphh --> [PUP.Funmoods]
Infected: HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cjpglkicenollcignonpgiafdgfeehoj --> [PUP.FunMoods]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 3949682688, free: 2620006400

 

[Broni]

Please re-run the tool one more time and post fresh logs.

 

[Fra_SME]

Message "No malaware found" sounds promising.

Anyway here we go first with mbar-log-2012-12-16 (00-16-27).txt

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mary Furlani :: MARYFURLANI-PC [administrator]

16/12/2012 00:16:27
mbar-log-2012-12-16 (00-16-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 30173
Time elapsed: 19 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[Fra_SME]

And then system-log.txt

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 3949682688, free: 2139701248

------------ Kernel report ------------
12/15/2012 23:05:19
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\avgrkx64.sys
\SystemRoot\system32\DRIVERS\avgidsha.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\avgmfx64.sys
\SystemRoot\system32\DRIVERS\mwlPSDFilter.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\avgtdia.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys
\SystemRoot\system32\DRIVERS\mwlPSDNServ.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\avgldx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\system32\DRIVERS\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcmwl664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\??\C:\Windows\system32\drivers\UBHelper.sys
\??\C:\Windows\system32\drivers\NTIDrvr.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\ew_jubusenum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\avgidsfiltera.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\avgidsdrivera.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xfffffa8004948060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007b\
Lower Device Object: 0xfffffa8004ac4b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80070e0060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8005102050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.15.07
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80070e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80070e0b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80070e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005102050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a0106ec580, 0xfffffa80070e0060, 0xfffffa8004a06460
Lower DeviceData: 0xfffff8a010311580, 0xfffffa8005102050, 0xfffffa8007f51e40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D4794879

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 27262976

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 27265024 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 27469824 Numsec = 949301248

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8004948060, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80099e1b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004948060, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004ac4b60, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xfffff8a00e7c3420, 0xfffffa8004948060, 0xfffffa80043833a0
Lower DeviceData: 0xfffff8a005399f90, 0xfffffa8004ac4b60, 0xfffffa8004548cc0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

Partition 0 type is Other (0xb)
Partition is NOT ACTIVE.
Partition starts at LBA: 8064 Numsec = 15679616

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 8032092160 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-19.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-23.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-26.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-28.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-11.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-12.log" is compressed (flags = 1)
Infected: C:\Windows\System32\services.exe --> [Rootkit.0Access]
Backup file found for a file C:\Windows\System32\services.exe
Infected: C:\Users\Mary Furlani\AppData\Local\Temp\iMesh_setup.exe --> [P2P.iMesh]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000004.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\000000cb.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000000.@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000032.@ --> [Rootkit.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U\80000064.@ --> [Backdoor.0Access]
Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
Infected: HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\bbjciahceamgodcoidkjpchnokgfpphh --> [PUP.Funmoods]
Infected: HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cjpglkicenollcignonpgiafdgfeehoj --> [PUP.FunMoods]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{90b64b9a-b702-254c-fea7-b86fbf2f9236}\U --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 3949682688, free: 2620006400

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 3949682688, free: 2235068416

------------ Kernel report ------------
12/15/2012 23:56:29
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\avgrkx64.sys
\SystemRoot\system32\DRIVERS\avgidsha.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\avgmfx64.sys
\SystemRoot\system32\DRIVERS\mwlPSDFilter.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\avgtdia.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys
\SystemRoot\system32\DRIVERS\mwlPSDNServ.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\avgldx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\system32\DRIVERS\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcmwl664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\??\C:\Windows\system32\drivers\UBHelper.sys
\??\C:\Windows\system32\drivers\NTIDrvr.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\ew_jubusenum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\DRIVERS\avgidsfiltera.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\avgidsdrivera.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa800815b060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000074\
Lower Device Object: 0xfffffa8008158060
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80070e2060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8005114050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80070e2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800520b8e0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80070e2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005114050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a00fb8be40, 0xfffffa80070e2060, 0xfffffa8004a96790
Lower DeviceData: 0xfffff8a00271a010, 0xfffffa8005114050, 0xfffffa8007638460
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D4794879

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 27262976

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 27265024 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 27469824 Numsec = 949301248

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800815b060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800814cb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800815b060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8008158060, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xfffff8a00439eb70, 0xfffffa800815b060, 0xfffffa8007820090
Lower DeviceData: 0xfffff8a011319fa0, 0xfffffa8008158060, 0xfffffa8008eedbe0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

Partition 0 type is Other (0xb)
Partition is NOT ACTIVE.
Partition starts at LBA: 8064 Numsec = 15679616

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 8032092160 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-19.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-23.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-26.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-11-28.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-11.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgual.2012-12-12.log" is compressed (flags = 1)
Read File: File "C:\ProgramData\AVG2012\log\avgchjw.log.1" is compressed (flags = 1)
Done!
Scan finished
=======================================

 

[Broni]

Very good

• Download RogueKiller on the desktop
• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
• Otherwise just double-click on RogueKiller.exe
• Pre-scan will start. Let it finish.
• Click on SCAN button.
• Wait until the Status box shows Scan Finished
• Click on Delete.
• Wait until the Status box shows Deleting Finished.
• Click on Report and copy/paste the content of the Notepad into your next reply.
• RKreport.txt could also be found on your desktop.
• If more than one log is produced post all logs.
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

===============================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

 

[Fra_SME]

Before running Roguekiller do I have to close all running programs, AVG included?

 

[Broni]

Yes.

 

[Fra_SME]

Houston, we have a problem Roguekiller ran smoothly and below are the logs While running aswMBR I got the blue screen... It was the first time so I reboot the system normally. What shall I do now? Rerun aswMBR? Number 1 RogueKiller V8.4.0 [Dec 15 2012] by Tigzy mail : tigzyRKgmailcom Feedback : https://www.techspot.com/downloads/5562-roguekiller.html Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : Mary Furlani [Admin rights] Mode : Scan -- Date : 12/16/2012 00:38:08 ¤¤¤ Bad processes : 3 ¤¤¤ [SUSP PATH] HWDeviceService64.exe -- C:\ProgramData\DatacardService\HWDeviceService64.exe -> KILLED [TermProc] [SUSP PATH] ouc.exe -- C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe -> KILLED [TermProc] [SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc] ¤¤¤ Registry Entries : 9 ¤¤¤ [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\Mary Furlani\Desktop\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> FOUND [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> FOUND [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> FOUND [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> FOUND [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> FOUND [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> FOUND [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts 127.0.0.1 activate.adobe.com 127.0.0.1 practivate.adobe.com ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 +++++ --- User --- [MBR] 3ec0ee59c154e7cd35a71c0980dc4d3a [BSP] a742b1d3b0fef083858c285a92feeb84 : Windows 7/8 MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: TOSHIBA TransMemory USB Device +++++ --- User --- [MBR] a297b59321e99abba35c91174b3c30ae [BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown Partition table: 0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8064 | Size: 7656 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : > RKreport[1]_S_12162012_02d0038.txt --------------------- Number 2 RogueKiller V8.4.0 [Dec 15 2012] by Tigzy mail : tigzyRKgmailcom Feedback : https://www.techspot.com/downloads/5562-roguekiller.html Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : Mary Furlani [Admin rights] Mode : Remove -- Date : 12/16/2012 00:39:02 ¤¤¤ Bad processes : 3 ¤¤¤ [SUSP PATH] HWDeviceService64.exe -- C:\ProgramData\DatacardService\HWDeviceService64.exe -> KILLED [TermProc] [SUSP PATH] ouc.exe -- C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe -> KILLED [TermProc] [SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc] ¤¤¤ Registry Entries : 9 ¤¤¤ [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\Mary Furlani\Desktop\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> DELETED [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> NOT REMOVED, USE DNSFIX [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> NOT REMOVED, USE DNSFIX [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts 127.0.0.1 activate.adobe.com 127.0.0.1 practivate.adobe.com ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 +++++ --- User --- [MBR] 3ec0ee59c154e7cd35a71c0980dc4d3a [BSP] a742b1d3b0fef083858c285a92feeb84 : Windows 7/8 MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: TOSHIBA TransMemory USB Device +++++ --- User --- [MBR] a297b59321e99abba35c91174b3c30ae [BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown Partition table: 0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8064 | Size: 7656 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : > RKreport[1]_S_12162012_02d0038.txt ; RKreport[2]_D_12162012_02d0039.txt

 

[Fra_SME]

Argh, really badly posted: do you want me to re-post it?

 

[Broni]

Yes, repost. Are you copying the above log from Notepad?

 

[Broni]

Don't worry about BSOD.

 

[Fra_SME]

Yes, from notepad I'll try a preview now before

Roguekiller report #1

RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Mary Furlani [Admin rights]
Mode : Scan -- Date : 12/16/2012 00:38:08

¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] HWDeviceService64.exe -- C:\ProgramData\DatacardService\HWDeviceService64.exe -> KILLED [TermProc]
[SUSP PATH] ouc.exe -- C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe -> KILLED [TermProc]
[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\Mary Furlani\Desktop\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 +++++
--- User ---
[MBR] 3ec0ee59c154e7cd35a71c0980dc4d3a
[BSP] a742b1d3b0fef083858c285a92feeb84 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: TOSHIBA TransMemory USB Device +++++
--- User ---
[MBR] a297b59321e99abba35c91174b3c30ae
[BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8064 | Size: 7656 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_12162012_02d0038.txt >>
RKreport[1]_S_12162012_02d0038.txt

 

[Fra_SME]

Roguekiller report #2

RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Mary Furlani [Admin rights]
Mode : Remove -- Date : 12/16/2012 00:39:02

¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] HWDeviceService64.exe -- C:\ProgramData\DatacardService\HWDeviceService64.exe -> KILLED [TermProc]
[SUSP PATH] ouc.exe -- C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe -> KILLED [TermProc]
[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\Mary Furlani\Desktop\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2188C499-947A-420C-899F-3EC090128049} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{4126A863-A29A-4790-897D-CE73BCDA9E5E} : NameServer (193.70.152.25 212.52.97.25) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{FAAD2573-63F5-426F-99D8-C9EAEC636ED8} : NameServer (212.52.97.25 193.70.152.25) -> NOT REMOVED, USE DNSFIX
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 +++++
--- User ---
[MBR] 3ec0ee59c154e7cd35a71c0980dc4d3a
[BSP] a742b1d3b0fef083858c285a92feeb84 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: TOSHIBA TransMemory USB Device +++++
--- User ---
[MBR] a297b59321e99abba35c91174b3c30ae
[BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8064 | Size: 7656 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12162012_02d0039.txt >>
RKreport[1]_S_12162012_02d0038.txt ; RKreport[2]_D_12162012_02d0039.txt

 

[Fra_SME]

Shall I re-run aswMBR as well?

 

[Broni]

Yes. If it gives you another BSOD run it from safe mode.

 

[Fra_SME]

Ok not 100% sure scan was complete but it looks so since no progress was done in like 5 minutes...
Here is the log in any case:



aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-16 02:19:09
-----------------------------
02:19:09.589 OS Version: Windows x64 6.1.7601 Service Pack 1
02:19:09.589 Number of processors: 4 586 0x2505
02:19:09.590 ComputerName: MARYFURLANI-PC UserName: Mary Furlani
02:19:10.825 Initialize success
02:19:22.360 AVAST engine defs: 12121502
02:19:26.835 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:19:26.838 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
02:19:26.876 Disk 0 MBR read successfully
02:19:26.879 Disk 0 MBR scan
02:19:26.884 Disk 0 Windows 7 default MBR code
02:19:26.888 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
02:19:26.908 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
02:19:26.924 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463526 MB offset 27469824
02:19:26.943 Disk 0 scanning C:\Windows\system32\drivers
02:19:38.373 Service scanning
02:20:23.175 Modules scanning
02:20:23.183 Disk 0 trace - called modules:
02:20:23.230 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:20:23.237 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80070e1060]
02:20:23.242 3 CLASSPNP.SYS[fffff88001d4b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005103050]
02:20:24.635 AVAST engine scan C:\Windows
02:20:28.313 AVAST engine scan C:\Windows\system32
02:24:22.909 AVAST engine scan C:\Windows\system32\drivers
02:24:37.187 AVAST engine scan C:\Users\Mary Furlani
02:28:10.771 Disk 0 MBR has been saved successfully to "C:\Users\Mary Furlani\Desktop\MBR.dat"
02:28:10.772 The log file has been saved successfully to "C:\Users\Mary Furlani\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-16 02:19:09
-----------------------------
02:19:09.589 OS Version: Windows x64 6.1.7601 Service Pack 1
02:19:09.589 Number of processors: 4 586 0x2505
02:19:09.590 ComputerName: MARYFURLANI-PC UserName: Mary Furlani
02:19:10.825 Initialize success
02:19:22.360 AVAST engine defs: 12121502
02:19:26.835 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:19:26.838 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
02:19:26.876 Disk 0 MBR read successfully
02:19:26.879 Disk 0 MBR scan
02:19:26.884 Disk 0 Windows 7 default MBR code
02:19:26.888 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
02:19:26.908 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
02:19:26.924 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463526 MB offset 27469824
02:19:26.943 Disk 0 scanning C:\Windows\system32\drivers
02:19:38.373 Service scanning
02:20:23.175 Modules scanning
02:20:23.183 Disk 0 trace - called modules:
02:20:23.230 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:20:23.237 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80070e1060]
02:20:23.242 3 CLASSPNP.SYS[fffff88001d4b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005103050]
02:20:24.635 AVAST engine scan C:\Windows
02:20:28.313 AVAST engine scan C:\Windows\system32
02:24:22.909 AVAST engine scan C:\Windows\system32\drivers
02:24:37.187 AVAST engine scan C:\Users\Mary Furlani
02:28:10.771 Disk 0 MBR has been saved successfully to "C:\Users\Mary Furlani\Desktop\MBR.dat"
02:28:10.772 The log file has been saved successfully to "C:\Users\Mary Furlani\Desktop\aswMBR.txt"
02:38:04.283 Disk 0 MBR has been saved successfully to "C:\Users\Mary Furlani\Desktop\MBR.dat"
02:38:04.284 The log file has been saved successfully to "C:\Users\Mary Furlani\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-16 02:39:31
-----------------------------
02:39:31.760 OS Version: Windows x64 6.1.7601 Service Pack 1
02:39:31.761 Number of processors: 4 586 0x2505
02:39:31.761 ComputerName: MARYFURLANI-PC UserName: Mary Furlani
02:39:33.426 Initialize success
02:39:39.966 AVAST engine defs: 12121502
02:39:43.149 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:39:43.151 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
02:39:43.220 Disk 0 MBR read successfully
02:39:43.222 Disk 0 MBR scan
02:39:43.227 Disk 0 Windows 7 default MBR code
02:39:43.249 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
02:39:43.286 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
02:39:43.324 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463526 MB offset 27469824
02:39:43.387 Disk 0 scanning C:\Windows\system32\drivers
02:40:10.548 Service scanning
02:41:04.940 Modules scanning
02:41:04.949 Disk 0 trace - called modules:
02:41:05.007 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:41:05.014 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80070e1060]
02:41:05.019 3 CLASSPNP.SYS[fffff88001d4b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005103050]
02:41:07.350 AVAST engine scan C:\Windows
02:41:16.335 AVAST engine scan C:\Windows\system32
02:44:35.831 AVAST engine scan C:\Windows\system32\drivers
02:44:50.598 AVAST engine scan C:\Users\Mary Furlani
02:55:49.674 Disk 0 MBR has been saved successfully to "C:\Users\Mary Furlani\Desktop\MBR.dat"
02:55:49.680 The log file has been saved successfully to "C:\Users\Mary Furlani\Desktop\aswMBR.txt"

 

[Broni]

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

================================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  If the connection is not there use restore point you created prior to running Combofix.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.