search redirect nothing detected


34 replies to this topic

#1 devinjc (New Member, Members, 18 posts)

Posted 31 March 2011 - 11:01 AM

Wits end, probably have done a lot of things I shouldn't have... was going to just reimage, but thought I'd try this as I'm really curious at this point. Nothing bad is showing up on any scans that I see. Thanks in advance.

DDS.txt

.
DDS (Ver_11-03-05.01) - FAT32x86
Run by james at 8:39:10.21 on Thu 03/31/2011
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.2110 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
f:\UnHackMe\hackmon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\dvd43\DVD43_Tray.exe
F:\iTunes7\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Free Download Manager\fdm.exe
F:\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Users\james\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - f:\free download manager\iefdm2.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Steam] "f:\steam\Steam.exe" -silent
uRun: [Free Download Manager] f:\free download manager\fdm.exe -autorun
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "f:\itunes7\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "f:\malwarebytes\mbam.exe" /runcleanupscript
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - f:\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\squeez~1.lnk - f:\squeezebox\SqueezeTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://f:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\free download manager\dllink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ssl.water.ca.gov/dana-cached/sc/JuniperSetupClient.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\wf24yb9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\users\james\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\james\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: f:\itunes7\mozilla plugins\npitunes.dll
FF - plugin: f:\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\james\appdata\roaming\Move Networks
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 SscRdBus;Virtual bus device (SuperSpeed LLC);c:\windows\system32\drivers\SscRdBus.sys [2009-6-18 67608]
R0 SscRdCls;RAM Disk (SuperSpeed LLC);c:\windows\system32\drivers\SscRdCls.sys [2007-12-19 40984]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-28 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-28 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-28 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-28 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-28 42184]
R2 SqueezeMySQL;SqueezeMySQL;f:\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~1\cache\my.cnf squeezemysql --> f:\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~1\cache\my.cnf SqueezeMySQL [?]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-3-27 35816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-3-27 24416]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;f:\sandra benchmark\sisoftware sandra lite 2010.sp2\RpcAgentSrv.exe [2010-8-1 93848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-6 1343400]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-03-28 05:29:09 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-03-28 05:29:07 2 --shatr- c:\windows\winstart.bat
2011-03-26 23:22:21 149504 --sha-r- c:\windows\system32\KBDBENEY.dll
2011-03-03 02:56:50 37943240 ----a-w- c:\windows\system32\MRT.exe
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04:17 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 05:34:32 716800 ----a-w- c:\windows\system32\jscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: STT_FTM6 rev.1571 -> Harddisk3\DR3 -> \Device\00000068
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
c:\windows\system32\drivers\nvstor.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver
1 ntkrnlpa!IofCallDriver[0x83476448] -> \Device\Harddisk3\DR3[0x873B9AC8]
3 CLASSPNP[0x8BE5E59E] -> ntkrnlpa!IofCallDriver[0x83476448] -> [0x85FE2B50]
5 ACPI[0x840CC3B2] -> ntkrnlpa!IofCallDriver[0x83476448] -> \Device\00000066[0x86DCB030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
error: Read Insufficient system resources exist to complete the requested service.
.
============= FINISH: 8:40:02.36 ===============




#2 Maniac (Forum Deity, Experts, 21,410 posts, Male, Bulgaria, EU)

Posted 31 March 2011 - 11:15 AM

Hello devinjc! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Let's start from somewhere.


Step 1

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:
  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features
Click on the program name AskBarDis to highlight it
From the menu at the top, select Uninstall or Remove.

Please reboot the computer.


Step 2

You have some leftovers from AVG. Use their uninstaller to clean them:
http://download.avg....6_2011_1184.exe


Step 3

* Go to start > run... and type: wbemtest > hit enter
* There, click connect
* In the field on top, where it says "root\default", type root\SecurityCenter instead, then click the connect button.
* Below, click the "Query... " button
* In the query box, type: Select * From AntivirusProduct and hit apply.
* In there, select the entry with the guid {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} and hit delete below. Then close that window.


Finally, post a new fresh DDS log file.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
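A scripted equivalent of the wbemtest steps in Step 3, added here as an example and not part of the thread: it lists the AntivirusProduct entries in root\SecurityCenter and also in root\SecurityCenter2 (Windows Vista and later register security products there), and deletes only the entry whose instanceGuid matches the stale AVG GUID, and only when run with -Remove. The default GUID is the one quoted in Step 3; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread: inspect and optionally clean a stale
# AntivirusProduct registration left behind by an uninstalled AV product.
param(
    # Default is the stale AVG GUID quoted in the thread.
    [string]$StaleGuid = '{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}',
    # Without -Remove the script only lists what it finds.
    [switch]$Remove
)

# root\SecurityCenter is the XP-era namespace; Vista and later use root\SecurityCenter2.
$namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'

foreach ($ns in $namespaces) {
    try {
        $products = Get-WmiObject -Namespace $ns -Class AntivirusProduct -ErrorAction Stop
    } catch {
        # Missing namespace or class ("invalid class" in wbemtest) is not an error worth stopping for.
        Write-Host "$ns : namespace or class not available ($($_.Exception.Message))"
        continue
    }
    if (-not $products) {
        Write-Host "$ns : 0 AntivirusProduct entries"
        continue
    }
    foreach ($p in $products) {
        Write-Host ("{0} : {1} {2} exe={3}" -f $ns, $p.instanceGuid, $p.displayName, $p.pathToSignedProductExe)
        if ($Remove -and $p.instanceGuid -eq $StaleGuid) {
            # Delete only the matching entry; the currently installed product is left alone.
            $p.Delete()
            Write-Host "Removed stale entry $StaleGuid from $ns"
        }
    }
}
```

Compare the listed entries against what is actually installed before using -Remove; an entry whose exe path no longer exists is the usual sign of a leftover registration.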

#3 devinjc (New Member, Members, 18 posts)

Posted 31 March 2011 - 01:52 PM

Hello Borislav, thank you very much for the help.

Step 1: No AskBarDis in programs to remove, however search for "ask" revealed Foxit toolbar with ask.com association, removed that.
Step 2: Done
Step 3: Opened wbemtest, clicked connect, replaced "root\cimv2" with "root\SecurityCenter", clicked connect. Query, entered "Select * From AntivirusProduct", returned no entries to delete.



New DDS just in case.
.
DDS (Ver_11-03-05.01) - FAT32x86
Run by james at 11:32:57.48 on Thu 03/31/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.2293 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
f:\UnHackMe\hackmon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\dvd43\DVD43_Tray.exe
F:\iTunes7\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Free Download Manager\fdm.exe
F:\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\james\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - f:\free download manager\iefdm2.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Steam] "f:\steam\Steam.exe" -silent
uRun: [Free Download Manager] f:\free download manager\fdm.exe -autorun
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "f:\itunes7\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "f:\malwarebytes\mbam.exe" /runcleanupscript
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - f:\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\squeez~1.lnk - f:\squeezebox\SqueezeTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://f:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\free download manager\dllink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ssl.water.ca.gov/dana-cached/sc/JuniperSetupClient.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\wf24yb9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\users\james\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\james\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: f:\itunes7\mozilla plugins\npitunes.dll
FF - plugin: f:\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\james\appdata\roaming\Move Networks
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 SscRdBus;Virtual bus device (SuperSpeed LLC);c:\windows\system32\drivers\SscRdBus.sys [2009-6-18 67608]
R0 SscRdCls;RAM Disk (SuperSpeed LLC);c:\windows\system32\drivers\SscRdCls.sys [2007-12-19 40984]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-28 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-28 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-28 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-28 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-28 42184]
R2 SqueezeMySQL;SqueezeMySQL;f:\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~1\cache\my.cnf squeezemysql --> f:\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~1\cache\my.cnf SqueezeMySQL [?]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-3-27 35816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-3-27 24416]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;f:\sandra benchmark\sisoftware sandra lite 2010.sp2\RpcAgentSrv.exe [2010-8-1 93848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-6 1343400]
.
=============== Created Last 30 ================
.
2011-03-30 07:23:10 -------- d-----w- c:\users\james\appdata\local\temp
2011-03-30 07:21:34 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-30 07:08:54 98816 ----a-w- c:\windows\sed.exe
2011-03-30 07:08:54 89088 ----a-w- c:\windows\MBR.exe
2011-03-30 07:08:54 256512 ----a-w- c:\windows\PEV.exe
2011-03-30 07:08:54 161792 ----a-w- c:\windows\SWREG.exe
2011-03-30 07:08:50 -------- d-----w- C:\23
2011-03-30 01:31:59 981504 ----a-w- c:\windows\system32\wininet.dll
2011-03-29 06:51:52 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-03-29 06:51:52 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-29 06:51:42 40648 ----a-w- c:\windows\avastSS.scr
2011-03-29 06:51:40 -------- d-----w- c:\program files\AVAST Software
2011-03-29 06:51:40 -------- d-----w- c:\progra~2\AVAST Software
2011-03-29 06:06:05 -------- d-----w- C:\TEMP
2011-03-29 05:19:20 -------- d-----w- c:\program files\CCleaner
2011-03-28 05:34:25 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-03-28 05:29:09 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-03-28 05:29:09 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-03-28 05:29:07 2 --shatr- c:\windows\winstart.bat
2011-03-28 05:29:05 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-03-27 22:04:32 -------- d-----w- c:\users\james\appdata\roaming\Malwarebytes
2011-03-27 22:04:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 22:04:30 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-27 22:04:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-27 21:45:37 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-27 21:45:35 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-27 21:45:15 -------- d-----w- c:\progra~2\Hitman Pro
2011-03-26 23:36:16 0 ----a-w- c:\users\james\appdata\local\Esixuka.bin
2011-03-26 23:22:21 149504 --sha-r- c:\windows\system32\KBDBENEY.dll
2011-03-26 23:14:52 -------- d-----w- c:\users\james\appdata\roaming\GARMIN
2011-03-26 23:14:12 -------- d-----w- C:\WebUpdater
2011-03-26 23:13:51 -------- d-----w- C:\Garmin
2011-03-14 16:42:48 -------- d--h--w- c:\progra~2\Common Files
2011-03-09 17:01:21 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: STT_FTM6 rev.1571 -> Harddisk3\DR3 -> \Device\00000068
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
c:\windows\system32\drivers\nvstor.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver
1 ntkrnlpa!IofCallDriver[0x83478448] -> \Device\Harddisk3\DR3[0x873BDAC8]
3 CLASSPNP[0x8BE0F59E] -> ntkrnlpa!IofCallDriver[0x83478448] -> [0x86DC84F0]
5 ACPI[0x840493B2] -> ntkrnlpa!IofCallDriver[0x83478448] -> \Device\00000066[0x86DC8030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
error: Read Insufficient system resources exist to complete the requested service.
.
============= FINISH: 11:33:15.09 ===============




#4 Maniac (Forum Deity, Experts, 21,410 posts, Male, Bulgaria, EU)

Posted 31 March 2011 - 05:11 PM

You don't have root\default?

#5 devinjc (New Member, Members, 18 posts)

Posted 31 March 2011 - 10:44 PM

I can switch to root\default but the first time I hit connect it shows "root\cimv2"

#6 Maniac (Forum Deity, Experts, 21,410 posts, Male, Bulgaria, EU)

Posted 01 April 2011 - 03:48 AM

Okay, what about with root/default?

#7 devinjc (New Member, Members, 18 posts)

Posted 01 April 2011 - 10:14 AM

Not sure I understand what you are asking at this point.

Attempted all of the following:

Root\default > Query Select * From AntivirusProduct = invalid class error
Root/default > Query Select * From AntivirusProduct = invalid class error

Root/default > root/securitycenter > Query Select * From AntivirusProduct = 0 objects
Root\default > root\securitycenter > Query Select * From AntivirusProduct = 0 objects

#8 Maniac (Forum Deity, Experts, 21,410 posts, Male, Bulgaria, EU)

Posted 01 April 2011 - 10:17 AM

Let me think. Meanwhile:


  • Download MBRCheck to your desktop
  • For Windows XP: Double click on MBRCheck.exe to run it.
  • For Windows Vista/7: Right click on MBRCheck.exe and select Run as Administrator
  • It will show a black screen with some data on it
  • Don't run any of the options!!!
  • When it's done, Press Enter to close the program
  • A file called MBRCheck_ will appear on your desktop
  • Please copy it into your next reply


#9 devinjc (New Member, Members, 18 posts)

Posted 01 April 2011 - 11:34 AM

Fun stuff. MBRcheck locked up the machine (or so it appeared, unresponsive to everything including enter) after an hour I rebooted. Now I'm getting NTLDR missing. Will repair that tonight hopefully.

Thanks for all your help so far, it will probably be 10-12 hours before I get a chance to do anything else.

#10 devinjc (New Member, Members, 18 posts)

Posted 01 April 2011 - 10:10 PM

Back in business, here's the MBRCHECK log that it generated earlier. I can run again if incomplete, but will wait for your direction.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: MSI
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: MSI
System Product Name: MS-7350
Logical Drives Mask: 0x00020dfc

Kernel Drivers (total 163):
0x8BF65000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8BF73000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8BF8A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8BF95000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8BF9F000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9123E000 \SystemRoot\system32\drivers\afd.sys
0x91298000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x9129D000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x912A4000 \SystemRoot\system32\DRIVERS\pacer.sys
0x912C3000 \SystemRoot\system32\DRIVERS\netbios.sys
0x912D1000 \SystemRoot\system32\DRIVERS\serial.sys
0x912EB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x912FE000 \SystemRoot\system32\DRIVERS\termdd.sys
0x9130E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9134F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x91359000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x91363000 \SystemRoot\System32\drivers\discache.sys
0x9136F000 \SystemRoot\system32\drivers\csc.sys
0x913D3000 \SystemRoot\System32\Drivers\dfsc.sys
0x913EB000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x91625000 \SystemRoot\System32\Drivers\aswSP.SYS
0x9166D000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x9168E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x91E3C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x916A0000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x927A2000 \SystemRoot\System32\drivers\dxgmms1.sys
0x927DB000 \SystemRoot\system32\DRIVERS\serenum.sys
0x927E5000 \SystemRoot\system32\DRIVERS\parport.sys
0x91E00000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x91E18000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x91E25000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x91E32000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x91757000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x917A2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x917B1000 \SystemRoot\System32\DRIVERS\dvd43llh.sys
0x917B6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x917BC000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x91600000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x92C2E000 \SystemRoot\system32\DRIVERS\nvm62x32.sys
0x92C83000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x92C90000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x92CA2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x92CBA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x92CC5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x92CE7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x92CFF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x92D16000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x92D2D000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x92D37000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0x92D54000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x92D7A000 \SystemRoot\system32\DRIVERS\swenum.sys
0x92D7C000 \SystemRoot\system32\DRIVERS\ks.sys
0x92DB0000 \SystemRoot\system32\DRIVERS\umbus.sys
0x92E07000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x92E4B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x93037000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x932C0000 \SystemRoot\system32\drivers\portcls.sys
0x932EF000 \SystemRoot\system32\drivers\drmk.sys
0x93308000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9331F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x93321000 \SystemRoot\System32\Drivers\fastfat.SYS
0x96830000 \SystemRoot\System32\win32k.sys
0x9334B000 \SystemRoot\System32\drivers\Dxapi.sys
0x93355000 \SystemRoot\System32\Drivers\crashdmp.sys
0x93362000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x9336C000 \SystemRoot\System32\Drivers\dump_nvstor.sys
0x93391000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x933A2000 \SystemRoot\system32\DRIVERS\monitor.sys
0x96A90000 \SystemRoot\System32\TSDDD.dll
0x96AC0000 \SystemRoot\System32\cdd.dll
0x933AD000 \SystemRoot\system32\drivers\luafv.sys
0x933C8000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x93000000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x93003000 \SystemRoot\system32\drivers\WudfPf.sys
0x9301D000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x92E5C000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x92E6F000 \SystemRoot\system32\drivers\HTTP.sys
0x92EF4000 \SystemRoot\system32\DRIVERS\bowser.sys
0x92F0D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x92F1F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x92F42000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x92F7D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9302D000 \SystemRoot\system32\DRIVERS\parvdm.sys
0x9E40C000 \SystemRoot\system32\drivers\peauth.sys
0x9E4A3000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9E4AD000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9E4CE000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9E4DB000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9E52A000 \SystemRoot\System32\DRIVERS\srv.sys
0x9E57B000 \SystemRoot\System32\drivers\rdpdr.sys
0x9E5A0000 \SystemRoot\system32\drivers\tdtcp.sys
0x9E5AA000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
0x9E5B7000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x92F98000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA54A1000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA54AA000 \??\R:\Temp\mbr.sys
0x77130000 \Windows\System32\ntdll.dll
0x48310000 \Windows\System32\smss.exe
0x77370000 \Windows\System32\apisetschema.dll

Processes (total 64):
0 System Idle Process
4 System
292 C:\Windows\System32\smss.exe
464 csrss.exe
512 C:\Windows\System32\wininit.exe
520 csrss.exe
572 C:\Windows\System32\services.exe
580 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
616 C:\Windows\System32\winlogon.exe
744 C:\Windows\System32\svchost.exe
856 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1408 C:\Windows\System32\svchost.exe
1488 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1788 C:\Windows\System32\taskeng.exe
1796 C:\Windows\System32\spoolsv.exe
1832 C:\Windows\System32\svchost.exe
1880 C:\Windows\System32\rundll32.exe
1960 C:\Windows\System32\svchost.exe
1980 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2044 C:\Program Files\Bonjour\mDNSResponder.exe
388 C:\Windows\System32\svchost.exe
412 C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
1120 C:\Windows\System32\PnkBstrA.exe
1304 C:\Windows\System32\PnkBstrB.exe
1340 F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
2056 C:\Windows\System32\svchost.exe
2092 C:\Windows\System32\SearchIndexer.exe
2860 WUDFHost.exe
2980 C:\Windows\System32\svchost.exe
3868 C:\Windows\System32\taskeng.exe
2100 C:\Windows\System32\dwm.exe
4044 C:\Windows\System32\taskhost.exe
3832 C:\Windows\explorer.exe
3980 F:\UnHackMe\hackmon.exe
4072 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
2792 C:\Program Files\dvd43\DVD43_Tray.exe
2656 F:\iTunes7\iTunesHelper.exe
3972 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3012 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2380 F:\Free Download Manager\fdm.exe
2572 F:\MagicDisc\MagicDisc.exe
1144 C:\Program Files\iPod\bin\iPodService.exe
3128 C:\Program Files\Windows Media Player\wmpnetwk.exe
6100 C:\Windows\System32\ctfmon.exe
1680 C:\Windows\System32\notepad.exe
1276 F:\Squeezebox\SqueezeTray.exe
1676 F:\SQUEEZ~1\server\SQUEEZ~3.EXE
5932 C:\Program Files\Internet Explorer\iexplore.exe
4604 C:\Program Files\Internet Explorer\iexplore.exe
3032 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
5828 C:\Windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe
4680 WmiPrvSE.exe
772 C:\Program Files\Internet Explorer\iexplore.exe
3988 C:\Windows\System32\SearchProtocolHost.exe
3448 C:\Windows\System32\SearchFilterHost.exe
5688 C:\Windows\System32\audiodg.exe
4256 C:\Users\james\Desktop\MBRCheck.exe
5924 C:\Windows\System32\conhost.exe
4328 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive3 at offset 0x00000000`00103e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)
\\.\G: --> \\.\PhysicalDrive5 at offset 0x0000000c`0cbf3000 (NTFS)
\\.\K: --> \\.\PhysicalDrive2 at offset 0x00000000`08100000 (NTFS)
\\.\L: --> \\.\PhysicalDrive4 at offset 0x00000000`08100000 (NTFS)

PhysicalDrive3 Model Number: STT_FTM64GX25H, Rev: 1571
PhysicalDrive0 Model Number: ST3400633A, Rev: 3.AAH
PhysicalDrive5 Model Number: WDC WD16, Rev: 10.0
PhysicalDrive1 Model Number: WDC WD5000AAKS-65YGA, Rev: 12.0
PhysicalDrive2 Model Number: WDC WD10EALS-00Z8A0, Rev: 05.0
PhysicalDrive4 Model Number: WDC WD20EARS-00MVWB0, Rev: 50.0

Size Device Name MBR Status
--------------------------------------------
59 GB \\.\PhysicalDrive3

#11 Maniac

Maniac

    Forum Deity

  • Experts
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 02 April 2011 - 05:15 AM

It seems cut, please try again.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#12 devinjc

devinjc

    New Member

  • Members
  • 18 posts

Posted 02 April 2011 - 11:02 AM

Ran MBRcheck again. This time the window indicated it was finished and said to hit Enter to close. I hit Enter, it flashed "not responding", then blue screened. At least this time the BIOS still recognizes the SSD boot drive. Here is the log; I had deleted the previous one. This one looks similar. I do have a RAM drive set up (drive letter R); I wonder if that is an issue with this?


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: MSI
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: MSI
System Product Name: MS-7350
Logical Drives Mask: 0x00020cfc

Kernel Drivers (total 162):
0x83401000 \SystemRoot\system32\ntkrnlpa.exe
0x83811000 \SystemRoot\system32\halmacpi.dll
0x80BD4000 \SystemRoot\system32\kdcom.dll
0x83A38000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x83AB0000 \SystemRoot\system32\PSHED.dll
0x83AC1000 \SystemRoot\system32\BOOTVID.dll
0x83AC9000 \SystemRoot\system32\CLFS.SYS
0x83B0B000 \SystemRoot\system32\CI.dll
0x84021000 \SystemRoot\system32\drivers\Wdf01000.sys
0x84092000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x840A0000 \SystemRoot\system32\drivers\Partizan.sys
0x840A8000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x840F0000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x840F9000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x84101000 \SystemRoot\system32\DRIVERS\pci.sys
0x8412B000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x84136000 \SystemRoot\System32\drivers\partmgr.sys
0x84147000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x84157000 \SystemRoot\System32\drivers\volmgrx.sys
0x841A2000 \SystemRoot\system32\DRIVERS\pciide.sys
0x841A9000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x841B7000 \SystemRoot\System32\drivers\mountmgr.sys
0x841CD000 \SystemRoot\system32\DRIVERS\atapi.sys
0x841D6000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x83BB6000 \SystemRoot\system32\DRIVERS\nvstor.sys
0x8420A000 \SystemRoot\system32\DRIVERS\storport.sys
0x84251000 \SystemRoot\system32\DRIVERS\SscRdBus.sys
0x84264000 \SystemRoot\system32\DRIVERS\vsmraid.sys
0x84289000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x84292000 \SystemRoot\system32\DRIVERS\SscRdCls.sys
0x8429F000 \SystemRoot\system32\drivers\fltmgr.sys
0x842D3000 \SystemRoot\system32\drivers\fileinfo.sys
0x842E4000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8BC3A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BD69000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BD94000 \SystemRoot\System32\Drivers\ksecdd.sys
0x842ED000 \SystemRoot\System32\Drivers\cng.sys
0x8BDA7000 \SystemRoot\System32\drivers\pcw.sys
0x8BDB5000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8BE03000 \SystemRoot\system32\drivers\ndis.sys
0x8BEBA000 \SystemRoot\system32\drivers\NETIO.SYS
0x8BEF8000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C033000 \SystemRoot\System32\drivers\tcpip.sys
0x8C17C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C1AD000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8C1B6000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8C1F5000 \SystemRoot\System32\Drivers\spldr.sys
0x8C000000 \SystemRoot\System32\drivers\rdyboost.sys
0x8BF1D000 \SystemRoot\System32\Drivers\mup.sys
0x8BF2D000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8BF35000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8BF67000 \SystemRoot\system32\DRIVERS\disk.sys
0x8BF78000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8BDBE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8434A000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x8BFEA000 \SystemRoot\System32\Drivers\Null.SYS
0x8BFF1000 \SystemRoot\System32\Drivers\Beep.SYS
0x8BDDD000 \SystemRoot\System32\drivers\vga.sys
0x8BC00000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8BC21000 \SystemRoot\System32\drivers\watchdog.sys
0x8BFF8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8BC2E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8BDE9000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8BDF1000 \SystemRoot\System32\Drivers\Msfs.SYS
0x843A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x843B6000 \SystemRoot\system32\DRIVERS\tdx.sys
0x843CD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x843D8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x83A00000 \SystemRoot\System32\DRIVERS\netbt.sys
0x91A2D000 \SystemRoot\system32\drivers\afd.sys
0x91A87000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x91A8C000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x91A93000 \SystemRoot\system32\DRIVERS\pacer.sys
0x91AB2000 \SystemRoot\system32\DRIVERS\netbios.sys
0x91AC0000 \SystemRoot\system32\DRIVERS\serial.sys
0x91ADA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x91AED000 \SystemRoot\system32\DRIVERS\termdd.sys
0x91AFD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x91B3E000 \SystemRoot\system32\drivers\nsiproxy.sys
0x91B48000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x91B52000 \SystemRoot\System32\drivers\discache.sys
0x91B5E000 \SystemRoot\system32\drivers\csc.sys
0x91BC2000 \SystemRoot\System32\Drivers\dfsc.sys
0x91BDA000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x91C3D000 \SystemRoot\System32\Drivers\aswSP.SYS
0x91C85000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x91CA6000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x92E23000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x91CB8000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x93789000 \SystemRoot\System32\drivers\dxgmms1.sys
0x937C2000 \SystemRoot\system32\DRIVERS\serenum.sys
0x937CC000 \SystemRoot\system32\DRIVERS\parport.sys
0x937E4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x92E00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x92E0D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x91D6F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x91D79000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x91DC4000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x92E1A000 \SystemRoot\System32\DRIVERS\dvd43llh.sys
0x91DD3000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x91C00000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x91DD9000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x9248F000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x9249C000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x924AE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x924C6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x924D1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x924F3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x9250B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x92522000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x92539000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x92543000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0x92560000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x92586000 \SystemRoot\system32\DRIVERS\swenum.sys
0x92588000 \SystemRoot\system32\DRIVERS\ks.sys
0x925BC000 \SystemRoot\system32\DRIVERS\umbus.sys
0x92803000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x92847000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x93C1C000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x93EA5000 \SystemRoot\system32\drivers\portcls.sys
0x93ED4000 \SystemRoot\system32\drivers\drmk.sys
0x93EED000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x93F03000 \SystemRoot\System32\Drivers\crashdmp.sys
0x93F10000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x93F1A000 \SystemRoot\System32\Drivers\dump_nvstor.sys
0x93F3F000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x98100000 \SystemRoot\System32\win32k.sys
0x93F50000 \SystemRoot\System32\drivers\Dxapi.sys
0x93F5A000 \SystemRoot\system32\DRIVERS\monitor.sys
0x98360000 \SystemRoot\System32\TSDDD.dll
0x98390000 \SystemRoot\System32\cdd.dll
0x93F65000 \SystemRoot\system32\drivers\luafv.sys
0x93F80000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x93FB8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x93FBB000 \SystemRoot\system32\drivers\WudfPf.sys
0x93FD5000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x93FE5000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x92858000 \SystemRoot\system32\drivers\HTTP.sys
0x93C00000 \SystemRoot\system32\DRIVERS\bowser.sys
0x928DD000 \SystemRoot\System32\drivers\mpsdrv.sys
0x928EF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x92912000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9294D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x93FF8000 \SystemRoot\system32\DRIVERS\parvdm.sys
0x92968000 \SystemRoot\system32\drivers\peauth.sys
0x925CA000 \SystemRoot\System32\Drivers\secdrv.SYS
0x925D4000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x92400000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA0629000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA0678000 \SystemRoot\System32\DRIVERS\srv.sys
0xA06C9000 \SystemRoot\System32\drivers\rdpdr.sys
0xA06EE000 \SystemRoot\system32\drivers\tdtcp.sys
0xA06F8000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
0xA0705000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA0736000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA07C1000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9240D000 \SystemRoot\system32\DRIVERS\nvm62x32.sys
0xA07CA000 \SystemRoot\System32\Drivers\fastfat.SYS
0xA0757000 \SystemRoot\system32\DRIVERS\udfs.sys
0x76FA0000 \Windows\System32\ntdll.dll
0x484E0000 \Windows\System32\smss.exe
0x771E0000 \Windows\System32\apisetschema.dll

Processes (total 61):
0 System Idle Process
4 System
292 C:\Windows\System32\smss.exe
456 csrss.exe
504 C:\Windows\System32\wininit.exe
512 csrss.exe
564 C:\Windows\System32\services.exe
572 C:\Windows\System32\lsass.exe
580 C:\Windows\System32\lsm.exe
604 C:\Windows\System32\winlogon.exe
724 C:\Windows\System32\svchost.exe
836 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
976 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1176 C:\Windows\System32\svchost.exe
1344 C:\Windows\System32\svchost.exe
1448 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1760 C:\Windows\System32\spoolsv.exe
1772 C:\Windows\System32\taskeng.exe
1812 C:\Windows\System32\svchost.exe
1856 C:\Windows\System32\rundll32.exe
1944 C:\Windows\System32\svchost.exe
1964 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2012 C:\Program Files\Bonjour\mDNSResponder.exe
180 C:\Windows\System32\svchost.exe
412 C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
1276 C:\Windows\System32\PnkBstrA.exe
1044 C:\Windows\System32\taskhost.exe
2104 C:\Windows\System32\taskeng.exe
2120 C:\Windows\System32\dwm.exe
2208 C:\Windows\explorer.exe
2288 F:\UnHackMe\hackmon.exe
2420 C:\Windows\System32\PnkBstrB.exe
2448 F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
2484 C:\Windows\System32\svchost.exe
2524 C:\Windows\System32\svchost.exe
2576 C:\Windows\System32\SearchIndexer.exe
3340 WUDFHost.exe
3460 C:\Windows\System32\svchost.exe
2892 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3204 C:\Program Files\dvd43\DVD43_Tray.exe
3480 F:\iTunes7\iTunesHelper.exe
516 C:\Program Files\AVAST Software\Avast\AvastUI.exe
752 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3748 F:\Free Download Manager\fdm.exe
3132 F:\MagicDisc\MagicDisc.exe
3892 C:\Program Files\iPod\bin\iPodService.exe
3900 C:\Program Files\Windows Media Player\wmpnetwk.exe
4280 C:\Windows\System32\svchost.exe
5700 F:\Squeezebox\SqueezeTray.exe
4404 F:\SQUEEZ~1\server\SQUEEZ~3.EXE
4664 C:\Windows\System32\svchost.exe
4272 C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
4852 C:\Windows\System32\SearchProtocolHost.exe
3504 C:\Windows\System32\SearchFilterHost.exe
4020 C:\Windows\System32\audiodg.exe
3468 C:\Windows\System32\ctfmon.exe
4836 C:\Users\james\Desktop\MBRCheck.exe
5468 C:\Windows\System32\conhost.exe
1768 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive3 at offset 0x00000000`00103e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)
\\.\G: --> \\.\PhysicalDrive5 at offset 0x0000000c`0cbf3000 (NTFS)
\\.\K: --> \\.\PhysicalDrive2 at offset 0x00000000`08100000 (NTFS)
\\.\L: --> \\.\PhysicalDrive4 at offset 0x00000000`08100000 (NTFS)

PhysicalDrive3 Model Number: STT_FTM64GX25H, Rev: 1571
PhysicalDrive0 Model Number: ST3400633A, Rev: 3.AAH
PhysicalDrive5 Model Number: WDC WD16, Rev: 10.0
PhysicalDrive1 Model Number: WDC WD5000AAKS-65YGA, Rev: 12.0
PhysicalDrive2 Model Number: WDC WD10EALS-00Z8A0, Rev: 05.0
PhysicalDrive4 Model Number: WDC WD20EARS-00MVWB0, Rev: 50.0

Size Device Name MBR Status
--------------------------------------------
59 GB \\.\PhysicalDrive3

#13 Maniac

Maniac

    Forum Deity

  • Experts
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 03 April 2011 - 05:02 AM

Are you sure that you copied the entire log file? Please attach it this time.

#14 devinjc

devinjc

    New Member

  • Members
  • 18 posts

Posted 03 April 2011 - 07:58 AM

Yes, that's the entire file. Attached.

Attached Files



#15 Maniac

Maniac

    Forum Deity

  • Experts
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 03 April 2011 - 08:14 AM

Hmm.... I really don't understand.


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    ----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#16 devinjc

devinjc

    New Member

  • Members
  • 18 posts

Posted 03 April 2011 - 11:31 AM

Glad to change tactics. :) Even tried MBRcheck in safe mode: instant crash, and 4 power cycles to get the BIOS to see the boot drive again.

DLed ComboFix as Combo-Fix to the desktop. Ran it. ComboFix popup: "AVG running, please disable." Cannot find any trace of AVG to disable, so I continued. ComboFix does its thing; here is the log:

ComboFix 11-04-02.05 - james 04/03/2011 9:17:42.4.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.2130 [GMT -7:00]
Running from: C:\Users\james\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


R:\Temp\catchme.dll
R:\temp\F2C6.tmp
R:\Temp\pdk-james-5248\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
R:\temp\pdk-james-5248\2076671ee5d0a5323570c92c74abac6f\Process.dll
R:\Temp\pdk-james-5248\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
R:\Temp\pdk-james-5248\23fe5d76b9491fa255db2281ac7687d5\Service.dll
R:\temp\pdk-james-5248\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
R:\temp\pdk-james-5248\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
R:\temp\pdk-james-5248\7020d50af327e3fc94b98242c307fc81\Cwd.dll
R:\Temp\pdk-james-5248\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
R:\temp\pdk-james-5248\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
R:\Temp\pdk-james-5248\86351894c58e4804ca004825fea78bbb\Encode.dll
R:\Temp\pdk-james-5248\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
R:\Temp\pdk-james-5248\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
R:\Temp\pdk-james-5248\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
R:\Temp\pdk-james-5248\f48694173221cfa9bad4275e2389b498\Win32.dll
R:\temp\pdk-james-5248\perl510.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_WMPNetworkSvc


((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))


2011-04-03 16:21:38 . 2011-04-03 16:21:38 -------- d-----w- C:\Users\Karen\AppData\Local\temp
2011-04-03 16:21:38 . 2011-04-03 16:21:38 -------- d-----w- C:\Users\james\AppData\Local\temp
2011-04-03 16:21:38 . 2011-04-03 16:21:38 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-03-30 07:08:50 . 2011-03-30 07:23:21 -------- d-----w- C:\23
2011-03-30 01:31:59 . 2010-12-21 05:38:24 73728 ----a-w- C:\Windows\system32\wscsvc.dll
2011-03-29 06:51:52 . 2011-02-23 13:56:55 371544 ----a-w- C:\Windows\system32\drivers\aswSnx.sys
2011-03-29 06:51:52 . 2011-02-23 13:56:45 301528 ----a-w- C:\Windows\system32\drivers\aswSP.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:49 49240 ----a-w- C:\Windows\system32\drivers\aswTdi.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:10 25432 ----a-w- C:\Windows\system32\drivers\aswRdr.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:03 53592 ----a-w- C:\Windows\system32\drivers\aswMonFlt.sys
2011-03-29 06:51:52 . 2011-02-23 13:54:55 19544 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2011-03-29 06:51:42 . 2011-02-23 14:04:21 40648 ----a-w- C:\Windows\avastSS.scr
2011-03-29 06:51:42 . 2011-02-23 14:04:17 190016 ----a-w- C:\Windows\system32\aswBoot.exe
2011-03-29 06:51:40 . 2011-03-29 06:51:40 -------- d-----w- C:\ProgramData\AVAST Software
2011-03-29 06:51:40 . 2011-03-29 06:51:40 -------- d-----w- C:\Program Files\AVAST Software
2011-03-29 06:06:05 . 2011-04-03 16:05:35 -------- d-----w- C:\TEMP
2011-03-29 05:25:19 . 2011-03-29 05:25:19 -------- d-----w- C:\Users\Karen\AppData\Roaming\Malwarebytes
2011-03-29 05:25:17 . 2011-03-29 05:25:17 -------- d-----w- C:\Users\Karen\AppData\Local\Apple Computer
2011-03-29 05:19:20 . 2011-03-29 05:19:20 -------- d-----w- C:\Program Files\CCleaner
2011-03-28 05:34:25 . 2011-03-30 15:22:59 24416 ----a-w- C:\Windows\system32\drivers\regguard.sys
2011-03-28 05:29:09 . 2011-03-28 05:29:09 39192 ----a-w- C:\Windows\system32\Partizan.exe
2011-03-28 05:29:09 . 2011-03-28 05:29:09 35816 ----a-w- C:\Windows\system32\drivers\Partizan.sys
2011-03-28 05:29:07 . 2011-03-28 05:29:07 2 --shatr- C:\Windows\winstart.bat
2011-03-28 05:29:05 . 2011-03-16 21:50:18 12808 ----a-w- C:\Windows\system32\drivers\UnHackMeDrv.sys
2011-03-27 22:04:32 . 2011-03-27 22:04:32 -------- d-----w- C:\Users\james\AppData\Roaming\Malwarebytes
2011-03-27 22:04:30 . 2011-03-27 22:04:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-03-27 22:04:30 . 2010-12-21 01:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2011-03-27 22:04:27 . 2010-12-21 01:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-03-27 21:45:37 . 2011-03-29 05:16:48 16968 ----a-w- C:\Windows\system32\drivers\hitmanpro35.sys
2011-03-27 21:45:35 . 2011-03-27 21:45:35 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2011-03-27 21:45:15 . 2011-03-27 21:49:15 -------- d-----w- C:\ProgramData\Hitman Pro
2011-03-26 23:36:16 . 2011-03-27 18:40:22 0 ----a-w- C:\Users\james\AppData\Local\Esixuka.bin
2011-03-26 23:22:21 . 2011-03-26 23:22:21 149504 --sha-r- C:\Windows\system32\KBDBENEY.dll
2011-03-26 23:14:52 . 2011-03-26 23:14:52 -------- d-----w- C:\Users\james\AppData\Roaming\GARMIN
2011-03-26 23:14:12 . 2011-03-28 02:45:20 -------- d-----w- C:\WebUpdater
2011-03-26 23:13:51 . 2011-03-26 23:14:18 -------- d-----w- C:\Garmin
2011-03-14 16:42:48 . 2011-03-14 16:42:48 -------- d--h--w- C:\ProgramData\Common Files
2011-03-09 17:01:21 . 2011-03-09 17:01:21 -------- d-----w- C:\Program Files\Bonjour


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-02-19 00:36:58 . 2011-02-19 00:36:58 41984 ----a-w- C:\Windows\system32\drivers\usbaapl.sys
2011-02-19 00:36:58 . 2011-02-19 00:36:58 4184352 ----a-w- C:\Windows\system32\usbaaplrc.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04:11 122512 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-14 16:35:34 39408]
"Steam"="F:\Steam\Steam.exe" [2010-12-27 00:20:08 1242448]
"Free Download Manager"="F:\Free Download Manager\fdm.exe" [2009-01-31 10:45:14 3399727]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-14 16:35:33 122880]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-21 03:21:50 7625248]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-11-18 01:50:14 827904]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-30 01:38:18 421888]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 01:17:16 47904]
"iTunesHelper"="F:\iTunes7\iTunesHelper.exe" [2011-03-07 23:33:40 421160]
"Malwarebytes' Anti-Malware (reboot)"="F:\Malwarebytes\mbam.exe" [2010-12-21 01:08:46 963976]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-02-23 14:04:20 3451496]

C:\Users\james\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - F:\MagicDisc\MagicDisc.exe [2011-1-28 576000]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2010-4-18 67128]
Squeezebox Server Tray Tool.lnk - F:\Squeezebox\SqueezeTray.exe [2009-11-12 2351191]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 20:16:28 130384]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:24 136176]
R3 RegGuard;RegGuard;C:\Windows\system32\Drivers\regguard.sys [2011-03-30 15:22:59 24416]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;F:\Sandra Benchmark\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [2009-08-10 20:34:40 93848]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-03-06 11:00:13 1343400]
S0 Partizan;Partizan;C:\Windows\system32\drivers\Partizan.sys [2011-03-28 05:29:09 35816]
S0 SscRdBus;Virtual bus device (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdBus.sys [2009-06-18 16:24:00 67608]
S0 SscRdCls;RAM Disk (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdCls.sys [2007-12-20 02:22:16 40984]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2011-02-23 13:55:03 53592]
S2 SqueezeMySQL;SqueezeMySQL;F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2010-12-13 21:18:02 4149248]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc

Contents of the 'Scheduled Tasks' folder

2011-04-03 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:30 . 2010-05-30 01:43:24]

2011-04-03 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:30 . 2010-05-30 01:43:24]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://F:\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://F:\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://F:\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://F:\Free Download Manager\dllink.htm
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - C:\Users\james\AppData\Roaming\Mozilla\Firefox\Profiles\wf24yb9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\james\AppData\Roaming\Move Networks
FF - Ext: avast! WebRep: wrc@avast.com - C:\Program Files\AVAST Software\Avast\WebRep\FF


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
f:\UnHackMe\hackmon.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe

**************************************************************************

Completion time: 2011-04-03 09:24:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 16:24:46
ComboFix2.txt 2011-03-30 07:22:51

Pre-Run: 38,492,540,928 bytes free
Post-Run: 38,224,654,336 bytes free

- - End Of File - - 64743F67FD966A2DBE5436FEC4163ED3

#17 Maniac

    Forum Deity

  • Experts
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 03 April 2011 - 11:35 AM

Please visit www.virustotal.com and upload the following file:
C:\Windows\system32\KBDBENEY.dll

Please post the result in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#18 devinjc

    New Member

  • Members
  • 18 posts

Posted 03 April 2011 - 12:32 PM

I can't see that dll to upload it. Closest visible is KBDBENE.dll in the system32 folder. I have show hidden turned on. A search of C:\ for KBDB does not show it either.
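
The file Maniac asked about, C:\Windows\system32\KBDBENEY.dll, appears in the ComboFix listing above with the flags "--sha-r-", that is, with both the System and the Hidden attribute set. Explorer keeps such files out of view even when "Show hidden files" is enabled, unless "Hide protected operating system files" is unchecked as well, so a file can be present on disk yet absent from an Explorer search; from a command prompt, "dir /a:sh C:\Windows\system32\KBDBENEY.dll" or "attrib C:\Windows\system32\KBDBENEY.dll" shows it regardless. The Python script below is an added example for this thread, not code from ComboFix or from anyone posting here: it parses entries in the ComboFix "Files Created" format and flags the two patterns visible in this log, a hidden+system file under \Windows and a loose file dropped directly into a user's AppData root. The sample lines are copied from the log above; the flag-letter interpretation, the heuristics and the names parse_entries/flag_suspicious/scan_log are the example's own.

```python
"""Flag ComboFix 'Files Created' entries that Explorer hides or that sit where
installers rarely put loose files.

Added example for this thread; not part of ComboFix or of the original posts.
The rules are triage heuristics: a hit means 'hash and inspect this file',
not 'this file is malicious'.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One log entry, as printed in the listing above:
#   <created> . <modified> <size or dashes> <flags> <path>
# The flag field is eight characters: 'd' marks a directory, 's' the System
# attribute, 'h' the Hidden attribute (e.g. "--sha-r-", "d--h--w-").
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<flags>[A-Za-z-]{8}) "
    r"(?P<path>\S.*)$"
)

# A file (not a sub-folder) sitting directly in <user>\AppData\Local or \Roaming.
APPDATA_ROOT_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\[^\\]+$", re.IGNORECASE
)

# Lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2011-03-29 06:51:52 . 2011-02-23 13:54:55 19544 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2011-03-28 05:29:07 . 2011-03-28 05:29:07 2 --shatr- C:\Windows\winstart.bat
2011-03-27 22:04:32 . 2011-03-27 22:04:32 -------- d-----w- C:\Users\james\AppData\Roaming\Malwarebytes
2011-03-26 23:36:16 . 2011-03-27 18:40:22 0 ----a-w- C:\Users\james\AppData\Local\Esixuka.bin
2011-03-26 23:22:21 . 2011-03-26 23:22:21 149504 --sha-r- C:\Windows\system32\KBDBENEY.dll
2011-03-14 16:42:48 . 2011-03-14 16:42:48 -------- d--h--w- C:\ProgramData\Common Files
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: int      # -1 for directories, which ComboFix prints as dashes
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags

    @property
    def hidden_and_system(self) -> bool:
        return "s" in self.flags and "h" in self.flags


def parse_entries(text: str) -> List[Entry]:
    """Parse every line in the ComboFix entry format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        size = int(m["size"]) if m["size"].isdigit() else -1
        entries.append(Entry(m["created"], m["modified"], size, m["flags"], m["path"]))
    return entries


def flag_suspicious(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        if e.hidden_and_system and "\\windows\\" in e.path.lower():
            # Explorer omits System+Hidden files even with 'Show hidden files'
            # on, unless 'Hide protected operating system files' is unchecked
            # too; such a file is present but invisible to a casual search.
            findings.append((e.path, "hidden+system file under \\Windows"))
        if APPDATA_ROOT_RE.match(e.path):
            # Installers create sub-folders under AppData; a loose file placed
            # directly in the AppData root is unusual and worth a hash lookup.
            findings.append((e.path, "loose file directly under AppData root"))
    return findings


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse a log and return its findings."""
    return flag_suspicious(parse_entries(text))


if __name__ == "__main__":
    for path, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run against the sample lines it reports KBDBENEY.dll, Esixuka.bin and winstart.bat and stays quiet about the avast driver and the two directories. winstart.bat is a deliberate reminder that a hit is a prompt to check, not a verdict: it was created in the same second as Partizan.exe and Partizan.sys, the UnHackMe components the user installed, so its hidden+system flags are expected. The output of a script like this is the list of paths to hash and submit, which is exactly the step Maniac asks for in the next post.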

#19 Maniac

Posted 03 April 2011 - 12:43 PM

Thanks!


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=80038

SecCenter::
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} 

Collect::[8]
C:\Windows\system32\KBDBENEY.dll 

File::
C:\Users\james\AppData\Local\Esixuka.bin

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

#20 devinjc

Posted 03 April 2011 - 03:42 PM

It hung the first time on reboot, so I repeated the process as described.

ComboFix 11-04-03.01 - james 04/03/2011 13:23:40.6.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.2272 [GMT -7:00]
Running from: C:\Users\james\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\james\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"C:\Users\james\AppData\Local\Esixuka.bin"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


R:\Temp\catchme.dll
R:\Temp\CFB.tmp

---- Previous Run -------

C:\Users\james\AppData\Local\Esixuka.bin
C:\Windows\system32\KBDBENEY.dll
R:\Temp\catchme.dll


((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))


2011-04-03 20:27:33 . 2011-04-03 20:27:33 -------- d-----w- C:\Users\Karen\AppData\Local\temp
2011-04-03 20:27:33 . 2011-04-03 20:27:33 -------- d-----w- C:\Users\james\AppData\Local\temp
2011-04-03 20:27:33 . 2011-04-03 20:27:33 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-04-03 19:35:59 . 2011-04-03 20:22:25 -------- d-----w- C:\Combo-Fix
2011-03-30 07:08:50 . 2011-03-30 07:23:21 -------- d-----w- C:\23
2011-03-30 01:31:59 . 2010-12-21 05:38:24 73728 ----a-w- C:\Windows\system32\wscsvc.dll
2011-03-29 06:51:52 . 2011-02-23 13:56:55 371544 ----a-w- C:\Windows\system32\drivers\aswSnx.sys
2011-03-29 06:51:52 . 2011-02-23 13:56:45 301528 ----a-w- C:\Windows\system32\drivers\aswSP.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:49 49240 ----a-w- C:\Windows\system32\drivers\aswTdi.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:10 25432 ----a-w- C:\Windows\system32\drivers\aswRdr.sys
2011-03-29 06:51:52 . 2011-02-23 13:55:03 53592 ----a-w- C:\Windows\system32\drivers\aswMonFlt.sys
2011-03-29 06:51:52 . 2011-02-23 13:54:55 19544 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2011-03-29 06:51:42 . 2011-02-23 14:04:21 40648 ----a-w- C:\Windows\avastSS.scr
2011-03-29 06:51:42 . 2011-02-23 14:04:17 190016 ----a-w- C:\Windows\system32\aswBoot.exe
2011-03-29 06:51:40 . 2011-03-29 06:51:40 -------- d-----w- C:\ProgramData\AVAST Software
2011-03-29 06:51:40 . 2011-03-29 06:51:40 -------- d-----w- C:\Program Files\AVAST Software
2011-03-29 06:06:05 . 2011-04-03 20:29:27 -------- d-----w- C:\TEMP
2011-03-29 05:25:19 . 2011-03-29 05:25:19 -------- d-----w- C:\Users\Karen\AppData\Roaming\Malwarebytes
2011-03-29 05:25:17 . 2011-03-29 05:25:17 -------- d-----w- C:\Users\Karen\AppData\Local\Apple Computer
2011-03-29 05:19:20 . 2011-03-29 05:19:20 -------- d-----w- C:\Program Files\CCleaner
2011-03-28 05:34:25 . 2011-03-30 15:22:59 24416 ----a-w- C:\Windows\system32\drivers\regguard.sys
2011-03-28 05:29:09 . 2011-03-28 05:29:09 39192 ----a-w- C:\Windows\system32\Partizan.exe
2011-03-28 05:29:09 . 2011-03-28 05:29:09 35816 ----a-w- C:\Windows\system32\drivers\Partizan.sys
2011-03-28 05:29:07 . 2011-03-28 05:29:07 2 --shatr- C:\Windows\winstart.bat
2011-03-28 05:29:05 . 2011-03-16 21:50:18 12808 ----a-w- C:\Windows\system32\drivers\UnHackMeDrv.sys
2011-03-27 22:04:32 . 2011-03-27 22:04:32 -------- d-----w- C:\Users\james\AppData\Roaming\Malwarebytes
2011-03-27 22:04:30 . 2011-03-27 22:04:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-03-27 22:04:30 . 2010-12-21 01:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2011-03-27 22:04:27 . 2010-12-21 01:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-03-27 21:45:37 . 2011-03-29 05:16:48 16968 ----a-w- C:\Windows\system32\drivers\hitmanpro35.sys
2011-03-27 21:45:35 . 2011-03-27 21:45:35 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2011-03-27 21:45:15 . 2011-03-27 21:49:15 -------- d-----w- C:\ProgramData\Hitman Pro
2011-03-26 23:14:52 . 2011-03-26 23:14:52 -------- d-----w- C:\Users\james\AppData\Roaming\GARMIN
2011-03-26 23:14:12 . 2011-03-28 02:45:20 -------- d-----w- C:\WebUpdater
2011-03-26 23:13:51 . 2011-03-26 23:14:18 -------- d-----w- C:\Garmin
2011-03-14 16:42:48 . 2011-03-14 16:42:48 -------- d--h--w- C:\ProgramData\Common Files
2011-03-09 17:01:21 . 2011-03-09 17:01:21 -------- d-----w- C:\Program Files\Bonjour


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-02-19 00:36:58 . 2011-02-19 00:36:58 41984 ----a-w- C:\Windows\system32\drivers\usbaapl.sys
2011-02-19 00:36:58 . 2011-02-19 00:36:58 4184352 ----a-w- C:\Windows\system32\usbaaplrc.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04:11 122512 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-14 16:35:34 39408]
"Steam"="F:\Steam\Steam.exe" [2010-12-27 00:20:08 1242448]
"Free Download Manager"="F:\Free Download Manager\fdm.exe" [2009-01-31 10:45:14 3399727]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-14 16:35:33 122880]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-21 03:21:50 7625248]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-11-18 01:50:14 827904]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-30 01:38:18 421888]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 01:17:16 47904]
"iTunesHelper"="F:\iTunes7\iTunesHelper.exe" [2011-03-07 23:33:40 421160]
"Malwarebytes' Anti-Malware (reboot)"="F:\Malwarebytes\mbam.exe" [2010-12-21 01:08:46 963976]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-02-23 14:04:20 3451496]

C:\Users\james\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - F:\MagicDisc\MagicDisc.exe [2011-1-28 576000]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2010-4-18 67128]
Squeezebox Server Tray Tool.lnk - F:\Squeezebox\SqueezeTray.exe [2009-11-12 2351191]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 20:16:28 130384]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:24 136176]
R3 RegGuard;RegGuard;C:\Windows\system32\Drivers\regguard.sys [2011-03-30 15:22:59 24416]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;F:\Sandra Benchmark\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [2009-08-10 20:34:40 93848]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-03-06 11:00:13 1343400]
S0 Partizan;Partizan;C:\Windows\system32\drivers\Partizan.sys [2011-03-28 05:29:09 35816]
S0 SscRdBus;Virtual bus device (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdBus.sys [2009-06-18 16:24:00 67608]
S0 SscRdCls;RAM Disk (SuperSpeed LLC);C:\Windows\system32\DRIVERS\SscRdCls.sys [2007-12-20 02:22:16 40984]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2011-02-23 13:55:03 53592]
S2 SqueezeMySQL;SqueezeMySQL;F:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2010-12-13 21:18:02 4149248]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc

Contents of the 'Scheduled Tasks' folder

2011-04-03 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:30 . 2010-05-30 01:43:24]

2011-04-03 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-30 01:43:30 . 2010-05-30 01:43:24]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://F:\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://F:\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://F:\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://F:\Free Download Manager\dllink.htm
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - C:\Users\james\AppData\Roaming\Mozilla\Firefox\Profiles\wf24yb9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\james\AppData\Roaming\Move Networks
FF - Ext: avast! WebRep: wrc@avast.com - C:\Program Files\AVAST Software\Avast\WebRep\FF


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
f:\UnHackMe\hackmon.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe

**************************************************************************

Completion time: 2011-04-03 13:32:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 20:32:14
ComboFix2.txt 2011-04-03 16:24:51
ComboFix3.txt 2011-03-30 07:22:51

Pre-Run: 38,368,309,248 bytes free
Post-Run: 38,216,839,168 bytes free

- - End Of File - - C413F35C359854AE423669E26AC106ED



