trojan.agent - winrscmde issue

padlinfool · November 14, 2012

I believe my machine (win7 home) is infected with trojan.agent. Any help would be greatly appreciated. Please find attached files per the directions.

MB sees the virus on a quick scan but is unable to remove on reboot.

Thanks in advance!

attach.txt

dds.txt

padlinfool · November 14, 2012

Here are the files posted

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-07.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 6/14/2011 5:33:40 PM

System Uptime: 11/13/2012 6:07:16 PM (1 hours ago)

.

Motherboard: Dell Inc. | | 0Y2MRG

Processor: Intel® Core i5-2300 CPU @ 2.80GHz | CPU 1 | 2801/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 919 GiB total, 747.763 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

I: is FIXED (NTFS) - 228 GiB total, 98.556 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Officejet 6500 E709n

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Officejet 6500 E709n

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Broadcom NetLink Gigabit Ethernet

Device ID: PCI\VEN_14E4&DEV_1691&SUBSYS_04AA1028&REV_01\4&290E7F79&0&00E3

Manufacturer: Broadcom

Name: Broadcom NetLink Gigabit Ethernet

PNP Device ID: PCI\VEN_14E4&DEV_1691&SUBSYS_04AA1028&REV_01\4&290E7F79&0&00E3

Service: k57nd60a

.

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: Officejet 6500 E709n

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: Officejet 6500 E709n

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

.

==== System Restore Points ===================

.

RP192: 11/9/2012 3:00:25 AM - Windows Update

RP193: 11/9/2012 10:19:00 PM - Windows Update

RP194: 11/10/2012 10:44:44 PM - Windows Update

RP195: 11/11/2012 9:54:43 PM - Windows Update

RP196: 11/11/2012 11:10:42 PM - Windows Update

RP197: 11/13/2012 3:00:51 AM - Windows Update

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

6500_E709_eDocs

6500_E709_Help

6500_E709n

7-Zip 9.22beta

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.2

Akamai NetSession Interface

Amazon Cloud Drive

Amazon MP3 Downloader 1.0.15

AOL Mail Toolbar

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Best Buy pc app

Bing Bar

Bing Rewards Client Installer

Bonjour

bpd_scan

BPDSoftware

BPDSoftware_Ini

BufferChm

Compatibility Pack for the 2007 Office system

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Dell Dock

Dell Edoc Viewer

Dell Getting Started Guide

Dell Support Center

Destinations

DeviceDiscovery

DirectX 9 Runtime

DivX Setup

DocMgr

DocProc

Download Updater (AOL LLC)

DW WLAN Card

eReg

Fax

Garmin City Navigator North America v8

Garmin Communicator Plugin

Garmin MapSource

Garmin Training Center

Garmin USB Drivers

Garmin WebUpdater

Google Chrome

Google Earth

Google SketchUp 6

Google SketchUp 6 Exporters

Google SketchUp LayOut 6

Google SketchUp Pro 6

Google SketchUp Pro 8

Google Update Helper

GPBaseService2

GSAK 7.7.4.36 (Final)

Hewlett-Packard ACLM.NET v1.1.0.0

HP Customer Participation Program 14.0

HP Document Manager 2.0

HP Imaging Device Functions 14.0

HP Officejet 6500 E709 Series

HP Product Detection

HP Smart Web Printing 4.60

HP Solution Center 14.0

HP Update

HPDiagnosticAlert

HPProductAssistant

HPSSupply

Intel® Processor Graphics

Intel® Rapid Storage Technology

Internet TV for Windows Media Center

IrfanView (remove only)

iTunes

Java Auto Updater

Java 6 Update 37

Jungle Disk Desktop

Junk Mail filter update

Kernel Outlook PST Viewer ver 11.05.01

Logitech SetPoint 6.30

Malwarebytes Anti-Malware version 1.65.1.1000

MarketResearch

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Click-to-Run 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Student 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Mozilla Thunderbird (3.1.10)

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Multimedia Card Reader

My Trail Maps

NEF Codec

Network64

NEW JERSEY TOPO

NEW YORK TOPO

NORTH CAROLINA TOPO

Norton 360

NVIDIA 3D Vision Controller Driver 306.97

NVIDIA 3D Vision Driver 306.97

NVIDIA Control Panel 306.97

NVIDIA Graphics Driver 306.97

NVIDIA HD Audio Driver 1.3.18.0

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0604

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.10.8

NVIDIA Update Components

OCR Software by I.R.I.S. 14.0

palmOne

Pandora

PENNSYLVANIA TOPO

PhotoShowExpress

ProductContext

QuickBooks

QuickBooks Pro 2010

QuickTime

RBVirtualFolder64Inst

Realtek High Definition Audio Driver

Roxio Activation Module

Roxio BackOnTrack

Roxio Burn

Roxio Creator Starter

Roxio Express Labeler 3

Roxio File Backup

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2553488) 32-Bit Edition

Shop for HP Supplies

SmartWebPrinting

SolutionCenter

Sonic CinePlayer Decoder Pack

Status

Switch Sound File Converter

System Checkup 3.3

THX TruStudio PC

TI Connect 1.6

Toolbox

TrayApp

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598289) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

VC80CRTRedist - 8.0.50727.6195

VIRGINIA TOPO

WavePad Sound Editor

WeatherBug

WebReg

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

Windows Driver Package - Texas Instruments Inc. (SilvrLnk) USB (06/11/2009 1.0.0.0)

Windows Driver Package - Texas Instruments Inc. (TIEHDUSB) USB (09/02/2009 1.0.0.1)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Wise Disk Cleaner 6.15

Wise Registry Cleaner 6.14

.

==== Event Viewer Messages From Past Week ========

.

11/8/2012 6:05:49 AM, Error: Service Control Manager [7022] - The Windows Search service hung on starting.

11/8/2012 10:47:39 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800033876ea, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 110812-47408-01.

11/6/2012 6:15:51 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800030cb405). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 110612-38750-01.

11/13/2012 7:47:00 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800030777ef, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 111312-42479-01.

11/13/2012 3:03:19 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

11/10/2012 7:01:00 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800030cd405). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 111012-40965-01.

.

==== End Of File ===========================

DDS (Ver_2012-11-07.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16450

Run by marc at 19:13:05 on 2012-11-13

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6126.3335 [GMT -5:00]

.

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files (x86)\AWS\WeatherBug\Weather.exe

C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe

C:\Program Files (x86)\Garmin\gStart.exe

C:\Users\marc\AppData\Local\Amazon\Cloud Drive\AmazonCloudDrive.exe

C:\Users\marc\AppData\Local\Akamai\netsession_win.exe

C:\Program Files (x86)\palmOne\Hotsync.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Users\marc\AppData\Local\Amazon\Cloud Drive\jre\bin\javaw.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Users\marc\AppData\Local\Akamai\netsession_win.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

-netsvcs

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.aol.com/?mtmhp=aolmailtoolbar&ncid=hyplognew00000007

uURLSearchHooks: AOL Mail Toolbar Search Class: {98572e47-b5fe-43de-9aea-492a1d3064cd} - C:\Program Files (x86)\AOL Mail Toolbar\aolmailtb.dll

mURLSearchHooks: AOL Mail Toolbar Search Class: {98572e47-b5fe-43de-9aea-492a1d3064cd} - C:\Program Files (x86)\AOL Mail Toolbar\aolmailtb.dll

mWinlogon: Userinit = userinit.exe,

BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ips\ipsbho.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: AOL Mail Toolbar Loader: {fbea8524-8c72-4208-9d12-7fb73e9926eb} - C:\Program Files (x86)\AOL Mail Toolbar\aolmailtb.dll

BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\coieplg.dll

TB: AOL Mail Toolbar: {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - C:\Program Files (x86)\AOL Mail Toolbar\aolmailtb.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [Google Update] "C:\Users\marc\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1

uRun: [gStart] C:\Program Files (x86)\Garmin\gStart.exe

uRun: [Nero MediaHome 4] "C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN

uRun: [Amazon Cloud Drive] C:\Users\marc\AppData\Local\Amazon\Cloud Drive\AmazonCloudDrive.exe

uRun: [Akamai NetSession Interface] "C:\Users\marc\AppData\Local\Akamai\netsession_win.exe"

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r

mRun: [updReg] C:\Windows\UpdReg.EXE

mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\marc\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HOTSYN~1.LNK - C:\Program Files (x86)\palmOne\Hotsync.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\JUNGLE~1.LNK - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:255

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{031C83FD-49C1-42B5-8A73-747024A63E96} : DHCPNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

x64-BHO: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [RunDLLEntry_THXCfg] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64

x64-Run: [RunDLLEntry_EptMon] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\EptMon64.dll,RunDLLEntry EptMon64

x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - <orphaned>

x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

x64-SSODL: WebCheck - <orphaned>

x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll

x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-4-15 55856]

R0 SMR311;Symantec SMR Utility Service 3.1.1;C:\Windows\System32\drivers\SMR311.SYS [2012-11-13 95392]

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0604000.009\symds64.sys [2012-10-1 451192]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0604000.009\symefa64.sys [2012-10-1 1129120]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\BASHDefs\20121030.002\BHDrvx64.sys [2012-11-5 1385632]

R1 cbfs3;cbfs3;C:\Windows\System32\drivers\cbfs3.sys [2011-6-17 321424]

R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\drivers\N360x64\0604000.009\ccsetx64.sys [2012-10-1 167072]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\IPSDefs\20121110.005\IDSviA64.sys [2012-11-12 513184]

R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0604000.009\ironx64.sys [2012-10-1 190072]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\0604000.009\symnets.sys [2012-10-1 405624]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-4-15 13336]

R2 JungleDiskService;JungleDiskService;C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-15 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-15 676936]

R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccsvchst.exe [2012-10-1 138272]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-2 382824]

R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-27 138912]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-4-16 317440]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-12-22 25928]

R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S3 AceecaUSBDx64;AceecaUSBDx64;C:\Windows\System32\drivers\AceecaUSBDx64.sys [2011-4-5 66552]

S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-4-16 158976]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-4-16 406056]

S3 pmxdrv;pmxdrv;C:\Windows\System32\drivers\pmxdrv.sys [2012-10-1 31152]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-7 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-20 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-11-13 23:04:02 95392 ----a-w- C:\Windows\System32\drivers\SMR311.SYS

2012-11-13 23:03:56 -------- d-----w- C:\Users\marc\AppData\Local\NPE

2012-11-13 13:19:59 -------- d-----w- C:\Users\marc\AppData\Local\{BE20085D-AEEB-41A2-8AA6-84F77DC8F87C}

2012-11-13 12:47:56 20480 ----a-w- C:\Windows\svchost.exe

2012-11-13 01:13:11 -------- d-----w- C:\Users\marc\AppData\Local\{F936E1EC-ED26-4E53-926E-C64FA3111BBD}

2012-11-12 13:12:59 -------- d-----w- C:\Users\marc\AppData\Local\{0B709638-E96E-4843-AF6D-4B2435E1A9E0}

2012-11-12 01:12:35 -------- d-----w- C:\Users\marc\AppData\Local\{A73CA647-2222-4388-8D73-B209DBCD3C81}

2012-11-11 13:12:11 -------- d-----w- C:\Users\marc\AppData\Local\{44F1986D-1B84-46BC-A92F-E3C7BD01D7A5}

2012-11-11 01:11:46 -------- d-----w- C:\Users\marc\AppData\Local\{B8E77B9B-95D7-4EF2-91D4-71CE794EEE53}

2012-11-10 13:11:35 -------- d-----w- C:\Users\marc\AppData\Local\{624415A6-CEBD-4292-A9AB-0F6E7D1EAA29}

2012-11-10 01:11:10 -------- d-----w- C:\Users\marc\AppData\Local\{AC283FAB-0989-4D2D-A747-7BEB5642F37F}

2012-11-09 13:10:59 -------- d-----w- C:\Users\marc\AppData\Local\{65D45389-7933-41C6-A66A-F133CF896966}

2012-11-09 01:10:34 -------- d-----w- C:\Users\marc\AppData\Local\{232BA210-4F68-4AAA-8113-EE9B5EF7805C}

2012-11-08 13:10:23 -------- d-----w- C:\Users\marc\AppData\Local\{62304DE3-AA5A-49E8-A71F-F3929E0D988D}

2012-11-08 01:09:58 -------- d-----w- C:\Users\marc\AppData\Local\{E07C2D5F-C2F4-4B71-8925-5676D4F1BE72}

2012-11-07 13:09:47 -------- d-----w- C:\Users\marc\AppData\Local\{785E0BEA-0A98-4DA2-927F-F4EFCC363C50}

2012-11-07 01:09:22 -------- d-----w- C:\Users\marc\AppData\Local\{5AFDE9CA-9810-4839-94D3-A7FE3E1ACD73}

2012-11-06 12:48:54 -------- d-----w- C:\Users\marc\AppData\Local\{E7702B40-0DFF-4E79-BD76-154C41EB486C}

2012-11-05 23:39:11 -------- d-----w- C:\Users\marc\AppData\Local\{66C42C16-EFFB-4EE8-B629-F4B75DA5F64D}

2012-10-29 20:57:10 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation

2012-10-29 11:54:47 -------- d-----w- C:\Users\marc\AppData\Local\{8C688A9B-C33E-4E1F-8187-5CC11D0B39D2}

2012-10-28 23:54:22 -------- d-----w- C:\Users\marc\AppData\Local\{42CD7F13-D649-4DE0-931F-98F23A8837CC}

2012-10-28 11:54:11 -------- d-----w- C:\Users\marc\AppData\Local\{3F6AD1D8-D86D-4E59-AAA8-DA02163546E5}

2012-10-27 16:18:39 -------- d-----w- C:\Users\marc\AppData\Local\{AA663234-C9B1-4FEA-94D9-DA79DEFF3D47}

2012-10-27 11:50:36 -------- d-----w- C:\Users\marc\AppData\Local\{5A489831-8D63-45ED-BEE6-3133514ECF82}

2012-10-26 23:11:28 -------- d-----w- C:\Users\marc\AppData\Local\{039A4489-FE77-4EA0-B2D1-3E83BA8FA2DA}

2012-10-26 10:49:50 -------- d-----w- C:\Users\marc\AppData\Local\{F4460B76-E784-486C-B61E-E775239FDBD6}

2012-10-25 22:13:36 -------- d-----w- C:\Users\marc\AppData\Local\{5E73D0BA-3AF5-4A4F-ADBA-A92CBBD6F3BC}

2012-10-25 10:13:24 -------- d-----w- C:\Users\marc\AppData\Local\{9359F8E9-EB24-4D40-BBA0-6A4BF63A7D68}

2012-10-24 22:10:27 -------- d-----w- C:\Users\marc\AppData\Local\{158A3A9F-6F59-41CC-95DB-8175FCDF200C}

2012-10-24 10:10:38 -------- d-----w- C:\Users\marc\AppData\Local\{566A0607-37F8-4B48-9892-634F4739F2E7}

2012-10-23 22:06:51 -------- d-----w- C:\Users\marc\AppData\Local\{7F5807BD-F8A4-4760-B081-9736C89F52DB}

2012-10-23 10:06:36 -------- d-----w- C:\Users\marc\AppData\Local\{A9B7AD7B-44F0-4B8C-A514-BC6585CF4366}

2012-10-22 13:55:13 -------- d-----w- C:\Users\marc\AppData\Local\{E3D518BD-FAAC-4B5B-952C-52B4A6186CCD}

2012-10-22 01:54:48 -------- d-----w- C:\Users\marc\AppData\Local\{D8FEE3FB-CA44-449C-AF1B-F5A03C805957}

2012-10-21 13:54:36 -------- d-----w- C:\Users\marc\AppData\Local\{9EE8C1AA-64FA-4DFA-8C79-B8D85FB8C574}

2012-10-21 01:54:11 -------- d-----w- C:\Users\marc\AppData\Local\{3D9B37B3-2DC8-4985-B8DD-F4EEAB54BE9E}

2012-10-20 13:54:00 -------- d-----w- C:\Users\marc\AppData\Local\{E4ECE40C-C635-44B9-A932-8E134670C96E}

2012-10-20 11:21:20 -------- d-----w- C:\Users\marc\AppData\Local\{E87D9926-E6DC-4A4A-B748-B3C6301FA0FD}

2012-10-19 23:15:52 -------- d-----w- C:\Users\marc\AppData\Local\{281C6FBE-E983-42B7-B3E5-8E98A3F226D4}

2012-10-19 11:15:40 -------- d-----w- C:\Users\marc\AppData\Local\{C3490239-EED7-43D0-A636-2EEA82B03900}

2012-10-18 23:15:16 -------- d-----w- C:\Users\marc\AppData\Local\{DA2BA885-DD73-4D25-B2BC-D547AC4E6DA4}

2012-10-18 10:13:31 -------- d-----w- C:\Users\marc\AppData\Local\{512733CE-69F4-40CD-B815-2CAD05E7FF4A}

2012-10-17 22:12:46 -------- d-----w- C:\Users\marc\AppData\Local\{C90D2E3A-B0B2-4194-9409-42F8396672E8}

2012-10-17 10:12:21 -------- d-----w- C:\Users\marc\AppData\Local\{13102ED3-57D7-400A-8049-BB0002CA17B9}

2012-10-16 22:10:30 -------- d-----w- C:\Users\marc\AppData\Local\{EDD0BCF3-037A-4659-92CD-7F0EAAF1F255}

2012-10-16 10:09:58 -------- d-----w- C:\Users\marc\AppData\Local\{95747659-8677-4A72-A627-B05820BA3AB8}

2012-10-15 14:07:10 -------- d-----w- C:\Users\marc\AppData\Local\{3C0495F4-C31D-4763-AF9D-892CE0A4A196}

2012-10-15 02:06:46 -------- d-----w- C:\Users\marc\AppData\Local\{560D03B1-1836-4A3D-9B5D-ABF00D8B1A41}

.

==================== Find3M ====================

.

2012-10-27 13:05:36 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys

2012-10-09 14:40:10 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-09 14:40:10 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-10-02 19:51:15 3536817 ----a-w- C:\Windows\System32\nvcoproc.bin

2012-10-02 19:51:11 3293544 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-10-02 19:51:04 6200680 ----a-w- C:\Windows\System32\nvcpl.dll

2012-10-02 19:50:57 891240 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-10-02 19:50:57 63336 ----a-w- C:\Windows\System32\nvshext.dll

2012-10-02 19:50:57 118120 ----a-w- C:\Windows\System32\nvmctray.dll

2012-10-02 17:15:52 430952 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

2012-10-02 00:04:39 74703 ----a-w- C:\Windows\SysWow64\mfc45.dll

2012-10-02 00:00:15 31152 ----a-w- C:\Windows\System32\drivers\pmxdrv.sys

2012-10-01 22:03:35 0 ----a-w- C:\Windows\invcol.tmp

2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-24 19:32:24 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2012-09-24 19:32:20 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 19:13:22.23 ===============

MrCharlie · November 14, 2012

Welcome to the forum.

Please create a new system restore point before running Malwarebytes Anti-Malware.

Download Malwarebytes Anti-Rootkit from HERE

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

MrC

padlinfool · November 14, 2012

Thanks so much,

it appears to have worked....very easy..... See logs below. There are 2 mbar-log.txt logs.

Norton360 also processed a security risk Trojan.Dropper during the cleanup process. The log for that is also posted below.

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_37

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.793000 GHz

Memory total: 6424055808, free: 2950250496

------------ Kernel report ------------

11/13/2012 21:38:58

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\SMR311.SYS

\SystemRoot\System32\drivers\FLTMGR.SYS

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\iaStor.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\SYMEFA64.SYS

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\ccSetx64.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\Ironx64.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\SystemRoot\system32\drivers\N360x64\0604000.009\SRTSPX64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\??\C:\Windows\system32\drivers\cbfs3.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\BASHDefs\20121030.002\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\drivers\usbehci.sys

\SystemRoot\system32\drivers\USBPORT.SYS

\SystemRoot\system32\DRIVERS\bcmwl664.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\LUsbFilt.Sys

\SystemRoot\system32\DRIVERS\LHidFilt.Sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\LMouFilt.Sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\System32\Drivers\N360x64\0604000.009\SRTSP64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\VirusDefs\20121113.002\EX64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\VirusDefs\20121113.002\ENG64.SYS

\SystemRoot\system32\DRIVERS\k57nd60a.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\IPSDefs\20121113.004\IDSvia64.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\setupapi.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR5

Upper Device Object: 0xfffffa80099ec060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000084\

Lower Device Object: 0xfffffa8009782b60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xfffffa800999a790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000083\

Lower Device Object: 0xfffffa800977db60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xfffffa8009923060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000082\

Lower Device Object: 0xfffffa8009775b60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa8009900790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000081\

Lower Device Object: 0xfffffa800977eb60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80078bd060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-2\

Lower Device Object: 0xfffffa8005a05050

Lower Device Driver Name: \Driver\iaStor\

Extracting driver name by original object failed

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80078bc060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xfffffa8005a03050

Lower Device Driver Name: \00000406\

Driver name found: iaStor

Downloaded database version: v2012.11.13.09

Downloaded database version: v2012.11.12.01

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80078bc060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80077238f0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80078bc060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005a03050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \00000406\

------------ End ----------

Upper DeviceData: 0xfffff8a0206e18b0, 0xfffffa80078bc060, 0xfffffa8010b6e330

Lower DeviceData: 0xfffff8a01d76e9b0, 0xfffffa8005a03050, 0xfffffa80082289d0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

MBR is forged!

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: CB59CF0B

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 45 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 1 on drive 0 ...

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 81920 Numsec = 25686016

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 25767936 Numsec = 1927753728

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-44-1953505168-1953525168)...

Sector 1953524731 --> [Forged physical sector]

Sector 1953524732 --> [Forged physical sector]

Sector 1953524733 --> [Forged physical sector]

Sector 1953524734 --> [Forged physical sector]

Sector 1953524735 --> [Forged physical sector]

Sector 1953524736 --> [Forged physical sector]

Sector 1953524737 --> [Forged physical sector]

Sector 1953524738 --> [Forged physical sector]

Sector 1953524739 --> [Forged physical sector]

Sector 1953524740 --> [Forged physical sector]

Sector 1953524741 --> [Forged physical sector]

Sector 1953524742 --> [Forged physical sector]

Sector 1953524743 --> [Forged physical sector]

Sector 1953524744 --> [Forged physical sector]

Sector 1953524745 --> [Forged physical sector]

Sector 1953524746 --> [Forged physical sector]

Sector 1953524747 --> [Forged physical sector]

Sector 1953524748 --> [Forged physical sector]

Sector 1953524749 --> [Forged physical sector]

Sector 1953524750 --> [Forged physical sector]

Sector 1953524751 --> [Forged physical sector]

Sector 1953524752 --> [Forged physical sector]

Sector 1953524753 --> [Forged physical sector]

Sector 1953524754 --> [Forged physical sector]

Sector 1953524755 --> [Forged physical sector]

Sector 1953524756 --> [Forged physical sector]

Sector 1953524757 --> [Forged physical sector]

Sector 1953524758 --> [Forged physical sector]

Sector 1953524759 --> [Forged physical sector]

Sector 1953524760 --> [Forged physical sector]

Sector 1953524761 --> [Forged physical sector]

Sector 1953524762 --> [Forged physical sector]

Sector 1953524763 --> [Forged physical sector]

Sector 1953524764 --> [Forged physical sector]

Sector 1953524765 --> [Forged physical sector]

Sector 1953524766 --> [Forged physical sector]

Sector 1953524767 --> [Forged physical sector]

Sector 1953524768 --> [Forged physical sector]

Sector 1953524769 --> [Forged physical sector]

Sector 1953524770 --> [Forged physical sector]

Sector 1953524771 --> [Forged physical sector]

Sector 1953524772 --> [Forged physical sector]

Sector 1953524773 --> [Forged physical sector]

Sector 1953524774 --> [Forged physical sector]

Sector 1953524775 --> [Forged physical sector]

Sector 1953524776 --> [Forged physical sector]

Sector 1953524777 --> [Forged physical sector]

Sector 1953524778 --> [Forged physical sector]

Sector 1953524779 --> [Forged physical sector]

Sector 1953524780 --> [Forged physical sector]

Sector 1953524781 --> [Forged physical sector]

Sector 1953524782 --> [Forged physical sector]

Sector 1953524783 --> [Forged physical sector]

Sector 1953524784 --> [Forged physical sector]

Sector 1953524785 --> [Forged physical sector]

Sector 1953524786 --> [Forged physical sector]

Sector 1953524787 --> [Forged physical sector]

Sector 1953524788 --> [Forged physical sector]

Sector 1953524789 --> [Forged physical sector]

Sector 1953524790 --> [Forged physical sector]

Sector 1953524791 --> [Forged physical sector]

Sector 1953524792 --> [Forged physical sector]

Sector 1953524793 --> [Forged physical sector]

Sector 1953524794 --> [Forged physical sector]

Sector 1953524795 --> [Forged physical sector]

Sector 1953524796 --> [Forged physical sector]

Sector 1953524797 --> [Forged physical sector]

Sector 1953524798 --> [Forged physical sector]

Sector 1953524799 --> [Forged physical sector]

Sector 1953524800 --> [Forged physical sector]

Sector 1953524801 --> [Forged physical sector]

Sector 1953524802 --> [Forged physical sector]

Sector 1953524803 --> [Forged physical sector]

Sector 1953524804 --> [Forged physical sector]

Sector 1953524805 --> [Forged physical sector]

Sector 1953524806 --> [Forged physical sector]

Sector 1953524807 --> [Forged physical sector]

Sector 1953524808 --> [Forged physical sector]

Sector 1953524809 --> [Forged physical sector]

Sector 1953524810 --> [Forged physical sector]

Sector 1953524811 --> [Forged physical sector]

Sector 1953524812 --> [Forged physical sector]

Sector 1953524813 --> [Forged physical sector]

Sector 1953524814 --> [Forged physical sector]

Sector 1953524815 --> [Forged physical sector]

Sector 1953524816 --> [Forged physical sector]

Sector 1953524817 --> [Forged physical sector]

Sector 1953524818 --> [Forged physical sector]

Sector 1953524819 --> [Forged physical sector]

Sector 1953524820 --> [Forged physical sector]

Sector 1953524821 --> [Forged physical sector]

Sector 1953524822 --> [Forged physical sector]

Sector 1953524823 --> [Forged physical sector]

Sector 1953524824 --> [Forged physical sector]

Sector 1953524825 --> [Forged physical sector]

Sector 1953524826 --> [Forged physical sector]

Sector 1953524827 --> [Forged physical sector]

Sector 1953524828 --> [Forged physical sector]

Sector 1953524829 --> [Forged physical sector]

Sector 1953524830 --> [Forged physical sector]

Sector 1953524831 --> [Forged physical sector]

Sector 1953524832 --> [Forged physical sector]

Sector 1953524833 --> [Forged physical sector]

Sector 1953524834 --> [Forged physical sector]

Sector 1953524835 --> [Forged physical sector]

Sector 1953524836 --> [Forged physical sector]

Sector 1953524837 --> [Forged physical sector]

Sector 1953524838 --> [Forged physical sector]

Sector 1953524839 --> [Forged physical sector]

Sector 1953524840 --> [Forged physical sector]

Sector 1953524841 --> [Forged physical sector]

Sector 1953524842 --> [Forged physical sector]

Sector 1953524843 --> [Forged physical sector]

Sector 1953524844 --> [Forged physical sector]

Sector 1953524845 --> [Forged physical sector]

Sector 1953524846 --> [Forged physical sector]

Sector 1953524847 --> [Forged physical sector]

Sector 1953524848 --> [Forged physical sector]

Sector 1953524849 --> [Forged physical sector]

Sector 1953524850 --> [Forged physical sector]

Sector 1953524851 --> [Forged physical sector]

Sector 1953524852 --> [Forged physical sector]

Sector 1953524853 --> [Forged physical sector]

Sector 1953524854 --> [Forged physical sector]

Sector 1953524855 --> [Forged physical sector]

Sector 1953524856 --> [Forged physical sector]

Sector 1953524857 --> [Forged physical sector]

Sector 1953524858 --> [Forged physical sector]

Sector 1953524859 --> [Forged physical sector]

Sector 1953524860 --> [Forged physical sector]

Sector 1953524861 --> [Forged physical sector]

Sector 1953524862 --> [Forged physical sector]

Sector 1953524863 --> [Forged physical sector]

Sector 1953524864 --> [Forged physical sector]

Sector 1953524865 --> [Forged physical sector]

Sector 1953524866 --> [Forged physical sector]

Sector 1953524867 --> [Forged physical sector]

Sector 1953524868 --> [Forged physical sector]

Sector 1953524869 --> [Forged physical sector]

Sector 1953524870 --> [Forged physical sector]

Sector 1953524871 --> [Forged physical sector]

Sector 1953524872 --> [Forged physical sector]

Sector 1953524873 --> [Forged physical sector]

Sector 1953524874 --> [Forged physical sector]

Sector 1953524875 --> [Forged physical sector]

Sector 1953524876 --> [Forged physical sector]

Sector 1953524877 --> [Forged physical sector]

Sector 1953524878 --> [Forged physical sector]

Sector 1953524879 --> [Forged physical sector]

Sector 1953524880 --> [Forged physical sector]

Sector 1953524881 --> [Forged physical sector]

Sector 1953524882 --> [Forged physical sector]

Sector 1953524883 --> [Forged physical sector]

Sector 1953524884 --> [Forged physical sector]

Sector 1953524885 --> [Forged physical sector]

Sector 1953524886 --> [Forged physical sector]

Sector 1953524887 --> [Forged physical sector]

Sector 1953524888 --> [Forged physical sector]

Sector 1953524889 --> [Forged physical sector]

Sector 1953524890 --> [Forged physical sector]

Sector 1953524891 --> [Forged physical sector]

Sector 1953524892 --> [Forged physical sector]

Sector 1953524893 --> [Forged physical sector]

Sector 1953524894 --> [Forged physical sector]

Sector 1953524895 --> [Forged physical sector]

Sector 1953524896 --> [Forged physical sector]

Sector 1953524897 --> [Forged physical sector]

Sector 1953524898 --> [Forged physical sector]

Sector 1953524899 --> [Forged physical sector]

Sector 1953524900 --> [Forged physical sector]

Sector 1953524901 --> [Forged physical sector]

Sector 1953524902 --> [Forged physical sector]

Sector 1953524903 --> [Forged physical sector]

Sector 1953524904 --> [Forged physical sector]

Sector 1953524905 --> [Forged physical sector]

Sector 1953524906 --> [Forged physical sector]

Sector 1953524907 --> [Forged physical sector]

Sector 1953524908 --> [Forged physical sector]

Sector 1953524909 --> [Forged physical sector]

Sector 1953524910 --> [Forged physical sector]

Sector 1953524911 --> [Forged physical sector]

Sector 1953524912 --> [Forged physical sector]

Sector 1953524913 --> [Forged physical sector]

Sector 1953524914 --> [Forged physical sector]

Sector 1953524915 --> [Forged physical sector]

Sector 1953524916 --> [Forged physical sector]

Sector 1953524917 --> [Forged physical sector]

Sector 1953524918 --> [Forged physical sector]

Sector 1953524919 --> [Forged physical sector]

Sector 1953524920 --> [Forged physical sector]

Sector 1953524921 --> [Forged physical sector]

Sector 1953524922 --> [Forged physical sector]

Sector 1953524923 --> [Forged physical sector]

Sector 1953524924 --> [Forged physical sector]

Sector 1953524925 --> [Forged physical sector]

Sector 1953524926 --> [Forged physical sector]

Sector 1953524927 --> [Forged physical sector]

Sector 1953524928 --> [Forged physical sector]

Sector 1953524929 --> [Forged physical sector]

Sector 1953524930 --> [Forged physical sector]

Sector 1953524931 --> [Forged physical sector]

Sector 1953524932 --> [Forged physical sector]

Sector 1953524933 --> [Forged physical sector]

Sector 1953524934 --> [Forged physical sector]

Sector 1953524935 --> [Forged physical sector]

Sector 1953524936 --> [Forged physical sector]

Sector 1953524937 --> [Forged physical sector]

Sector 1953524938 --> [Forged physical sector]

Sector 1953524939 --> [Forged physical sector]

Sector 1953524940 --> [Forged physical sector]

Sector 1953524941 --> [Forged physical sector]

Sector 1953524942 --> [Forged physical sector]

Sector 1953524943 --> [Forged physical sector]

Sector 1953524944 --> [Forged physical sector]

Sector 1953524945 --> [Forged physical sector]

Sector 1953524946 --> [Forged physical sector]

Sector 1953524947 --> [Forged physical sector]

Sector 1953524948 --> [Forged physical sector]

Sector 1953524949 --> [Forged physical sector]

Sector 1953524950 --> [Forged physical sector]

Sector 1953524951 --> [Forged physical sector]

Sector 1953524952 --> [Forged physical sector]

Sector 1953524953 --> [Forged physical sector]

Sector 1953524954 --> [Forged physical sector]

Sector 1953524955 --> [Forged physical sector]

Sector 1953524956 --> [Forged physical sector]

Sector 1953524957 --> [Forged physical sector]

Sector 1953524958 --> [Forged physical sector]

Sector 1953524959 --> [Forged physical sector]

Sector 1953524960 --> [Forged physical sector]

Sector 1953524961 --> [Forged physical sector]

Sector 1953524962 --> [Forged physical sector]

Sector 1953524963 --> [Forged physical sector]

Sector 1953524964 --> [Forged physical sector]

Sector 1953524965 --> [Forged physical sector]

Sector 1953524966 --> [Forged physical sector]

Sector 1953524967 --> [Forged physical sector]

Sector 1953524968 --> [Forged physical sector]

Sector 1953524969 --> [Forged physical sector]

Sector 1953524970 --> [Forged physical sector]

Sector 1953524971 --> [Forged physical sector]

Sector 1953524972 --> [Forged physical sector]

Sector 1953524973 --> [Forged physical sector]

Sector 1953524974 --> [Forged physical sector]

Sector 1953524975 --> [Forged physical sector]

Sector 1953524976 --> [Forged physical sector]

Sector 1953524977 --> [Forged physical sector]

Sector 1953524978 --> [Forged physical sector]

Sector 1953524979 --> [Forged physical sector]

Sector 1953524980 --> [Forged physical sector]

Sector 1953524981 --> [Forged physical sector]

Sector 1953524982 --> [Forged physical sector]

Sector 1953524983 --> [Forged physical sector]

Sector 1953524984 --> [Forged physical sector]

Sector 1953524985 --> [Forged physical sector]

Sector 1953524986 --> [Forged physical sector]

Sector 1953524987 --> [Forged physical sector]

Sector 1953524988 --> [Forged physical sector]

Sector 1953524989 --> [Forged physical sector]

Sector 1953524990 --> [Forged physical sector]

Sector 1953524991 --> [Forged physical sector]

Sector 1953524992 --> [Forged physical sector]

Sector 1953524993 --> [Forged physical sector]

Sector 1953524994 --> [Forged physical sector]

Sector 1953524995 --> [Forged physical sector]

Sector 1953524996 --> [Forged physical sector]

Sector 1953524997 --> [Forged physical sector]

Sector 1953524998 --> [Forged physical sector]

Sector 1953524999 --> [Forged physical sector]

Sector 1953525000 --> [Forged physical sector]

Sector 1953525001 --> [Forged physical sector]

Sector 1953525002 --> [Forged physical sector]

Sector 1953525003 --> [Forged physical sector]

Sector 1953525004 --> [Forged physical sector]

Sector 1953525005 --> [Forged physical sector]

Sector 1953525006 --> [Forged physical sector]

Sector 1953525007 --> [Forged physical sector]

Sector 1953525008 --> [Forged physical sector]

Sector 1953525009 --> [Forged physical sector]

Sector 1953525010 --> [Forged physical sector]

Sector 1953525011 --> [Forged physical sector]

Sector 1953525012 --> [Forged physical sector]

Sector 1953525013 --> [Forged physical sector]

Sector 1953525014 --> [Forged physical sector]

Sector 1953525015 --> [Forged physical sector]

Sector 1953525016 --> [Forged physical sector]

Sector 1953525017 --> [Forged physical sector]

Sector 1953525018 --> [Forged physical sector]

Sector 1953525019 --> [Forged physical sector]

Sector 1953525020 --> [Forged physical sector]

Sector 1953525021 --> [Forged physical sector]

Sector 1953525022 --> [Forged physical sector]

Sector 1953525023 --> [Forged physical sector]

Sector 1953525024 --> [Forged physical sector]

Sector 1953525025 --> [Forged physical sector]

Sector 1953525026 --> [Forged physical sector]

Sector 1953525027 --> [Forged physical sector]

Sector 1953525028 --> [Forged physical sector]

Sector 1953525029 --> [Forged physical sector]

Sector 1953525030 --> [Forged physical sector]

Sector 1953525031 --> [Forged physical sector]

Sector 1953525032 --> [Forged physical sector]

Sector 1953525033 --> [Forged physical sector]

Sector 1953525034 --> [Forged physical sector]

Sector 1953525035 --> [Forged physical sector]

Sector 1953525036 --> [Forged physical sector]

Sector 1953525037 --> [Forged physical sector]

Sector 1953525038 --> [Forged physical sector]

Sector 1953525039 --> [Forged physical sector]

Sector 1953525040 --> [Forged physical sector]

Sector 1953525041 --> [Forged physical sector]

Sector 1953525042 --> [Forged physical sector]

Sector 1953525043 --> [Forged physical sector]

Sector 1953525044 --> [Forged physical sector]

Sector 1953525045 --> [Forged physical sector]

Sector 1953525046 --> [Forged physical sector]

Sector 1953525047 --> [Forged physical sector]

Sector 1953525048 --> [Forged physical sector]

Sector 1953525049 --> [Forged physical sector]

Sector 1953525050 --> [Forged physical sector]

Sector 1953525051 --> [Forged physical sector]

Sector 1953525052 --> [Forged physical sector]

Sector 1953525053 --> [Forged physical sector]

Sector 1953525054 --> [Forged physical sector]

Sector 1953525055 --> [Forged physical sector]

Sector 1953525056 --> [Forged physical sector]

Sector 1953525057 --> [Forged physical sector]

Sector 1953525058 --> [Forged physical sector]

Sector 1953525059 --> [Forged physical sector]

Sector 1953525060 --> [Forged physical sector]

Sector 1953525061 --> [Forged physical sector]

Sector 1953525062 --> [Forged physical sector]

Sector 1953525063 --> [Forged physical sector]

Sector 1953525064 --> [Forged physical sector]

Sector 1953525065 --> [Forged physical sector]

Sector 1953525066 --> [Forged physical sector]

Sector 1953525067 --> [Forged physical sector]

Sector 1953525068 --> [Forged physical sector]

Sector 1953525069 --> [Forged physical sector]

Sector 1953525070 --> [Forged physical sector]

Sector 1953525071 --> [Forged physical sector]

Sector 1953525072 --> [Forged physical sector]

Sector 1953525073 --> [Forged physical sector]

Sector 1953525074 --> [Forged physical sector]

Sector 1953525075 --> [Forged physical sector]

Sector 1953525076 --> [Forged physical sector]

Sector 1953525077 --> [Forged physical sector]

Sector 1953525078 --> [Forged physical sector]

Sector 1953525079 --> [Forged physical sector]

Sector 1953525080 --> [Forged physical sector]

Sector 1953525081 --> [Forged physical sector]

Sector 1953525082 --> [Forged physical sector]

Sector 1953525083 --> [Forged physical sector]

Sector 1953525084 --> [Forged physical sector]

Sector 1953525085 --> [Forged physical sector]

Sector 1953525086 --> [Forged physical sector]

Sector 1953525087 --> [Forged physical sector]

Sector 1953525088 --> [Forged physical sector]

Sector 1953525089 --> [Forged physical sector]

Sector 1953525090 --> [Forged physical sector]

Sector 1953525091 --> [Forged physical sector]

Sector 1953525092 --> [Forged physical sector]

Sector 1953525093 --> [Forged physical sector]

Sector 1953525094 --> [Forged physical sector]

Sector 1953525095 --> [Forged physical sector]

Sector 1953525096 --> [Forged physical sector]

Sector 1953525097 --> [Forged physical sector]

Sector 1953525098 --> [Forged physical sector]

Sector 1953525099 --> [Forged physical sector]

Sector 1953525100 --> [Forged physical sector]

Sector 1953525101 --> [Forged physical sector]

Sector 1953525102 --> [Forged physical sector]

Sector 1953525103 --> [Forged physical sector]

Sector 1953525104 --> [Forged physical sector]

Sector 1953525105 --> [Forged physical sector]

Sector 1953525106 --> [Forged physical sector]

Sector 1953525107 --> [Forged physical sector]

Sector 1953525108 --> [Forged physical sector]

Sector 1953525109 --> [Forged physical sector]

Sector 1953525110 --> [Forged physical sector]

Sector 1953525111 --> [Forged physical sector]

Sector 1953525112 --> [Forged physical sector]

Sector 1953525113 --> [Forged physical sector]

Sector 1953525114 --> [Forged physical sector]

Sector 1953525115 --> [Forged physical sector]

Sector 1953525116 --> [Forged physical sector]

Sector 1953525117 --> [Forged physical sector]

Sector 1953525118 --> [Forged physical sector]

Sector 1953525119 --> [Forged physical sector]

Sector 1953525120 --> [Forged physical sector]

Sector 1953525121 --> [Forged physical sector]

Sector 1953525122 --> [Forged physical sector]

Sector 1953525123 --> [Forged physical sector]

Sector 1953525124 --> [Forged physical sector]

Sector 1953525125 --> [Forged physical sector]

Sector 1953525126 --> [Forged physical sector]

Sector 1953525127 --> [Forged physical sector]

Sector 1953525128 --> [Forged physical sector]

Sector 1953525129 --> [Forged physical sector]

Sector 1953525130 --> [Forged physical sector]

Sector 1953525131 --> [Forged physical sector]

Sector 1953525132 --> [Forged physical sector]

Sector 1953525133 --> [Forged physical sector]

Sector 1953525134 --> [Forged physical sector]

Sector 1953525135 --> [Forged physical sector]

Sector 1953525136 --> [Forged physical sector]

Sector 1953525137 --> [Forged physical sector]

Sector 1953525138 --> [Forged physical sector]

Sector 1953525139 --> [Forged physical sector]

Sector 1953525140 --> [Forged physical sector]

Sector 1953525141 --> [Forged physical sector]

Sector 1953525142 --> [Forged physical sector]

Sector 1953525143 --> [Forged physical sector]

Sector 1953525144 --> [Forged physical sector]

Sector 1953525145 --> [Forged physical sector]

Sector 1953525146 --> [Forged physical sector]

Sector 1953525147 --> [Forged physical sector]

Sector 1953525148 --> [Forged physical sector]

Sector 1953525149 --> [Forged physical sector]

Sector 1953525150 --> [Forged physical sector]

Sector 1953525151 --> [Forged physical sector]

Sector 1953525152 --> [Forged physical sector]

Sector 1953525153 --> [Forged physical sector]

Sector 1953525154 --> [Forged physical sector]

Sector 1953525155 --> [Forged physical sector]

Sector 1953525156 --> [Forged physical sector]

Sector 1953525157 --> [Forged physical sector]

Sector 1953525158 --> [Forged physical sector]

Sector 1953525159 --> [Forged physical sector]

Sector 1953525160 --> [Forged physical sector]

Sector 1953525161 --> [Forged physical sector]

Sector 1953525162 --> [Forged physical sector]

Sector 1953525163 --> [Forged physical sector]

Sector 1953525164 --> [Forged physical sector]

Sector 1953525165 --> [Forged physical sector]

Sector 1953525166 --> [Forged physical sector]

Sector 1953525167 --> [Forged physical sector]

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80078bd060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80078bdb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80078bd060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005a05050, DeviceName: \Device\Ide\IAAStorageDevice-2\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xfffff8a012caf680, 0xfffffa80078bd060, 0xfffffa80117d5090

Lower DeviceData: 0xfffff8a01eef1620, 0xfffffa8005a05050, 0xfffffa8011b9c210

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: EB275B50

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 96390 Numsec = 478415700

Partition file system is NTFS

Partition is bootable

Partition 2 type is Other (0xdb)

Partition is NOT ACTIVE.

Partition starts at LBA: 478528155 Numsec = 9735390

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 250000000000 bytes

Sector size: 512 bytes

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xfffffa8009900790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009781a50, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009900790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800977eb60, DeviceName: \Device\00000081\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xfffffa8009923060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009783b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009923060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009775b60, DeviceName: \Device\00000082\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xfffffa800999a790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800977fb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800999a790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800977db60, DeviceName: \Device\00000083\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 5, DevicePointer: 0xfffffa80099ec060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80099ecb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80099ec060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009782b60, DeviceName: \Device\00000084\, DriverName: \Driver\USBSTOR\

------------ End ----------

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\delldock.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\Best Buy pc app Setup.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\instance.dat" is compressed (flags = 1)

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

BCD Entry for BOOTEMS is missing

Malicious Entry 26000022 for BOOTEMS present!

Removal scheduling successful. System shutdown needed.

System shutdown occured

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_37

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.793000 GHz

Memory total: 6424055808, free: 5182767104

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_37

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.793000 GHz

Memory total: 6424055808, free: 4646629376

------------ Kernel report ------------

11/13/2012 21:57:26

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\FLTMGR.SYS

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\iaStor.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\SYMEFA64.SYS

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\ccSetx64.sys

\SystemRoot\system32\drivers\N360x64\0604000.009\Ironx64.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\SystemRoot\system32\drivers\N360x64\0604000.009\SRTSPX64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\IPSDefs\20121113.004\IDSvia64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\??\C:\Windows\system32\drivers\cbfs3.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\BASHDefs\20121030.002\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\drivers\usbehci.sys

\SystemRoot\system32\drivers\USBPORT.SYS

\SystemRoot\system32\DRIVERS\bcmwl664.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\k57nd60a.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\LUsbFilt.Sys

\SystemRoot\system32\DRIVERS\LHidFilt.Sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\LMouFilt.Sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\spsys.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\difxapi.dll

\Windows\System32\Wldap32.dll

\Windows\System32\advapi32.dll

\Windows\System32\nsi.dll

\Windows\System32\usp10.dll

\Windows\System32\setupapi.dll

\Windows\System32\shell32.dll

\Windows\System32\msvcrt.dll

\Windows\System32\imm32.dll

\Windows\System32\wininet.dll

\Windows\System32\comdlg32.dll

\Windows\System32\user32.dll

\Windows\System32\gdi32.dll

\Windows\System32\ole32.dll

\Windows\System32\sechost.dll

\Windows\System32\msctf.dll

\Windows\System32\oleaut32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\normaliz.dll

\Windows\System32\rpcrt4.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR5

Upper Device Object: 0xfffffa8009d09060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000084\

Lower Device Object: 0xfffffa8009cf4a10

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xfffffa8009d0a060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000083\

Lower Device Object: 0xfffffa8009cff750

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xfffffa8009d06060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000082\

Lower Device Object: 0xfffffa8009d05060

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa8009cf4060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000081\

Lower Device Object: 0xfffffa8009cfdb60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa800785a060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-2\

Lower Device Object: 0xfffffa8005aa2050

Lower Device Driver Name: \Driver\iaStor\

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8007859060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xfffffa8005aa4050

Lower Device Driver Name: \Driver\iaStor\

Driver name found: iaStor

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8007859060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007859b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8007859060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005aa4050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xfffff8a00d5dafe0, 0xfffffa8007859060, 0xfffffa8005c67090

Lower DeviceData: 0xfffff8a00d72b8b0, 0xfffffa8005aa4050, 0xfffffa8005c63a70

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: CB59CF0B

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 81920 Numsec = 25686016

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 25767936 Numsec = 1927753728

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-1953505168-1953525168)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa800785a060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800785ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800785a060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8005aa2050, DeviceName: \Device\Ide\IAAStorageDevice-2\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xfffff8a00f28afb0, 0xfffffa800785a060, 0xfffffa8005c5d090

Lower DeviceData: 0xfffff8a00dbf02e0, 0xfffffa8005aa2050, 0xfffffa8005bfb090

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: EB275B50

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 96390 Numsec = 478415700

Partition file system is NTFS

Partition is bootable

Partition 2 type is Other (0xdb)

Partition is NOT ACTIVE.

Partition starts at LBA: 478528155 Numsec = 9735390

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 250000000000 bytes

Sector size: 512 bytes

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xfffffa8009cf4060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009d057e0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009cf4060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009cfdb60, DeviceName: \Device\00000081\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xfffffa8009d06060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009d06b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009d06060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009d05060, DeviceName: \Device\00000082\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xfffffa8009d0a060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009d0ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009d0a060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009cff750, DeviceName: \Device\00000083\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 5, DevicePointer: 0xfffffa8009d09060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8009d09b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8009d09060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009cf4a10, DeviceName: \Device\00000084\, DriverName: \Driver\USBSTOR\

------------ End ----------

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\delldock.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\instance.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\Best Buy pc app Setup.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\instance.dat" is compressed (flags = 1)

Done!

Scan finished

=======================================

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.13.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

marc :: FAMILYROOM [administrator]

11/13/2012 10:11:12 PM

mbar-log-2012-11-13 (22-11-12).txt

Scan type: Quick scan

Scan options disabled: PUP | PUM | P2P

Objects scanned: 26550

Time elapsed: 12 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

earlier MBAR_LOG.TXT

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.13.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

marc :: FAMILYROOM [administrator]

11/13/2012 9:50:35 PM

mbar-log-2012-11-13 (21-50-35).txt

Scan type: Quick scan

Scan options disabled: PUP | PUM | P2P

Objects scanned: 26736

Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 8812 -> Delete on reboot. [44836b4ba1bcfb3b1c43097432d0cd33]

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_45_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [53343e92f0bca61cfa4e7b2c1f3cac06]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [45edde40c11b9268fbe48e6b0fd794fe]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_1953524731_user.mbam (Forged physical sector) -> Delete on reboot. [8240dd042845ebed5e91aabb51877474]

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot. [44836b4ba1bcfb3b1c43097432d0cd33]

(end)

NORTON360 Log

Full Path: c:\programdata\malwarebytes\malwarebytes' anti-malware\bootstrap_0_0_45_infected.mbam

Threat: Trojan.Dropper

____________________________

On computers as of Not Available

Last Used 11/13/2012 at 10:01:09 PM

Startup Item No

Launched No

____________________________

Unknown

Number of users in the Norton Community that have used this file: Unknown

____________________________

Unknown

This file release is currently not known.

____________________________

High

This file risk is high.

____________________________

Threat Details

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that

medium.

____________________________

File Actions

File: c:\programdata\malwarebytes\malwarebytes' anti-malware\bootstrap_0_0_45_infected.mbam

Removed

____________________________

File Thumbprint - SHA:

d28cf441323fe670745b6baf626f598c86807e2d5dcac5623d7360784911448c

____________________________

File Thumbprint - MD5:

53343e92f0bca61cfa4e7b2c1f3cac06

____________________________

MrCharlie · November 14, 2012

Lets run ComboFix to clean up any other malware on the system.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

padlinfool · November 14, 2012

MrC

I ran combo-fix.... see log below

I think everything was disabled (had a problem disabling the anti-spyware however I think I got it after it warned me) but it ran from my download folder and not the desktop.

I could run again relocated to the desktop but I thought you should see the initial log.

Thanks!

ComboFix 12-11-13.03 - marc 11/13/2012 22:43:47.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6126.3344 [GMT -5:00]

Running from: c:\users\marc\Downloads\ComboFix.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\PCDr\6032\AddOnDownloaded\087abda5-3ca9-433a-8a4e-6b9fc9285607.dll

c:\programdata\PCDr\6032\AddOnDownloaded\2f733848-355c-4a6f-89a5-08a4dcc89c5c.dll

c:\programdata\PCDr\6032\AddOnDownloaded\305a1406-381f-449d-9486-32504a38e5b0.dll

c:\programdata\PCDr\6032\AddOnDownloaded\3b429c4f-8ba9-4a7d-bbb4-4548bb6d2539.dll

c:\programdata\PCDr\6032\AddOnDownloaded\3c49c05a-0eb3-4044-a0f8-d4ea2a439295.dll

c:\programdata\PCDr\6032\AddOnDownloaded\4704833a-6508-40cc-b98b-5ebd235e52ca.dll

c:\programdata\PCDr\6032\AddOnDownloaded\5cd81d7c-326c-42d2-8929-1ee85c69dc1d.dll

c:\programdata\PCDr\6032\AddOnDownloaded\5f169f6e-cfce-411e-b266-aa53ac35ce83.dll

c:\programdata\PCDr\6032\AddOnDownloaded\7119bf4b-d404-4b31-8779-44fac71761fa.dll

c:\programdata\PCDr\6032\AddOnDownloaded\8c199aef-9eca-4ab6-863d-c9136ebec654.dll

c:\programdata\PCDr\6032\AddOnDownloaded\a7201707-7895-43cf-9119-8a0279b75d4c.dll

c:\programdata\PCDr\6032\AddOnDownloaded\a875f6ee-9729-4447-8d2c-63bd2e6396c1.dll

c:\programdata\PCDr\6032\AddOnDownloaded\af728edb-0984-4c06-9a4b-0878bcfa9a26.dll

c:\programdata\PCDr\6032\AddOnDownloaded\b510dd11-341c-4dfa-9f1e-dd5ddcc444f4.dll

c:\programdata\PCDr\6032\AddOnDownloaded\cf9bce06-e765-4c6f-afa9-0d82a3adc417.dll

c:\programdata\PCDr\6032\AddOnDownloaded\dbecb802-efe1-453f-828f-29af4ab73508.dll

c:\programdata\PCDr\6032\AddOnDownloaded\e1ce76af-328a-41dc-b2c4-0dd9771f6aa1.dll

c:\programdata\PCDr\6032\AddOnDownloaded\e3e252fe-80ab-4f89-82a9-b607007220bd.dll

c:\programdata\PCDr\6032\AddOnDownloaded\eb115e4d-8592-4082-bffa-e65ae6b21e95.dll

c:\programdata\PCDr\6032\AddOnDownloaded\ed26c1b3-d9f9-42e8-80e0-cd62e65fd901.dll

c:\programdata\PCDr\6032\AddOnDownloaded\f28ef68b-8cc4-4c00-891d-473fb67bd0b0.dll

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))

.

2012-11-14 03:48 . 2012-11-14 03:48 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-11-14 03:48 . 2012-11-14 03:48 -------- d-----w- c:\users\Jay\AppData\Local\temp

2012-11-14 03:48 . 2012-11-14 03:48 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-13 23:03 . 2012-11-13 23:12 -------- d-----w- c:\users\marc\AppData\Local\NPE

2012-10-29 20:57 . 2012-10-29 20:57 -------- d-----w- c:\program files (x86)\Common Files\Intel Corporation

2012-10-26 21:33 . 2012-10-26 21:33 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-10-19 00:10 . 2012-10-19 00:10 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer

2012-10-19 00:10 . 2012-10-19 00:10 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-27 13:05 . 2011-07-01 22:15 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-10-12 02:43 . 2011-06-28 22:30 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-10-09 14:40 . 2012-09-02 10:54 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-10-09 14:40 . 2011-10-15 10:21 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-02 22:21 . 2012-09-29 10:29 973672 ----a-w- c:\windows\system32\nvumdshimx.dll

2012-10-02 22:21 . 2012-09-29 10:29 1760104 ----a-w- c:\windows\system32\nvdispco64.dll

2012-10-02 22:21 . 2012-09-29 10:29 1482600 ----a-w- c:\windows\system32\nvdispgenco64.dll

2012-10-02 22:21 . 2011-06-14 23:16 14922600 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-10-02 22:21 . 2011-06-14 23:16 12501352 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-10-02 22:21 . 2011-06-14 23:16 15309160 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-10-02 22:21 . 2011-06-14 23:15 2731880 ----a-w- c:\windows\system32\nvapi64.dll

2012-10-02 19:51 . 2012-09-29 10:30 3536817 ----a-w- c:\windows\system32\nvcoproc.bin

2012-10-02 19:51 . 2011-03-01 01:46 3293544 ----a-w- c:\windows\system32\nvsvc64.dll

2012-10-02 19:51 . 2011-03-01 01:46 6200680 ----a-w- c:\windows\system32\nvcpl.dll

2012-10-02 19:50 . 2011-03-01 01:47 891240 ----a-w- c:\windows\system32\nvvsvc.exe

2012-10-02 19:50 . 2011-03-01 01:47 63336 ----a-w- c:\windows\system32\nvshext.dll

2012-10-02 19:50 . 2011-03-01 01:47 118120 ----a-w- c:\windows\system32\nvmctray.dll

2012-10-02 17:15 . 2012-10-02 17:15 430952 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-10-02 00:04 . 2012-10-02 00:04 74703 ----a-w- c:\windows\SysWow64\mfc45.dll

2012-10-02 00:00 . 2012-10-02 00:00 31152 ----a-w- c:\windows\system32\drivers\pmxdrv.sys

2012-10-01 22:03 . 2012-10-01 22:03 0 ----a-w- c:\windows\invcol.tmp

2012-09-29 23:54 . 2011-12-22 22:17 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-24 19:32 . 2012-09-09 11:31 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll

2012-09-24 19:32 . 2011-04-16 03:07 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-09-14 19:19 . 2012-10-11 22:02 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-11 22:02 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-08-31 18:19 . 2012-10-11 22:05 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys

2012-08-24 18:05 . 2012-10-11 22:02 220160 ----a-w- c:\windows\system32\wintrust.dll

2012-08-24 16:57 . 2012-10-11 22:02 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-08-24 11:15 . 2012-09-23 07:02 17810944 ----a-w- c:\windows\system32\mshtml.dll

2012-08-24 10:39 . 2012-09-23 07:02 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-08-24 10:31 . 2012-09-23 07:02 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-08-24 10:22 . 2012-09-23 07:02 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-08-24 10:21 . 2012-09-23 07:02 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-08-24 10:20 . 2012-09-23 07:02 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-08-24 10:18 . 2012-09-23 07:02 237056 ----a-w- c:\windows\system32\url.dll

2012-08-24 10:17 . 2012-09-23 07:02 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-08-24 10:14 . 2012-09-23 07:02 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-08-24 10:14 . 2012-09-23 07:02 816640 ----a-w- c:\windows\system32\jscript.dll

2012-08-24 10:13 . 2012-09-23 07:02 599040 ----a-w- c:\windows\system32\vbscript.dll

2012-08-24 10:12 . 2012-09-23 07:02 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-08-24 10:11 . 2012-09-23 07:02 729088 ----a-w- c:\windows\system32\msfeeds.dll

2012-08-24 10:10 . 2012-09-23 07:02 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-08-24 10:09 . 2012-09-23 07:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-08-24 10:04 . 2012-09-23 07:02 248320 ----a-w- c:\windows\system32\ieui.dll

2012-08-24 06:59 . 2012-09-23 07:02 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-08-24 06:51 . 2012-09-23 07:02 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-08-24 06:51 . 2012-09-23 07:02 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-08-24 06:47 . 2012-09-23 07:02 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-08-24 06:47 . 2012-09-23 07:02 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-08-24 06:43 . 2012-09-23 07:02 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-08-22 18:12 . 2012-09-12 16:52 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-08-22 18:12 . 2012-09-12 16:52 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-08-22 18:12 . 2012-09-12 16:52 376688 ----a-w- c:\windows\system32\drivers\netio.sys

2012-08-22 18:12 . 2012-09-12 16:52 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2012-08-21 21:01 . 2012-09-25 18:46 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2012-08-20 18:48 . 2012-10-11 22:05 362496 ----a-w- c:\windows\system32\wow64win.dll

2012-08-20 18:48 . 2012-10-11 22:05 243200 ----a-w- c:\windows\system32\wow64.dll

2012-08-20 18:48 . 2012-10-11 22:05 13312 ----a-w- c:\windows\system32\wow64cpu.dll

2012-08-20 18:48 . 2012-10-11 22:05 215040 ----a-w- c:\windows\system32\winsrv.dll

2012-08-20 18:48 . 2012-10-11 22:05 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2012-08-20 18:48 . 2012-10-11 22:05 424448 ----a-w- c:\windows\system32\KernelBase.dll

2012-08-20 18:48 . 2012-10-11 22:05 1162240 ----a-w- c:\windows\system32\kernel32.dll

2012-08-20 18:46 . 2012-10-11 22:05 338432 ----a-w- c:\windows\system32\conhost.exe

2012-08-20 18:38 . 2012-10-11 22:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-08-20 18:38 . 2012-10-11 22:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2012-08-20 17:40 . 2012-10-11 22:05 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2012-08-20 17:38 . 2012-10-11 22:05 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-08-20 17:38 . 2012-10-11 22:05 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2012-08-20 17:37 . 2012-10-11 22:05 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2012-08-20 17:37 . 2012-10-11 22:05 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll

2012-08-20 17:32 . 2012-10-11 22:05 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

2012-08-20 17:32 . 2012-10-11 22:05 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

2012-08-20 17:32 . 2012-10-11 22:05 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2010-11-30 15:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files (x86)\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]

"gStart"="c:\program files (x86)\Garmin\gStart.exe" [2008-08-13 1891416]

"Amazon Cloud Drive"="c:\users\marc\AppData\Local\Amazon\Cloud Drive\AmazonCloudDrive.exe" [2012-09-25 875512]

"Akamai NetSession Interface"="c:\users\marc\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]

"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-03-10 237568]

"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-12-01 963584]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\users\marc\Downloads\mbar-1.01.0.1009\mbar\mbar.exe" [2012-11-14 1341800]

.

c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

c:\users\marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files (x86)\palmOne\Hotsync.exe [2004-6-9 471040]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]

Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-10-13 9216]

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R3 AceecaUSBDx64;AceecaUSBDx64;c:\windows\system32\DRIVERS\AceecaUSBDx64.sys [2011-10-03 66552]

R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]

R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2012-10-02 31152]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-20 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0604000.009\SYMDS64.SYS [2012-01-17 451192]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0604000.009\SYMEFA64.SYS [2012-05-22 1129120]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\BASHDefs\20121030.002\BHDrvx64.sys [2012-10-05 1385632]

S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]

S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360x64\0604000.009\ccSetx64.sys [2012-06-07 167072]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\IPSDefs\20121113.004\IDSvia64.sys [2012-09-06 513184]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0604000.009\Ironx64.SYS [2012-01-17 190072]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS [2012-01-17 405624]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]

S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]

S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe [2012-06-16 138272]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]

S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-27 138912]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-16 317440]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2010-06-08 406056]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-02 14:40]

.

2012-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-06 12:23]

.

2012-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-06 12:23]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2010-11-30 15:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]

@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"

[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]

2011-03-04 15:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]

@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"

[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]

2011-03-04 15:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]

@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"

[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]

2011-03-04 15:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-12-04 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-12-04 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-12-04 417304]

"RunDLLEntry_THXCfg"="c:\windows\system32\THXCfg64.dll" [2009-10-15 17920]

"RunDLLEntry_EptMon"="c:\windows\system32\EptMon64.dll" [2009-10-15 21504]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1744152]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.aol.com/?mtmhp=aolmailtoolbar&ncid=hyplognew00000007

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-Nero MediaHome 4 - c:\program files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

Toolbar-Locked - (no file)

AddRemove-Google Chrome - c:\users\marc\AppData\Local\Google\Chrome\Application\22.0.1229.79\Installer\setup.exe

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]

"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\6.4.0.9\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,

7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de

"{A3704FA3-DBF6-46B5-B95E-0677DFD39577}"=hex:51,66,7a,6c,4c,1d,38,12,cd,4c,63,

a7,c4,95,db,03,c6,48,45,37,da,8d,d1,63

"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,

07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{326E768D-4182-46FD-9C16-1449A49795F4}"=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,

36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0

"{5FF49FE8-B332-4CB9-B102-FB6951629E55}"=hex:51,66,7a,6c,4c,1d,38,12,86,9c,e7,

5b,00,fd,d7,09,ce,14,b8,29,54,3c,da,41

"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,

64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c

"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,

69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,

9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FBEA8524-8C72-4208-9D12-7FB73E9926EB}"=hex:51,66,7a,6c,4c,1d,38,12,4a,86,f9,

ff,40,c2,66,07,e2,04,3c,f7,3b,c7,62,ff

"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,

fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42

"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,

51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:a3,bd,8e,0b,d5,6f,cd,01

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-13 22:50:34

ComboFix-quarantined-files.txt 2012-11-14 03:50

.

Pre-Run: 805,975,527,424 bytes free

Post-Run: 805,527,453,696 bytes free

.

- - End Of File - - 8BD316C1DCD1E8141F28C37E1EDF861D

MrCharlie · November 14, 2012

Looks Good..........

Please run the fixdamage tool in the Malwarebytes Anti-Rootkit folder and reboot.

~~~~~~~~~~~~~~~~~

Next........

......lets check for adware:

Please download AdwCleaner from here and save it on your Desktop.

Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

MrC

padlinfool · November 14, 2012

Ran fixdamage and adwcleaner

please see attached log

# AdwCleaner v2.007 - Logfile created 11/14/2012 at 17:54:14

# Updated 06/11/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : marc - FAMILYROOM

# Boot Mode : Normal

# Running from : C:\Users\marc\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Common Files\Software Update Utility

***** [Registry] *****

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}

Key Found : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}

Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE

Key Found : HKLM\SOFTWARE\Classes\dnUpdate

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Found : HKU\S-1-5-21-2509010423-1822620218-1744342139-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [unable to get version]

File : C:\Users\marc\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2438 octets] - [14/11/2012 17:54:14]

########## EOF - C:\AdwCleaner[R1].txt - [2498 octets] ##########

MrCharlie · November 14, 2012

Sopme adware found....lets clear it out.....

Please re-run AdwCleaner
Click on Delete button.
Confirm each time with OK if asked.
Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then..............

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
Do Not Attach It!!!

MrC

padlinfool · November 14, 2012

MrC

As requested

# AdwCleaner v2.007 - Logfile created 11/14/2012 at 18:31:10

# Updated 06/11/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : marc - FAMILYROOM

# Boot Mode : Normal

# Running from : C:\Users\marc\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [unable to get version]

File : C:\Users\marc\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2561 octets] - [14/11/2012 17:54:14]

AdwCleaner[s1].txt - [2387 octets] - [14/11/2012 18:31:10]

########## EOF - C:\AdwCleaner[s1].txt - [2447 octets] ##########

Results of screen317's Security Check version 0.99.54

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton 360

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Wise Disk Cleaner 6.15

Wise Registry Cleaner 6.14

Java 6 Update 37

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Thunderbird (3.1.10) Thunderbird out of Date!

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````

MrCharlie · November 14, 2012

Java™ 6 Update 37 <-------this is OK
Java version out of Date! <------OK
Adobe Reader 9 Adobe Reader out of Date! <---please check for an update
Mozilla Thunderbird (3.1.10) Thunderbird out of Date! <---please check for an update

You have out dated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Maurice Naggar · November 16, 2012

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

trojan.agent - winrscmde issue

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information