
ZeroAccess virus

This is a discussion on ZeroAccess virus within the Resolved HJT Threads forums, part of the Tech Support Forum category.
Old 05-06-2013, 11:46 AM   #1
Registered Member
Join Date: Dec 2007
Posts: 13
OS: xp sp2

Hi, my computer seems to have been infected by the ZeroAccess virus and I need some help to remove it. Can someone please tell me how to get rid of it?
topogijo
Old 05-06-2013, 10:27 PM   #2
Security Team Analyst
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1

Preparing for the malware removal process

While a description of the trouble you're having is of help, we need more information. A comprehensive set of logs is required to determine the presence of malware.

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
TB-PsYcHoTiC
Old 05-07-2013, 08:31 PM   #3
Registered Member
Join Date: Dec 2007
Posts: 13
OS: xp sp2

Thank you for the info. First of all, I have, I believe, a virus called ZeroAccess; Norton keeps picking it up and it seems to keep revolving and never cleaning it. Second, I noticed that my System Restore has been turned off and I cannot turn it back on. Norton reports Trojan.Zeroaccess.B, Trojan.Zeroaccess.C, Trojan.Gen.2.
Here is the DDS log:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.21.2
Run by Gilles at 18:38:17 on 2013-05-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3963.2046 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files (x86)\Gigabyte\EnergySaver2\des2svr.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\FileOpen\Services\FileOpenManagerService64.exe
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
C:\Program Files (x86)\Fighters\SPAMfighter\sfus.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Fighters\FighterSuiteService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapServicex64.exe
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
C:\Users\Gilles\AppData\Roaming\SearchProtect\bin\cltmng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\msdtc.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=61&CUI=UN83770144210081275&UM=2&UP=SP46150EEE-B930-4ECA-AB66-11E24F98358B
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
mWinlogon: Userinit = userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: IEPlugin Class: {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files (x86)\ArcSoft\Video Downloader\ArcURLRecord.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ToolbarBHO Class: {9519AF7E-638D-4933-BAD6-D33D23C79FE5} - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\EXIFToolBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: RAW Thumbnail Viewer: {F301665A-12F8-4331-804A-5BCBD379668C} - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\EXIFToolBar.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
uRun: [SearchProtect] C:\Users\Gilles\AppData\Roaming\SearchProtect\bin\cltmng.exe
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [Symantec Backup Exec System Recovery 2010] "C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
mRunOnce: [GBTUpd] C:\Program Files (x86)\Gigabyte\GBTUpd\PreRun.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append to existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Read EXIF - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htm
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{6F029706-9836-4649-8064-35E3582F65BE} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs= acaptuser32.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&CUI=UN17992052880223208&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN17992052880223208&UM=2&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Users\Gilles\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}\plugins\np-mswmp.dll
FF - plugin: C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll
FF - ExtSQL: 2013-05-06 11:30; {bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}; C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}
FF - ExtSQL: !HIDDEN! 2013-02-08 23:23; [email protected]; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-11-16 238080]
R2 Backup Exec System Recovery;Backup Exec System Recovery;C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe [2012-6-29 4604808]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2013-2-8 219360]
R2 CltMngSvc;Search Protect by Conduit Updater;C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [2013-4-11 93984]
R2 DES2 Service;DES2 Service for Energy Saving.;C:\Program Files (x86)\Gigabyte\EnergySaver2\des2svr.exe [2013-2-8 68136]
R2 FileOpenManagerService;FileOpen Manager Service;C:\Program Files\FileOpen\Services\FileOpenManagerService64.exe [2012-11-7 335288]
R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-3-20 186200]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-3-3 418376]
R2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Program Files (x86)\Fighters\SPAMfighter\sfus.exe [2013-1-15 216608]
R2 Suite Service;Suite Service;C:\Program Files (x86)\Fighters\FighterSuiteService.exe [2012-11-12 1270376]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-11-10 1775344]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-2-8 2320920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-2-17 138912]
R3 GenericMount;Generic Mount Driver;C:\Windows\System32\drivers\GenericMount.sys [2012-6-29 66608]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-3-3 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-2-9 805088]
R3 SymSnapService;SymSnapService;C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapServicex64.exe [2012-6-29 2969600]
R3 VST64_DPV;VST64_DPV;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 VST64HWBS2;VST64HWBS2;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-3-3 701512]
S3 AODDriver;AODDriver;C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2013-2-9 57952]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2013-2-8 25640]
S3 GenericMount Helper Service;GenericMount Helper Service;C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Shared\Drivers\GenericMountHelperx64.exe [2012-6-29 2224152]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-2-8 30528]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\Windows\System32\dllhost.exe [2009-7-13 9728]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-9 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-8 1255736]
.
=============== Created Last 30 ================
.
2013-05-06 18:30:51 -------- d-----w- C:\Program Files (x86)\Conduit
2013-05-06 18:30:49 -------- d-----w- C:\Users\Gilles\AppData\Local\Conduit
2013-05-06 18:30:13 -------- d-----w- C:\Program Files (x86)\SearchProtect
2013-05-06 18:30:09 -------- d-----w- C:\Users\Gilles\AppData\Roaming\SearchProtect
2013-05-06 18:18:34 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-06 18:10:58 -------- d-----w- C:\Users\Gilles\AppData\Local\VisualBeeExe
2013-05-06 18:10:45 -------- d-----w- C:\ProgramData\VisualBee
2013-05-05 21:50:29 -------- d-----w- C:\Users\Gilles\AppData\Local\NPE
2013-05-05 21:50:29 -------- d-----w- C:\ProgramData\Norton
2013-05-05 20:13:21 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2013-05-05 20:04:17 -------- d-----w- C:\Program Files (x86)\VideoLAN
2013-05-05 19:56:19 225280 ----a-w- C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-05-05 19:56:10 -------- d-----w- C:\Program Files (x86)\x264 Video Codec
2013-04-23 19:15:56 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 10:01:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-04-10 10:00:59 887808 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
.
==================== Find3M ====================
.
2013-05-06 18:04:59 25640 ----a-w- C:\Windows\gdrv.sys
2013-04-18 06:50:35 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-18 06:50:35 691592 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-04-11 14:22:56 770384 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2013-04-11 14:22:56 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2013-04-04 21:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-04-04 12:35:05 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 0333 112640 ----a-w- C:\Windows\System32\smss.exe
2013-03-09 09:17:29 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-03-09 09:17:29 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-01 03:36:04 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-02-24 03:44:53 34288 ----a-w- C:\Windows\System32\drivers\GearAspiWDM.sys
2013-02-24 03:44:53 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2013-02-24 03:44:53 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2013-02-22 06:27:49 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-22 06:20:51 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-22 06:19:37 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-22 06:15:48 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-22 06:15:23 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-22 06:12:41 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-22 03:46:00 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-02-15 06:08:40 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2013-02-15 0611 3717632 ----a-w- C:\Windows\System32\mstscax.dll
2013-02-15 06:02:26 158720 ----a-w- C:\Windows\System32\aaclient.dll
2013-02-15 04:37:10 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-02-15 04:34:10 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll
2013-02-15 03:25:51 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-02-10 04:35:27 175616 ----a-w- C:\Windows\System32\msclmd.dll
2013-02-10 04:35:27 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-02-09 08:39:05 172592 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-02-09 07:40:01 16384 ----a-w- C:\Windows\SysWow64\lgfwunis.exe
2013-02-09 06:37:28 30528 ----a-w- C:\Windows\GVTDrv64.sys
2013-02-09 06:23:38 25640 ----a-w- C:\Windows\etdrv.sys
2013-02-09 02:58:06 0 ----a-w- C:\Windows\ativpsrm.bin
.
============= FINISH: 18:38:37.86 ===============
Attached Files: Attach.txt.rar (3.6 KB), ark.txt.rar (1.3 KB)
topogijo
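As an added example (not code from the thread, from DDS, or from TSF), a small Python triage script that splits a DDS log of the shape posted above into its sections and flags the entries an analyst would look at first: orphaned BHO/SSODL registrations, autostarts and processes loading from a user profile, drivers registered outside the drivers directory, a redirected start page, and leftovers of earlier cleanup tools. The sample log is a constructed excerpt of the posted one, and the review rules are assumptions about what merits a second look, not signatures; a hit means review, not infection.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DDS log posted in this thread, not the full log.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
C:\Users\Gilles\AppData\Roaming\SearchProtect\bin\cltmng.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com/?ctid=CT3287802
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
uRun: [SearchProtect] C:\Users\Gilles\AppData\Roaming\SearchProtect\bin\cltmng.exe
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-3-3 25928]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2013-2-8 25640]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-2-8 30528]
.
=============== Created Last 30 ================
.
2013-05-06 18:18:34 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-05 20:13:21 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
.
============= FINISH: 18:38:37.86 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS prints services and drivers as "R3 name;description;image path [date size]".
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+?)\s+\[[^\]]*\]\s*$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))', re.IGNORECASE)
# Where Windows normally loads kernel drivers from; anything else is reviewed.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\syswow64\\drivers\\")
# Search-redirect host and cleanup-tool leftovers named in the posted log.
REDIRECT_HOSTS = ("search.conduit.com",)
CLEANUP_ARTIFACTS = ("tdsskiller_quarantine", "fixzeroaccess.sys")


def parse_sections(text):
    """Split a DDS log into {section name: [entries]}; '.' spacer lines are dropped."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        sections[current].append(line)
    return sections


def path_of(entry):
    """Return the first Windows file path (exe/dll/sys) in an entry, or '' if none."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else ""


def triage(text):
    """Return (rule, entry) pairs worth an analyst's attention; a hit means review, not infection."""
    findings = []
    sec = parse_sections(text)
    for entry in sec.get("Running Processes", []):
        if "\\appdata\\" in entry.lower():
            findings.append(("process running from user profile", entry))
    for entry in sec.get("Pseudo HJT Report", []):
        low = entry.lower()
        if "<orphaned>" in low:
            findings.append(("orphaned registration", entry))
        if "\\appdata\\" in path_of(entry).lower():
            findings.append(("autostart or hook from user profile", entry))
        if low.startswith("ustart page") and any(h in low for h in REDIRECT_HOSTS):
            findings.append(("browser start page redirected", entry))
    for entry in sec.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(entry)
        if m:
            image = m.group(1).lower()
            if image.endswith(".sys") and not image.startswith(DRIVER_DIRS):
                findings.append(("driver outside drivers directory", entry))
    for entry in sec.get("Created Last 30", []):
        if any(a in entry.lower() for a in CLEANUP_ARTIFACTS):
            findings.append(("prior cleanup-tool artifact", entry))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_DDS):
        print(f"[{rule}] {entry}")
```

Run against the full posted log, the same rules also surface the TDSSKiller quarantine folder and Symantec's FixZeroAccess.sys as evidence of the earlier removal attempts the poster describes.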
 
Old 05-07-2013, 09:36 PM   #4
Security Team Analyst
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
TB-PsYcHoTiC
Old 05-08-2013, 09:06 AM   #5
Security Team Analyst
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

While reviewing your log I saw that you used TDSSKiller to fix something.

For each run of this tool a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please zip all these logs you can find there and attach the file to your next reply.

Please download Malwarebytes Anti-Rootkit from here: Malwarebytes : Malwarebytes Anti-Rootkit, and save it to your desktop.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • When it has finished extracting, double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware.

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
TB-PsYcHoTiC
Old 05-08-2013, 10:39 PM   #6
Registered Member
Join Date: Dec 2007
Posts: 13
OS: xp sp2

Thank you for taking the time to help me. I can't seem to find any TXT files from TDSSKiller, only zasubsys0000 and zasubsys0001 DTA files that I can't open to send.
Here is the MBAR log file:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.300000 GHz
Memory total: 4156022784, free: 2185433088

------------ Kernel report ------------
05/08/2013 21:36:05
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\symsnap.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\SRTSP64.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\SystemRoot\System32\Drivers\SRTSPX64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\??\C:\Windows\system32\drivers\wpsdrvnt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
----------- End -----------
Done!
Performing system, memory and registry scan...
Infected: c:\Windows\System32\services.exe --> [Rootkit.0Access]
Backup file found for a file c:\Windows\System32\services.exe
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\@ --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L\[email protected] --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U\[email protected] --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U --> [Backdoor.0Access]
Done!
Scan finished
=======================================
topogijo is offline  
Old 05-10-2013, 12:12 AM   #7
Security Team
Analyst
 
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1


Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.
TB-PsYcHoTiC is offline  
Old 05-10-2013, 11:27 PM   #8
Registered Member
 
Join Date: Dec 2007
Posts: 13
OS: xp sp2



I ran mbar twice and it seems to have got rid of the ZeroAccess that kept popping up on Symantec Endpoint, but I did get Trojan.Gen.2. Without thinking, I ran my antivirus and the Trojan.Gen.2 was replaced with a tracking cookie that was deleted. Here is the mbar log from the last scan.
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.300000 GHz
Memory total: 4156022784, free: 2620882944

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.300000 GHz
Memory total: 4156022784, free: 2615160832

------------ Kernel report ------------
05/10/2013 22:31:41
------------ Loaded modules -----------
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Program Files\FileOpen\Services\fileopen64.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\??\C:\Windows\gdrv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130509.017\EX64.SYS
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130509.017\ENG64.SYS
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\WpsHelper.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\gdi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\advapi32.dll
\Windows\System32\psapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\clbcatq.dll
\Windows\System32\usp10.dll
\Windows\System32\ws2_32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\setupapi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\msctf.dll
\Windows\System32\user32.dll
\Windows\System32\ole32.dll
\Windows\System32\shell32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\imm32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\sechost.dll
\Windows\System32\normaliz.dll
\Windows\System32\msvcrt.dll
\Windows\System32\comdlg32.dll
\Windows\System32\lpk.dll
\Windows\System32\kernel32.dll
\Windows\System32\difxapi.dll
\Windows\System32\nsi.dll
\Windows\System32\wininet.dll
\Windows\System32\crypt32.dll
\Windows\System32\wintrust.dll
\Windows\System32\KernelBase.dll
\Windows\System32\comctl32.dll
\Windows\System32\devobj.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Downloaded database version: v2013.05.09.02
Downloaded database version: v2013.05.09.03
Downloaded database version: v2013.05.09.04
Downloaded database version: v2013.05.09.05
Downloaded database version: v2013.05.09.06
Downloaded database version: v2013.05.09.07
Downloaded database version: v2013.05.10.01
Downloaded database version: v2013.05.10.02
Downloaded database version: v2013.05.10.03
Downloaded database version: v2013.05.10.04
Downloaded database version: v2013.05.10.05
Downloaded database version: v2013.05.10.06
Downloaded database version: v2013.05.10.07
Downloaded database version: v2013.05.10.08
Downloaded database version: v2013.05.10.09
Downloaded database version: v2013.05.10.10
Downloaded database version: v2013.05.11.01
Initializing...
Done!
<<<2>>>
Device number: 1, partition: 2
Physical Sector Size: 512
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 1, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 53B030EE

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 488392002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 62F2069B

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 3906820096

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 2000398934016 bytes
Sector size: 512 bytes

Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 68084D8C

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 1953314816

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: c:\Windows\System32\services.exe --> [Rootkit.0Access]
Backup file found for a file c:\Windows\System32\services.exe
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\@ --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L\[email protected] --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U\[email protected] --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L --> [Backdoor.0Access]
Infected: c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 1, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action fixdamage.exe...
Success!
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.300000 GHz
Memory total: 4156022784, free: 2221666304

Removal queue found; removal started
Removing c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\@...
Removing c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L\[email protected]
Removing c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U\[email protected]
Removing c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\L...
Removing c:\Windows\Installer\{e3fae36d-b888-f801-2646-89ca3bb4fdc7}\U...
Removal finished
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.300000 GHz
Memory total: 4156022784, free: 2020888576

------------ Kernel report ------------
05/10/2013 22:43:09
------------ Loaded modules -----------
----------- End -----------
Initializing...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
topogijo is offline  
Old 05-13-2013, 05:07 AM   #9
Security Team
Analyst
 
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1



Scan with adwCleaner


Please download AdwCleaner to your desktop.



  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.



ESET online scan


Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
TB-PsYcHoTiC is offline  
Old 05-13-2013, 11:41 PM   #10
Registered Member
 
Join Date: Dec 2007
Posts: 13
OS: xp sp2



Here is the ADWCleaner scan
# AdwCleaner v2.300 - Logfile created 05/13/2013 at 20:47:58
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Gilles - GILLES-PC
# Boot Mode : Normal
# Running from : C:\Users\Gilles\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : CltMngSvc


and here is the ESET Scan
C:\Program Files (x86)\Mozilla Firefox\components\sprotector.js Win32/Conduit.SearchProtect.A application
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam Win64/Patched.A.Gen trojan
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam Win64/Patched.A.Gen trojan
C:\TDSSKiller_Quarantine\06.05.2013_11.13.18\zasubsys0000\file0000\tsk0000.dta Win64/Patched.A.Gen trojan
C:\TDSSKiller_Quarantine\06.05.2013_11.13.18\zasubsys0001\file0000\tsk0000.dta Win64/Patched.A.Gen trojan
C:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam Win64/Patched.A.Gen trojan
C:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam Win64/Patched.A.Gen trojan
C:\Users\Gilles\AppData\Local\Temp\SecondStepInstaller.exe multiple threats
C:\Users\Gilles\AppData\Local\Temp\AU\SPUpdater.exe multiple threats
C:\Users\Gilles\Downloads\Media_Player_Classic.exe a variant of Win32/InstallCore.AZ application
C:\Users\Gilles\Downloads\SoftonicDownloader_for_ultrasurf-firefox-tool.exe a variant of Win32/SoftonicDownloader.E application
C:\Users\Gilles\Downloads\ultrasurf firefox.exe MSIL/Solimba.H application
F:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
F:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite.A application
F:\Program Files (x86)\Search Results Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
F:\Program Files (x86)\Search Results Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application
F:\ProgramData\Download and Sa\50934a49057df.ocx Win32/Adware.MultiPlug.D application
F:\ProgramData\Download and Sa\50934a4905818.html Win32/Adware.MultiPlug.H application
F:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam Win64/Patched.A.Gen trojan
F:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam Win64/Patched.A.Gen trojan
F:\Users\Gilles\AppData\Local\Babylon\Setup\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E application
F:\Users\Gilles\AppData\Local\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.E application
F:\Users\Gilles\AppData\Local\Torch\User Data\Default\Extensions\gopipkjpjkchkglpjfaolcalajkiknmh\7.1_0\50934a49055ad1351830089.js Win32/Adware.MultiPlug.H application
F:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\uy6h390c.default\extensions\[email protected]\content\bg.js Win32/Adware.MultiPlug.H application
F:\Users\Gilles\Downloads\setup.exe Win32/InstalleRex.E application
F:\Users\Gilles\Videos\external.php Win32/Toolbar.SearchSuite application
F:\Users\Gilles\Videos\iLividSetup.exe Win32/Toolbar.SearchSuite application
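The ESET log above is a flat list of "<path> <detection name> <kind>" lines, and the first triage question is which hits are live files and which are copies an earlier tool already pulled out of place: everything under C:\TDSSKiller_Quarantine and the *.mbam files in Malwarebytes' data folder are such copies, so the Win64/Patched.A.Gen hits on them are not active infections. The following Python script is an added example, not part of the original thread or of any tool named in it. It parses six lines copied from the log above (embedded as a constructed sample); the quarantine markers it checks for are an assumption drawn from those paths.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: six lines copied from the ESET scan posted above.
# Format per line: "<path> <detection name> <kind>", where <kind> is
# "application" or "trojan", or the path followed by "multiple threats".
SAMPLE_ESET_LOG = r"""
C:\Program Files (x86)\Mozilla Firefox\components\sprotector.js Win32/Conduit.SearchProtect.A application
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam Win64/Patched.A.Gen trojan
C:\TDSSKiller_Quarantine\06.05.2013_11.13.18\zasubsys0000\file0000\tsk0000.dta Win64/Patched.A.Gen trojan
C:\Users\Gilles\AppData\Local\Temp\SecondStepInstaller.exe multiple threats
F:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
F:\Users\Gilles\Downloads\ultrasurf firefox.exe MSIL/Solimba.H application
"""

# Paths may contain spaces, so the path is matched lazily and the detection
# name is recognised by its "Family/Variant" shape (paths use backslashes).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<name>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+(?P<kind>application|trojan)"
    r"|(?P<multi>multiple threats))$"
)

# Assumption: these markers identify copies another tool already quarantined
# (TDSSKiller's quarantine folder, Malwarebytes' .mbam backups).
QUARANTINE_MARKERS = ("\\TDSSKiller_Quarantine\\", ".mbam")


@dataclass
class Detection:
    path: str
    name: str        # ESET detection name, or "multiple threats"
    kind: str        # application | trojan | multiple
    drive: str       # "C:" or "F:"
    quarantined: bool


def is_quarantine_copy(path: str) -> bool:
    """True when the path points at a backup/quarantine copy, not a live file."""
    low = path.lower()
    return any(marker.lower() in low for marker in QUARANTINE_MARKERS)


def parse_eset_log(text: str) -> list[Detection]:
    """Turn ESET's one-hit-per-line output into Detection records."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed ESET line: {line}")
        path = m.group("path")
        if m.group("multi"):
            name, kind = "multiple threats", "multiple"
        else:
            name, kind = m.group("name"), m.group("kind")
        found.append(Detection(path, name, kind, path[:2].upper(), is_quarantine_copy(path)))
    return found


def triage(dets: list[Detection]) -> dict:
    """Summarise what is live vs. already quarantined, per drive and per kind."""
    live = [d for d in dets if not d.quarantined]
    return {
        "total": len(dets),
        "by_kind": dict(Counter(d.kind for d in dets)),
        "by_drive": dict(Counter(d.drive for d in dets)),
        "quarantine_copies": sum(d.quarantined for d in dets),
        "live_trojans": [d.path for d in live if d.kind == "trojan"],
        "live_paths": [d.path for d in live],
    }


if __name__ == "__main__":
    for key, value in triage(parse_eset_log(SAMPLE_ESET_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log, the point is that every "trojan" hit sits in a quarantine folder, so what remains on disk is adware/toolbar material plus the two unnamed "multiple threats" installers in Temp, which is what the CFScript later in the thread targets.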
Old 05-13-2013, 11:52 PM   #11
Security Team Analyst (Join Date: Nov 2011, Posts: 754, OS: Win7 SP 1)

It seems that the AdwCleaner logfile is incomplete. Please post the whole content.
Old 05-14-2013, 11:43 AM   #12
Registered Member (Join Date: Dec 2007, Posts: 13, OS: xp sp2)

Here is the AdwCleaner[S2].txt:
# AdwCleaner v2.300 - Logfile created 05/13/2013 at 20:48:57
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Gilles - GILLES-PC
# Boot Mode : Normal
# Running from : C:\Users\Gilles\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\DeviceVM
File Deleted : C:\END
File Deleted : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\searchplugins\Conduit.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\visualbee
Folder Deleted : C:\Users\Gilles\AppData\Local\Conduit
Folder Deleted : C:\Users\Gilles\AppData\Local\Temp\CT3287802
Folder Deleted : C:\Users\Gilles\AppData\Local\visualbeeexe
Folder Deleted : C:\Users\Gilles\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\CT3287802
Folder Deleted : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}
Folder Deleted : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\Smartbar
Folder Deleted : C:\Users\Gilles\AppData\Roaming\SearchProtect

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3287802
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=61&CUI=UN83770144210081275&UM=2&UP=SP46150EEE-B930-4ECA-AB66-11E24F98358B --> hxxp://www.google.com

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\prefs.js

Deleted : user_pref("CT3287802.1000082.isPlayDisplay", "true");
Deleted : user_pref("CT3287802.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Deleted : user_pref("CT3287802.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3287802.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3287802.FF19Solved", "true");
Deleted : user_pref("CT3287802.FirstTime", "true");
Deleted : user_pref("CT3287802.FirstTimeFF3", "true");
Deleted : user_pref("CT3287802.PG_ENABLE", "dHJ1ZQ==");
Deleted : user_pref("CT3287802.PG_ENABLE.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3287802.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Deleted : user_pref("CT3287802.SF_STATUS.enc", "RU5BQkxFRA==");
Deleted : user_pref("CT3287802.SF_USER_ID.enc", "Y2lkXzY1MjAxMzExMzA1MTY0ODI2NzQ=");
Deleted : user_pref("CT3287802.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT328[...]
Deleted : user_pref("CT3287802.UserID", "UN17992052880223208");
Deleted : user_pref("CT3287802.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3287802.autoDisableScopes", -1);
Deleted : user_pref("CT3287802.browser.search.defaultthis.engineName", "true");
Deleted : user_pref("CT3287802.defaultSearch", "true");
Deleted : user_pref("CT3287802.embeddedsData", "[{\"appId\":\"130058504433344387\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT3287802.enableAlerts", "true");
Deleted : user_pref("CT3287802.enableFix404ByUser", "TRUE");
Deleted : user_pref("CT3287802.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3287802.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3287802.fixPageNotFoundError", "true");
Deleted : user_pref("CT3287802.fixPageNotFoundErrorByUser", "true");
Deleted : user_pref("CT3287802.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3287802.fixUrls", true);
Deleted : user_pref("CT3287802.homepageuserchanged", true);
Deleted : user_pref("CT3287802.installDate", "6/5/2013 11:30:09");
Deleted : user_pref("CT3287802.installId", "stub.exe");
Deleted : user_pref("CT3287802.installSessionId", "{64AD69AA-84DB-4C77-8E65-63632172A973}");
Deleted : user_pref("CT3287802.installSp", "TRUE");
Deleted : user_pref("CT3287802.installType", "conduitnsisintegration");
Deleted : user_pref("CT3287802.installerVersion", "1.4.1.3");
Deleted : user_pref("CT3287802.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3287802.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3287802.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3287802.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3287802.keyword", "true");
Deleted : user_pref("CT3287802.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit[...]
Deleted : user_pref("CT3287802.lastVersion", "10.15.2.523");
Deleted : user_pref("CT3287802.mam_gk_appStateReportTime.enc", "MTM2Nzg2NTA1MDI5Mw==");
Deleted : user_pref("CT3287802.mam_gk_appState_CouponBuddy.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_appState_Easytobook.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_appState_Easytobook_targeted.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_appState_PriceGong.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_appState_WindowShopper.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9w[...]
Deleted : user_pref("CT3287802.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Deleted : user_pref("CT3287802.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImN[...]
Deleted : user_pref("CT3287802.mam_gk_currentVersion.enc", "MS40LjQuNg==");
Deleted : user_pref("CT3287802.mam_gk_eventsCache.enc", "eyJlZTcxODgxOS00NjMzLTQ5YzktOTJiNi1jZmI2Yzk3OWUwYzciO[...]
Deleted : user_pref("CT3287802.mam_gk_first_time.enc", "MQ==");
Deleted : user_pref("CT3287802.mam_gk_gadgetOpen.enc", "MA==");
Deleted : user_pref("CT3287802.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Deleted : user_pref("CT3287802.mam_gk_lastLoginTime.enc", "MTM2Nzg2NTA0ODUxNg==");
Deleted : user_pref("CT3287802.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50[...]
Deleted : user_pref("CT3287802.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3287802.mam_gk_settings1.4.4.6.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVyd[...]
Deleted : user_pref("CT3287802.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3287802.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Deleted : user_pref("CT3287802.mam_gk_userId.enc", "MjJhMzBlZjAtM2I2YS00ODRmLTk0NjQtZjA4MTA1MGQ1ZWIy");
Deleted : user_pref("CT3287802.migrateAppsAndComponents", true);
Deleted : user_pref("CT3287802.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%[...]
Deleted : user_pref("CT3287802.openThankYouPage", "false");
Deleted : user_pref("CT3287802.openUninstallPage", "true");
Deleted : user_pref("CT3287802.revertSettingsEnabled", "false");
Deleted : user_pref("CT3287802.search.searchAppId", "130058504433344387");
Deleted : user_pref("CT3287802.search.searchCount", "0");
Deleted : user_pref("CT3287802.searchFromAddressBarEnabledByUser", "true");
Deleted : user_pref("CT3287802.searchInNewTabEnabledByUser", "true");
Deleted : user_pref("CT3287802.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3287802.searchRevert", "false");
Deleted : user_pref("CT3287802.searchUserMode", "2");
Deleted : user_pref("CT3287802.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3287802.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3287802.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3287802.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1367865037772");
Deleted : user_pref("CT3287802.serviceLayer_services_appsMetadata_lastUpdate", "1367865040843");
Deleted : user_pref("CT3287802.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1367865037529");
Deleted : user_pref("CT3287802.serviceLayer_services_location_lastUpdate", "1367982439915");
Deleted : user_pref("CT3287802.serviceLayer_services_login_10.15.2.23_lastUpdate", "1367865530056");
Deleted : user_pref("CT3287802.serviceLayer_services_login_10.15.2.523_lastUpdate", "1367982440390");
Deleted : user_pref("CT3287802.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1367865037741");
Deleted : user_pref("CT3287802.serviceLayer_services_searchAPI_lastUpdate", "1367865036549");
Deleted : user_pref("CT3287802.serviceLayer_services_serviceMap_lastUpdate", "1367982439461");
Deleted : user_pref("CT3287802.serviceLayer_services_setupAPI_lastUpdate", "1367865032064");
Deleted : user_pref("CT3287802.serviceLayer_services_toolbarContextMenu_lastUpdate", "1367865037470");
Deleted : user_pref("CT3287802.serviceLayer_services_toolbarSettings_lastUpdate", "1367982440026");
Deleted : user_pref("CT3287802.serviceLayer_services_translation_lastUpdate", "1367982440009");
Deleted : user_pref("CT3287802.settingsINI", true);
Deleted : user_pref("CT3287802.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3287802.showToolbarPermission", "false");
Deleted : user_pref("CT3287802.smartbar.CTID", "CT3287802");
Deleted : user_pref("CT3287802.smartbar.Uninstall", "0");
Deleted : user_pref("CT3287802.smartbar.homepage", "true");
Deleted : user_pref("CT3287802.smartbar.isHidden", true);
Deleted : user_pref("CT3287802.smartbar.toolbarName", "VisualBee V.3 ");
Deleted : user_pref("CT3287802.startPage", "true");
Deleted : user_pref("CT3287802.toolbarBornServerTime", "6-5-2013");
Deleted : user_pref("CT3287802.toolbarCurrentServerTime", "8-5-2013");
Deleted : user_pref("CT3287802.toolbarLoginClientTime", "Mon May 06 2013 11:30:46 GMT-0700 (Pacific Daylight T[...]
Deleted : user_pref("CT3287802.twitter_v1.8.0_twitter_app_open_t_f.enc", "ZmFsc2U=");
Deleted : user_pref("CT3287802.url_history0001.enc", "aHR0cDovL3d3dy50ZWNoc3VwcG9ydGZvcnVtLmNvbS9mb3J1bXMvbG9n[...]
Deleted : user_pref("CT3287802_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3287802&octid=CT328780[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "VisualBee V.3 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802[...]
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3287802");
Deleted : user_pref("browser.search.defaultthis.engineName", "VisualBee V.3 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&CUI[...]
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3287802&CUI=UN179920528[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.machineId", "8U9YYGEZ/O8A69OSXDMYZ/0SWWREIGVDQ5MPT+EZRILLXA6CEEILSGTA+4Q/2AVA0QI[...]
Deleted : user_pref("smartbar.originalHomepage", "hxxp://ca.msn.com/");
Deleted : user_pref("smartbar.originalSearchAddressUrl", "");
Deleted : user_pref("smartbar.originalSearchEngine", "Google");

*************************

AdwCleaner[R1].txt - [13457 octets] - [13/05/2013 19:51:44]
AdwCleaner[R2].txt - [13518 octets] - [13/05/2013 20:47:49]
AdwCleaner[R3].txt - [13619 octets] - [13/05/2013 20:48:48]
AdwCleaner[S1].txt - [354 octets] - [13/05/2013 20:47:58]
AdwCleaner[S2].txt - [13903 octets] - [13/05/2013 20:48:57]

########## EOF - C:\AdwCleaner[S2].txt - [13964 octets] ##########
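Most of the CT3287802.*.enc preferences AdwCleaner deleted above are plain base64, so the log is more informative than it looks: the values decode to toolbar state ("true", "ENABLED", "on"), a version string, epoch-millisecond timestamps, and url_history0001.enc decodes to a URL on this very forum, i.e. the toolbar was recording the user's browsing history inside the Firefox profile. The script below is an added example, not code from the thread or from AdwCleaner. It parses a handful of "Deleted : user_pref(...)" lines copied from the log above (embedded as a constructed sample), strips AdwCleaner's "[...]" truncation marker before decoding, and treats 13-digit values under keys containing "Time" as millisecond timestamps, which is an assumption about Conduit's format based on the decoded values.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Constructed sample: lines copied from the AdwCleaner[S2] log above.
# The url_history line is truncated in the log itself (note the "[...]").
SAMPLE_ADWCLEANER_LINES = r"""
Deleted : user_pref("CT3287802.PG_ENABLE.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3287802.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Deleted : user_pref("CT3287802.SF_STATUS.enc", "RU5BQkxFRA==");
Deleted : user_pref("CT3287802.SF_USER_ID.enc", "Y2lkXzY1MjAxMzExMzA1MTY0ODI2NzQ=");
Deleted : user_pref("CT3287802.mam_gk_appState_PriceGong.enc", "b24=");
Deleted : user_pref("CT3287802.mam_gk_currentVersion.enc", "MS40LjQuNg==");
Deleted : user_pref("CT3287802.mam_gk_lastLoginTime.enc", "MTM2Nzg2NTA0ODUxNg==");
Deleted : user_pref("CT3287802.url_history0001.enc", "aHR0cDovL3d3dy50ZWNoc3VwcG9ydGZvcnVtLmNvbS9mb3J1bXMvbG9n[...]
Deleted : user_pref("CT3287802.smartbar.isHidden", true);
"""

PREF_RE = re.compile(r'^Deleted : user_pref\("(?P<key>[^"]+)",\s*(?P<rest>.*)$')


def split_value(rest: str) -> tuple[str, bool]:
    """Return (value, truncated) from the text after the pref key.

    AdwCleaner cuts long values and appends "[...]", dropping the closing
    quote and the ");" terminator, so both shapes are handled here.
    """
    truncated = rest.endswith("[...]")
    if truncated:
        rest = rest[: -len("[...]")]
    rest = rest.rstrip(";").rstrip(")").strip()
    if rest.startswith('"'):
        rest = rest[1:]
        if rest.endswith('"') and not truncated:
            rest = rest[:-1]
    return rest, truncated


def decode_enc(b64: str, truncated: bool = False):
    """Base64-decode a Conduit '.enc' value; None when it is not valid base64."""
    s = b64.strip()
    if truncated:
        s = s[: len(s) - len(s) % 4]   # drop a dangling partial quartet
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def interpret(key: str, text: str) -> str:
    """Assumption: 13-digit values under *Time* keys are epoch milliseconds."""
    if text.isdigit() and len(text) == 13 and "time" in key.lower():
        dt = datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    return text


def parse_adwcleaner_prefs(text: str) -> list[dict]:
    """Parse 'Deleted : user_pref(...)' lines, decoding '.enc' values."""
    records = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m is None:
            continue
        key = m.group("key")
        value, truncated = split_value(m.group("rest"))
        rec = {"key": key, "raw": value, "truncated": truncated, "decoded": None}
        if key.endswith(".enc"):
            decoded = decode_enc(value, truncated)
            if decoded is not None:
                rec["decoded"] = interpret(key, decoded)
        records.append(rec)
    return records


def decoded_map(text: str) -> dict:
    """Convenience view: pref key -> decoded value, for the '.enc' prefs only."""
    return {r["key"]: r["decoded"] for r in parse_adwcleaner_prefs(text)
            if r["decoded"] is not None}


if __name__ == "__main__":
    for key, value in decoded_map(SAMPLE_ADWCLEANER_LINES).items():
        print(f"{key} = {value!r}")
```

The decoded lastLoginTime (2013-05-06 18:30:48 UTC) agrees with the toolbarLoginClientTime pref a few lines further down the log (Mon May 06 2013 11:30:46 GMT-0700), which is a useful cross-check that the timestamp assumption is right.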
Old 05-14-2013, 11:47 AM   #13
Registered Member (Join Date: Dec 2007, Posts: 13, OS: xp sp2)

I hope this is what you are looking for. There are other logs there as well; they are labeled R1, R2, R3. I think I may have run the program twice, thinking I had screwed up. Sorry for any confusion.
Old 05-16-2013, 06:02 AM   #14
Security Team Analyst (Join Date: Nov 2011, Posts: 754, OS: Win7 SP 1)

Is your drive F bootable? If yes, boot from that drive and run adwcleaner.exe again.

  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.




Combofix

Combofix should only be run when advised by a team member!
Download Combofix from one of the following mirrors:

Link 1
Link 2

Important - Save the file to your desktop!
  • Download the CFScript.txt attached to this reply and save it to the same location where ComboFix.exe is.
  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.




  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Attached Files: CFScript.txt (1.6 KB)
Old 05-16-2013, 05:21 PM   #15
Registered Member (Join Date: Dec 2007, Posts: 13, OS: xp sp2)

# AdwCleaner v2.301 - Logfile created 05/16/2013 at 17:13:59
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Gilles - GILLES-PC
# Boot Mode : Normal
# Running from : F:\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : BCUService

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\DeviceVM

***** [Registry] *****

Key Deleted : HKCU\Software\DeviceVM
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{77AA6435-2488-4A94-9FE5-49519DD2ED9B}
Key Deleted : HKLM\Software\DeviceVM
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{BC86E1AB-EDA5-4059-938F-CE307B0C6F0A}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BC86E1AB-EDA5-4059-938F-CE307B0C6F0A}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [BCU]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [13457 octets] - [13/05/2013 19:51:44]
AdwCleaner[R2].txt - [13518 octets] - [13/05/2013 20:47:49]
AdwCleaner[R3].txt - [13619 octets] - [13/05/2013 20:48:48]
AdwCleaner[R4].txt - [1591 octets] - [16/05/2013 17:11:23]
AdwCleaner[R5].txt - [1643 octets] - [16/05/2013 17:12:54]
AdwCleaner[R6].txt - [1703 octets] - [16/05/2013 17:13:51]
AdwCleaner[S1].txt - [354 octets] - [13/05/2013 20:47:58]
AdwCleaner[S2].txt - [14034 octets] - [13/05/2013 20:48:57]
AdwCleaner[S3].txt - [1660 octets] - [16/05/2013 17:13:59]

########## EOF - C:\AdwCleaner[S3].txt - [1720 octets] ##########

I copied and pasted AdwCleaner to the F drive; not sure if that was OK. Here is the post from that. I plan to format the F drive as soon as we clean everything up.
Old 05-16-2013, 05:41 PM   #16
Registered Member (Join Date: Dec 2007, Posts: 13, OS: xp sp2)

Here is the log file from the ComboFix scan. Also, I will not be available from Fri 3:00 pm May 17 to May 20, so I hope you will not close this post because of your 3-day no-action clause. Thank you.

ComboFix 13-05-16.02 - Gilles 05/16/2013 17:27:03.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3963.2373 [GMT -7:00]
Running from: c:\users\Gilles\Desktop\ComboFix.exe
Command switches used :: c:\users\Gilles\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\Mozilla Firefox\components\sprotector.js"
"c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam"
"c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam"
"c:\tdsskiller_quarantine\06.05.2013_11.13.18\zasubsys0000\file0000\tsk0000.dta"
"c:\tdsskiller_quarantine\06.05.2013_11.13.18\zasubsys0001\file0000\tsk0000.dta"
"c:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam"
"c:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam"
"c:\users\Gilles\AppData\Local\Temp\AU\SPUpdater.exe"
"c:\users\Gilles\AppData\Local\Temp\SecondStepInstaller.exe"
"c:\users\Gilles\Downloads\Media_Player_Classic.exe"
"c:\users\Gilles\Downloads\SoftonicDownloader_for_ultrasurf-firefox-tool.exe"
"c:\users\Gilles\Downloads\ultrasurf firefox.exe"
"f:\programdata\Download and Sa\50934a49057df.ocx"
"f:\programdata\Download and Sa\50934a4905818.html"
"f:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam"
"f:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam"
"f:\users\Gilles\AppData\Local\Torch\User Data\Default\Extensions\gopipkjpjkchkglpjfaolcalajkiknmh\7.1_0\50934a49055ad1351830089.js"
"f:\users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\uy6h390c.default\extensions\[email protected]\content\bg.js"
"f:\users\Gilles\Downloads\setup.exe"
"f:\users\Gilles\Videos\external.php"
"f:\users\Gilles\Videos\iLividSetup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Mozilla Firefox\components\sprotector.js
c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam
c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam
c:\tdsskiller_quarantine\06.05.2013_11.13.18\zasubsys0000\file0000\tsk0000.dta
c:\tdsskiller_quarantine\06.05.2013_11.13.18\zasubsys0001\file0000\tsk0000.dta
c:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam
c:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam
c:\users\Gilles\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk
c:\users\Gilles\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
f:\favoritevideo\InvisibleFolder
f:\favoritevideo\InvisibleFolder\20100610145021_pplivenvziwangqiu100610zhu15s.swf
f:\favoritevideo\InvisibleFolder\20100624181647_nvziwangqiu100624zhu5s.swf
f:\favoritevideo\InvisibleFolder\20100813174225_jingji100813zanting15s.swf
f:\favoritevideo\InvisibleFolder\20100827173422_huiyuan100828zanting15s.swf
f:\favoritevideo\InvisibleFolder\20100909114908_fenghuasangu100909bkqipao.swf
f:\favoritevideo\InvisibleFolder\20100910172054_huiyuan100910zhu15s.swf
f:\favoritevideo\InvisibleFolder\20100917173752_pinganchexian100901zanting15s.swf
f:\favoritevideo\InvisibleFolder\20100925200642_yaowan100926qipao.swf
f:\favoritevideo\InvisibleFolder\20101014121336_haoya101014shawa.swf
f:\favoritevideo\InvisibleFolder\20101018170403_baidukongjian101101zhu15s.swf
f:\favoritevideo\InvisibleFolder\20101018182734_shoubiao101019zanting15s.swf
f:\favoritevideo\InvisibleFolder\20101019232344_wushenshenhua101019zanting15s.swf
f:\favoritevideo\InvisibleFolder\20101021215043_wushenshenhua101022bkqipao15s.swf
f:\favoritevideo\InvisibleFolder\20101022101337_wanmei101022zhu15schunji.swf
f:\favoritevideo\InvisibleFolder\20101022101638_wanmei101022zhu15sgelishuangB.swf
f:\favoritevideo\InvisibleFolder\20101022101734_wanmei101022zhu15sjingzhitanli.swf
f:\favoritevideo\InvisibleFolder\20101022101820_wanmei101022zhu15sqiaokeli.swf
f:\favoritevideo\InvisibleFolder\20101022174131_tianxiaer101029bkqipao15s.swf
f:\favoritevideo\InvisibleFolder\20101025123330_beidaqingniao101025zanting15s.swf.tpp
f:\favoritevideo\InvisibleFolder\20101025162303_xiaochunzaixian101025zhu15sa.swf
f:\favoritevideo\InvisibleFolder\20101025171151_shenhua101026zanting15s.swf
f:\favoritevideo\InvisibleFolder\20101027105535_lumi101027zhu15s.swf
f:\favoritevideo\InvisibleFolder\20101029175746_biyadi101029zhu15s.swf
f:\favoritevideo\InvisibleFolder\20101029180124_biyadi101029jiaobiao.swf
f:\favoritevideo\InvisibleFolder\20101029184755_changjiangqihao101029qipao15s.swf
f:\favoritevideo\InvisibleFolder\HTTP_ASF_SOURCE.ax
f:\favoritevideo\InvisibleFolder\pplss2.swf
f:\favoritevideo\InvisibleFolder\ppp.dll
f:\favoritevideo\InvisibleFolder\pptvsetup_2.6.1.0008_s.exe
F:\install.exe
f:\program files (x86)\Search Results Toolbar
f:\program files (x86)\Search Results Toolbar\Datamngr\datamngr.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe
f:\program files (x86)\Search Results Toolbar\Datamngr\DnsBHO.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\chrome.manifest
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\chrome.manifest.alt
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlp.xpt
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF10.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF11.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF12.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF13.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF14.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF15.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF16.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF17.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF3.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF4.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF5.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF6.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF7.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF8.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF9.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\DataMngr.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\DnsBHO.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\Error404BHO.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\NewTabBHO.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\overlay.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\overlay.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\RelatedSearch.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\RequestPreserver.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\SearchBHO.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\SettingManager.js
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\Settings.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\content\Settings.xml.alt
f:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension\install.rdf
f:\program files (x86)\Search Results Toolbar\Datamngr\IEBHO.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\installhelper.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\as_guid.dat
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\custom.js
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\about.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\custom.js
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxpanel.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxpaneltransparent.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxpanelwin.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxprefwin.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxtransparentwin.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\dtxwin.xul
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\emailnotifierproviders.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\external.js
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\neterror.xhtml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\rsspreview.html
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\rsswin.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\rsswin.xsl
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\lib\wmpstreamer.html
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\modules\datastore.jsm
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\modules\nsDragAndDrop.js
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\neterror.xhtml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\preferences.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\content\template.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\settings.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\settings_stb_19x.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\settings_stb_19x_over.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-bluelite.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-bluesky.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-grey.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-lichen.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-orange.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin-yellow.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\skin.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\sv.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\throbber.gif
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\toolbarsplitter.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\TRUSTe_about.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\tv.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\twitter.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\veoh.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\video.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\vimeo.gif
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\vmn.css
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\web.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\websearch.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\yellow.gif
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\chrome\skin\youtube.png
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\components\windowmediator.js
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\dtUser.exe
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\install.ico
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\manifest.xml
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultstb.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\uninstall.exe
f:\program files (x86)\Search Results Toolbar\Datamngr\x64\BrowserConnection.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\x64\datamngr.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\x64\DnsBHO.dll
f:\program files (x86)\Search Results Toolbar\Datamngr\x64\IEBHO.dll
f:\program files (x86)\Search Results Toolbar\sysid.ini
f:\program files (x86)\Search Results Toolbar\uninstall.exe
f:\programdata\Download and Sa\50934a49057df.ocx
f:\programdata\Download and Sa\50934a4905818.html
f:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_kernel.mbam
f:\users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\services.exe_user.mbam
f:\users\Gilles\AppData\Local\Babylon
f:\users\Gilles\AppData\Local\Babylon\Setup\bab033.tbinst.dat
f:\users\Gilles\AppData\Local\Babylon\Setup\bab091.norecovericon.dat
f:\users\Gilles\AppData\Local\Babylon\Setup\Babylon.dat
f:\users\Gilles\AppData\Local\Babylon\Setup\BExternal.dll
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\cmbx.png
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\common.js
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\eula.html
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\lngs.png
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page1.css
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page1.html
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page1.js
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page1Lrg.css
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page2.css
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page2.html
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page2.js
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page2Lrg.css
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\page9.html
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\pBar.gif
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\title1.png
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\title2.png
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\toolBar.jpg
f:\users\Gilles\AppData\Local\Babylon\Setup\HtmlScreens\vIcn.png
f:\users\Gilles\AppData\Local\Babylon\Setup\IECookieLow.dll
f:\users\Gilles\AppData\Local\Babylon\Setup\Setup-tbmntr903-9.0.3.35.zpb
f:\users\Gilles\AppData\Local\Babylon\Setup\Setup.exe
f:\users\Gilles\AppData\Local\Babylon\Setup\SetupStrings.dat
f:\users\Gilles\AppData\Local\Babylon\Setup\sqlite3.dll
f:\users\Gilles\AppData\Local\Torch\User Data\Default\Extensions\gopipkjpjkchkglpjfaolcalajkiknmh\7.1_0\50934a49055ad1351830089.js
f:\users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\uy6h390c.default\extensions\[email protected]\content\bg.js
f:\users\Gilles\Downloads\setup.exe
f:\users\Gilles\Videos\external.php
f:\users\Gilles\Videos\iLividSetup.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-17 to 2013-05-17 )))))))))))))))))))))))))))))))
.
.
2013-05-17 00:30 . 2013-05-17 00:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-16 10:03 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-16 10:03 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-16 10:03 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-16 06:04 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 06:04 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 06:04 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-16 06:04 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-05-16 06:04 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-16 06:04 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-16 06:03 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-16 06:03 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-16 06:03 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-16 06:03 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-16 06:03 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-16 06:03 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-14 04:13 . 2013-05-14 04:13 -------- d-----w- c:\program files (x86)\ESET
2013-05-14 03:49 . 2013-05-14 03:49 99 ----a-w- c:\windows\DeleteOnReboot.bat
2013-05-13 23:23 . 2013-05-13 23:23 -------- d-----w- C:\SearchProtect
2013-05-11 06:02 . 2013-05-11 06:02 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2013-05-11 06:01 . 2013-05-11 06:01 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2013-05-11 06:01 . 2013-05-11 06:01 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2013-05-08 01:49 . 2013-05-08 01:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2013-05-06 18:18 . 2013-05-06 18:18 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-05 21:50 . 2013-05-06 06:13 -------- d-----w- c:\users\Gilles\AppData\Local\NPE
2013-05-05 21:50 . 2013-05-05 21:50 -------- d-----w- c:\programdata\Norton
2013-05-05 20:13 . 2013-05-05 21:01 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2013-05-05 20:04 . 2013-05-05 20:05 -------- d-----w- c:\users\Gilles\AppData\Roaming\vlc
2013-05-05 20:04 . 2013-05-05 20:04 -------- d-----w- c:\program files (x86)\VideoLAN
2013-05-05 19:56 . 2013-05-05 19:56 225280 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-05-05 19:56 . 2013-05-05 19:59 -------- d-----w- c:\program files (x86)\x264 Video Codec
2013-04-23 19:15 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-21 22:38 . 2013-04-21 22:38 -------- d-----w- c:\users\Gilles\AppData\Roaming\CyberLink
2013-04-21 22:38 . 2013-04-21 22:38 -------- d-----w- c:\programdata\CyberLink
2013-04-20 03:04 . 2013-04-20 03:04 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-04-20 03:04 . 2013-04-20 03:04 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 00:15 . 2013-02-09 06:36 25640 ----a-w- c:\windows\gdrv.sys
2013-05-16 10:11 . 2013-02-09 05:38 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-15 06:13 . 2013-02-11 08:17 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 06:13 . 2013-02-11 08:17 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-13 05:49 . 2013-05-16 06:04 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 06:04 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 06:04 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 06:04 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 06:04 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 06:04 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-11 14:22 . 2011-06-11 08:58 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
2013-04-11 14:22 . 2011-06-11 08:58 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2013-04-04 21:50 . 2013-03-03 07:55 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 12:35 . 2013-03-09 09:17 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-19 06:04 . 2013-04-09 23:30 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-09 23:30 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-09 23:30 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-09 23:30 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-09 23:30 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-09 23:30 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-19 00:11 . 2013-03-19 00:11 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2013-03-19 00:11 . 2013-03-19 00:11 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-03-19 00:11 . 2013-03-19 00:11 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-03-19 00:11 . 2013-03-19 00:11 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2013-03-09 09:17 . 2013-02-27 00:42 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-09 09:17 . 2013-02-27 00:42 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-24 03:44 . 2013-02-24 03:35 34288 ----a-w- c:\windows\system32\drivers\GearAspiWDM.sys
2013-02-24 03:44 . 2013-02-24 03:35 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2013-02-24 03:44 . 2013-02-24 03:35 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"Symantec Backup Exec System Recovery 2010"="c:\program files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe" [2012-06-30 2602384]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GBTUpd"="c:\program files (x86)\Gigabyte\GBTUpd\PreRun.exe" [2008-04-03 297480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R3 AODDriver;AODDriver;c:\program files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2013-03-09 57952]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2013-02-09 25640]
R3 GenericMount Helper Service;GenericMount Helper Service;c:\program files (x86)\Symantec\Backup Exec System Recovery\Shared\Drivers\GenericMountHelperx64.exe [2012-06-30 2224152]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2013-02-09 30528]
R3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2009-07-14 9728]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-09 1255736]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-15 759048]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-11-16 238080]
S2 Backup Exec System Recovery;Backup Exec System Recovery;c:\program files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe [2012-06-30 4604808]
S2 DES2 Service;DES2 Service for Energy Saving.;c:\program files (x86)\Gigabyte\EnergySaver2\des2svr.exe [2009-06-18 68136]
S2 FileOpenManagerService;FileOpen Manager Service;c:\program files\FileOpen\Services\FileOpenManagerService64.exe [2012-11-08 335288]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-03-20 186200]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files (x86)\Fighters\SPAMfighter\sfus.exe [2013-01-16 216608]
S2 Suite Service;Suite Service;c:\program files (x86)\Fighters\FighterSuiteService.exe [2012-11-12 1270376]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-01-08 138912]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys [2012-06-30 66608]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-18 56344]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-12-27 805088]
S3 SymSnapService;SymSnapService;c:\program files (x86)\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapServicex64.exe [2012-06-30 2969600]
S3 VST64_DPV;VST64_DPV;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 VST64HWBS2;VST64HWBS2;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-11 06:13]
.
.
--------- X64 Entries -----------
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Read EXIF - c:\program files (x86)\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htm
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Gilles\AppData\Roaming\Mozilla\Firefox\Profiles\ds6n25zq.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/
FF - ExtSQL: !HIDDEN! 2013-02-08 23:23; [email protected]; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-SearchProtect - \SearchProtect\bin\cltmng.exe
SafeBoot-Symantec Antvirus
ShellIconOverlayIdentifiers-{1EC23CFF-4C58-458f-924C-8519AEF61B32} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-16 17:31:33
ComboFix-quarantined-files.txt 2013-05-17 00:31
.
Pre-Run: 1,826,847,657,984 bytes free
Post-Run: 1,826,681,626,624 bytes free
.
- - End Of File - - 279B6E5B1D228752C031C21E012911DD
topogijo is offline  
Old 05-18-2013, 08:13 AM   #17
Security Team
Analyst
 
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1



Fine - your system is all clean now!



Combofix uninstall

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall



adwCleaner uninstall

Launch adwcleaner.exe and hit delete - answer the question with yes.



Recommendations
Below are some recommendations to lower your chances of (re)infection.

  1. Install and maintain an outbound firewall
  2. Install SpywareBlaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
TB-PsYcHoTiC is offline  
Old 05-20-2013, 11:14 PM   #18
Registered Member
 
Join Date: Dec 2007
Posts: 13
OS: xp sp2



Thank you for all your help. Everything appears to be working well, and I will download those things to help keep my machine clean.
topogijo is offline  
Old 05-20-2013, 11:25 PM   #19
Security Team
Analyst
 
Join Date: Nov 2011
Posts: 754
OS: Win7 SP 1



You're welcome!
TB-PsYcHoTiC is offline  
 
