Need help removing ICE virus
bferris (post 192587) said:

I did not get further than scanning the computer and finding the txt file. Here is what came up.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-05-2014 02
Ran by SYSTEM on REATOGO on 07-05-2014 12:39:42
Running from H:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [LXCTCATS] => C:\Windows\system32\spool\DRIVERS\x64\3\LXCTtime.dll [31744 2006-11-21] (Lexmark International Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-04-08] (Hewlett-Packard)
HKU\Brian\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe [247968 2012-01-02] (Adobe Systems, Inc.)
HKU\Default\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default\...\Run: [HPADVISOR] => [X]
HKU\Default User\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\Run: [HPADVISOR] => [X]
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfeolfh9.lnk
ShortcutTarget: lfeolfh9.lnk -> C:\ProgramData\2992199F9A\9hfloefl.cpp (Microsoft Corporation)

========================== Services (Whitelisted) =================

S4 AgereModemAudio; C:\Program Files\LSI SoftModem\agr64svc.exe [16896 2009-03-27] (LSI Corporation)
S2 Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [57008 2012-12-21] (Apple Inc.)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-06-10] (Microsoft Corporation)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2010-04-14] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2010-04-14] (Google Inc.)
S2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company)
S3 hpqwmiex; C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe [1129760 2013-05-14] (Hewlett-Packard Company)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856384 2009-06-10] (Microsoft Corporation)
S2 lxct_device; C:\Windows\system32\lxctcoms.exe [566192 2006-11-22] ( )
S3 Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [64856 2009-02-26] (Microsoft Corporation)
S2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-21] (Symantec Corporation)
S2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.0.43\NST.exe [130104 2014-03-11] (Symantec Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe [116560 2009-06-10] (Microsoft Corporation)
S3 odserv; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [440696 2011-07-20] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\2992199F9A\lfeolfh9.faa [332020 2014-04-16] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1208320 2009-07-09] (LSI Corporation)
S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\BASHDefs\20131022.001\BHDrvx64.sys [1524824 2013-10-22] (Symantec Corporation)
S1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
S1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE07000.02B\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-09-04] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-09-04] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\IPSDefs\20131025.002\IDSvia64.sys [521816 2013-10-29] (Symantec Corporation)
S3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [6112672 2009-06-16] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\VirusDefs\20131028.038\ENG64.SYS [126040 2013-09-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\VirusDefs\20131028.038\EX64.SYS [2099288 2013-09-04] (Symantec Corporation)
S3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [233472 2009-07-13] (Realtek )
S3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1404000.028\SRTSP64.SYS [796760 2013-05-16] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NAVx64\1404000.028\SYMDS64.SYS [493656 2013-05-21] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NAVx64\1404000.028\SYMEFA64.SYS [1139800 2013-05-23] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-06-17] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NAVx64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.)
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-06 16:58 - 2014-05-06 18:27 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-05-06 20:13 - 2009-11-01 23:32 - 00196608 _____ () C:\Windows\System32\Ikeext.etl
2014-05-06 20:11 - 2009-12-14 23:35 - 00000000 ____D () C:\Program Files\Lx_cats
2014-05-06 20:10 - 2014-01-28 19:53 - 00001671 _____ () C:\Windows\setupact.log
2014-05-06 18:27 - 2014-05-06 16:58 - 00000000 ____D () C:\FRST
2014-05-06 16:58 - 2009-11-01 22:11 - 00000000 ____D () C:\users\Brian
2014-05-01 23:11 - 2009-09-25 19:21 - 01747087 _____ () C:\Windows\WindowsUpdate.log
2014-05-01 23:11 - 2009-07-14 00:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-01 23:11 - 2009-07-14 00:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-16 16:26 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\tracing
2014-04-12 17:45 - 2009-11-16 15:08 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-04-12 17:44 - 2011-10-29 14:28 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-04-10 06:02 - 2013-08-15 06:03 - 00000000 ____D () C:\Windows\System32\MRT
2014-04-10 06:01 - 2010-03-03 15:22 - 90655440 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-04-07 12:02 - 2009-07-14 01:13 - 00697222 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-07 11:56 - 2012-06-04 20:51 - 00278276 _____ () C:\Windows\PFRO.log
2014-04-07 11:56 - 2012-05-12 06:02 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

Some content of TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Brian\AppData\Local\Temp\nftn.dll
C:\Users\Brian\AppData\Local\Temp\sp64126.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2011-04-27 21:58] - [2011-02-26 02:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93

C:\Windows\System32\winlogon.exe
[2010-01-27 12:20] - [2009-10-28 02:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A

C:\Windows\System32\wininit.exe
[2009-07-13 19:52] - [2009-07-13 21:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\System32\svchost.exe
[2009-07-13 19:31] - [2009-07-13 21:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\System32\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\User32.dll
[2009-07-13 19:38] - [2009-07-13 21:41] - 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

C:\Windows\System32\userinit.exe
[2009-07-13 19:50] - [2009-07-13 21:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE

C:\Windows\System32\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 12:16] - [2012-09-06 13:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2014-03-04 06:39:33
Restore point made on: 2014-03-11 05:39:40
Restore point made on: 2014-03-13 06:00:21
Restore point made on: 2014-03-18 05:39:09
Restore point made on: 2014-03-19 06:00:26
Restore point made on: 2014-03-25 05:39:37
Restore point made on: 2014-04-01 05:39:44
Restore point made on: 2014-04-08 07:56:41
Restore point made on: 2014-04-10 06:00:21
Restore point made on: 2014-04-15 03:40:14

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 3061.11 MB
Available physical RAM: 2728.66 MB
Total Pagefile: 2885.8 MB
Available Pagefile: 2810.15 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.45 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (HP) (Fixed) (Total:286.17 GB) (Free:198.66 GB) NTFS
Drive g: (FACTORY_IMAGE) (Fixed) (Total:11.83 GB) (Free:2.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: (GS Drive) (Removable) (Total:7.45 GB) (Free:1.89 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 1549F232)
Partition 1: (Not Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=286 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=1360 KB) - (Type=17) ATTENTION ===> Suspicious partition bootkit on partition 3
Partition 4: (Not Active) - (Size=12 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0C)


LastRegBack: 2014-04-09 03:50

==================== End Of Log ============================