Thank you for taking the time to view the following logs.
This laptop isn't used much but is updated and scanned for viruses and malware regularly. While my brother was here recovering from knee surgery he used the laptop frequently. While I was using it recently I noticed a considerable difference in the performance.
Some of the most annoying symptoms: terrible redirects, mouse movement / clicks are not normal, the system runs very slowly after being on for some time.
I have been poking around trying to figure out what happened and noticed that Norton had quarantined the Coupon Companion Plug-in on Jan 4 and again on Jan 7... he was trying to download the "Easy Tag" program for his music files. I am still puzzled as to why he would have ignored the warnings that Norton gave him... but it is done.
If Norton had quarantined it I don't know how this thing has taken over the system...
While running GMER a message appeared asking to "Help us improve by Reporting". I did click OK to the following message:
Error Details: mod_Registery_IniGetStrings (s File=System.ini, sSection=Boot, sValue=Shell
Error #5 invalid procedure call or argument
A log was produced and is following. I hope it is correct...
Thanks so very much for any assistance in assessing this system for me!!!
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 32 bit
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz, x64 Family 6 Model 15 Stepping 13
Processor Count: 2
RAM: 2939 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 1341 Mb
Hard Drives: C: Total - 60954 MB, Free - 40367 MB;
Motherboard: TOSHIBA, Portable PC
Antivirus: Norton 360 Premier Edition, Updated and Enabled
HijackThis Log File:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:38:59 PM, on 2/15/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe
C:\Users\S&M Productions\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKCU\..\Run: [RockMelt Update] "C:\Users\S&M Productions\AppData\Local\RockMelt\Update\RockMeltUpdate.exe" /c
O4 - HKCU\..\Run: [Spybot-S&D Cleaning] "C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\ccSvcHst.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
--
End of file - 6709 bytes
Ark.txt log:
Thank you!
GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-02-15 19:00:22
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000006b ATA_____ rev.040H 59.63GB
Running: user70s.exe; Driver: C:\Users\S&MPRO~1\AppData\Local\Temp\pfdiakod.sys
---- System - GMER 2.1 ----
SSDT 87AD6B88 ZwAlertResumeThread
SSDT 88144448 ZwAlertThread
SSDT 87AB4840 ZwAllocateVirtualMemory
SSDT 87A422F0 ZwAlpcConnectPort
SSDT 87AB3CE8 ZwAssignProcessToJobObject
SSDT 87AD66F0 ZwCreateMutant
SSDT 857BAF60 ZwCreateSymbolicLinkObject
SSDT 87AAD238 ZwCreateThread
SSDT 87AAEF70 ZwCreateThreadEx
SSDT 87AB3FD0 ZwDebugActiveProcess
SSDT 87AB4210 ZwDuplicateObject
SSDT 87AB45F8 ZwFreeVirtualMemory
SSDT 87AD69E8 ZwImpersonateAnonymousToken
SSDT 87AD6AC8 ZwImpersonateThread
SSDT 87A4C0F0 ZwLoadDriver
SSDT 87AB44F8 ZwMapViewOfSection
SSDT 87AD6610 ZwOpenEvent
SSDT 87AAEE00 ZwOpenProcess
SSDT 87AB4930 ZwOpenProcessToken
SSDT 87AD6248 ZwOpenSection
SSDT 87AB42E0 ZwOpenThread
SSDT 856D9258 ZwProtectVirtualMemory
SSDT 88144528 ZwResumeThread
SSDT 88144988 ZwSetContextThread
SSDT 88144A68 ZwSetInformationProcess
SSDT 87AD6100 ZwSetSystemInformation
SSDT 87AD6530 ZwSuspendProcess
SSDT 881447C8 ZwSuspendThread
SSDT 87AAE998 ZwTerminateProcess
SSDT 881448A8 ZwTerminateThread
SSDT 88144B38 ZwUnmapViewOfSection
SSDT 87AB46E8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8288A9E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828C41C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 828CB1F0 8 Bytes [88, 6B, AD, 87, 48, 44, 14, ...] {MOV [EBX-0x53], CH; XCHG [EAX+0x44], ECX; ADC AL, 0x88}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 828CB208 4 Bytes [40, 48, AB, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 828CB214 4 Bytes [F0, 22, A4, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 828CB268 4 Bytes [E8, 3C, AB, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 828CB2E4 4 Bytes [F0, 66, AD, 87]
.text ...
PAGE peauth.sys 98B5DB9B 72 Bytes [8E, F3, 59, E8, 25, 7E, A4, ...]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1476] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1476] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00100930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] ntdll.dll!NtTerminateThread 770E68D8 3 Bytes JMP 000F004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] ntdll.dll!NtTerminateThread + 4 770E68DC 1 Byte [89]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00110930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1596] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0020004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1596] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00220930
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1620] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1620] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001E0930
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[1728] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[1728] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 003A0AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1880] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1880] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 002B0AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2024] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2024] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 000F0930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2276] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0012004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2276] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00B40930
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[2384] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[2384] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00210AF4
.text C:\Program Files\Winamp\winampa.exe[3692] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0022004C
.text C:\Program Files\Winamp\winampa.exe[3692] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00240930
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3700] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3700] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001F0930
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3976] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0033004C
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3976] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00350930
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4048] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4048] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00200AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe[4208] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe[4208] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00250AF4
.text C:\Users\S&M Productions\Desktop\user70s.exe[4800] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Users\S&M Productions\Desktop\user70s.exe[4800] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001F0930
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- EOF - GMER 2.1 ----
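A note for anyone triaging logs like the ones above, added here as an example and not part of the original posts: the SSDT entries and the per-process JMP hooks in the GMER output are on the process, thread and memory syscalls that host security products (three are installed here) hook for self-protection, and GMER does not attribute them to a module, so they are not by themselves evidence of a rootkit. The HijackThis entries are the more useful place to start. The Python below is an added, illustrative triage pass over HJT v2 entry lines; it is not HijackThis code or anything posted in the thread. Its sample input is constructed: a few lines copied from the HJT log above plus one hypothetical O4 entry (`xk3j2.exe` in %TEMP%) to show what a hit looks like. The rules flag a non-default IE start/search page (the ask.com entry), autoruns or loaded components under user-writable directories, random-looking autorun names, and O16 DPF downloads. Per-user installers such as RockMelt also live under AppData\Local, so a flag means "look closer", not "malware".

```python
"""Heuristic triage of HijackThis (HJT) v2 log entry lines.

Added example for this thread; not part of the original post or of HijackThis.
A flagged line means 'inspect this', never a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the posted HJT log, plus one
# hypothetical O4 entry (xk3j2.exe in %TEMP%) to exercise the rules.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [RockMelt Update] "C:\Users\S&M Productions\AppData\Local\RockMelt\Update\RockMeltUpdate.exe" /c
O4 - HKCU\..\Run: [xk3j2] C:\Users\S&M Productions\AppData\Local\Temp\xk3j2.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\ccSvcHst.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# A quoted or unquoted Windows path ending in a loadable-module extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cab))"?', re.IGNORECASE)
URL_RE = re.compile(r"(https?://\S+)", re.IGNORECASE)

# Stock IE start/search pages redirect through go.microsoft.com.
DEFAULT_URL_HOSTS = {"go.microsoft.com"}
# Directories a machine-wide installer does not normally use for persistence
# (per-user browsers such as RockMelt/Chrome do use AppData\Local, hence 'look closer').
USER_WRITABLE = (r"\appdata\local\temp", r"\windows\temp", r"\appdata\roaming",
                 r"\appdata\local", r"\programdata", r"\users\public")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse(log_text):
    """Yield (section, body, raw_line) for each HJT entry; header lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def triage(log_text):
    """Return a Finding for every entry line that trips at least one heuristic."""
    findings = []
    for sec, body, raw in parse(log_text):
        reasons = []
        lower = body.lower()
        if sec in ("R0", "R1", "R3"):
            for url in URL_RE.findall(body):
                host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
                if host not in DEFAULT_URL_HOSTS:
                    reasons.append(f"non-default IE start/search URL: {host}")
        if sec == "O4":
            if any(d in lower for d in USER_WRITABLE):
                reasons.append("autorun from user-writable directory")
            # Short alphanumeric name containing digits is a weak 'random name' signal.
            name = re.search(r"\[([^\]]+)\]", body)
            if name and re.fullmatch(r"[a-z0-9]{4,8}", name.group(1), re.I) \
                    and re.search(r"\d", name.group(1)):
                reasons.append(f"random-looking autorun name {name.group(1)!r}")
        if sec == "O16":
            reasons.append("ActiveX download (DPF) entry; confirm the source is expected")
        if sec in ("O2", "O3", "O23"):
            p = PATH_RE.search(body)
            if p and any(d in p.group(1).lower() for d in USER_WRITABLE):
                reasons.append(f"{sec} component loads from user-writable path")
        if reasons:
            findings.append(Finding(sec, raw, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons))
        print("   ", f.line)
```

To run it over a real log, pass the file's contents to `triage()`; on the constructed sample it reports the ask.com start page, both HKCU autoruns under AppData\Local (the hypothetical one also for its random-looking name), and the ESET DPF entry, while the Program Files entries pass silently.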
Ugh, sorry about that log file duplicate...
This laptop isn't used much but is updated / scanned for virus and malware regularly. While my brother was here recovering from knee surgery he used the laptop frequently. While I was using it recently I noticed a considerable difference in the performance.
Some most annoying symptoms: Terrible redirects, mouse movement / clicks are not normal, system runs very slowly after being on for sometime.
I have been poking around trying to figure out what happend and noticed that Norton had Quarantined the Coupon Companion Plug_in on Jan 4 and again on Jan 7...he was trying to download the "Easy Tag" program for his music files. I am still puzzled as to why he would have ignored the warnings that Norton gave him...but it is done.
If Norton had quarantined it I don't know how this thing has taken over the system...
While running the Gmer a message appeared asking to "Help us improve by Reporting". I did click ok to the following message:
Error Details: mod_Registery_IniGetStrings (s File=System.ini, sSection=Boot, sValue=Shell
Error #5 invalid procedure call or argument
A log was produced and is following. I hope it is correct...
Thanks so very much for any assistance in assessing this system for me!!!
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 32 bit
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz, x64 Family 6 Model 15 Stepping 13
Processor Count: 2
RAM: 2939 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 1341 Mb
Hard Drives: C: Total - 60954 MB, Free - 40367 MB;
Motherboard: TOSHIBA, Portable PC
Antivirus: Norton 360 Premier Edition, Updated and Enabled
HijackThis Log File:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:38:59 PM, on 2/15/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe
C:\Users\S&M Productions\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKCU\..\Run: [RockMelt Update] "C:\Users\S&M Productions\AppData\Local\RockMelt\Update\RockMeltUpdate.exe" /c
O4 - HKCU\..\Run: [Spybot-S&D Cleaning] "C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\20.2.1.22\ccSvcHst.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
--
End of file - 6709 bytes
Ark.txt log:
Thank you!
GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-02-15 19:00:22
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000006b ATA_____ rev.040H 59.63GB
Running: user70s.exe; Driver: C:\Users\S&MPRO~1\AppData\Local\Temp\pfdiakod.sys
---- System - GMER 2.1 ----
SSDT 87AD6B88 ZwAlertResumeThread
SSDT 88144448 ZwAlertThread
SSDT 87AB4840 ZwAllocateVirtualMemory
SSDT 87A422F0 ZwAlpcConnectPort
SSDT 87AB3CE8 ZwAssignProcessToJobObject
SSDT 87AD66F0 ZwCreateMutant
SSDT 857BAF60 ZwCreateSymbolicLinkObject
SSDT 87AAD238 ZwCreateThread
SSDT 87AAEF70 ZwCreateThreadEx
SSDT 87AB3FD0 ZwDebugActiveProcess
SSDT 87AB4210 ZwDuplicateObject
SSDT 87AB45F8 ZwFreeVirtualMemory
SSDT 87AD69E8 ZwImpersonateAnonymousToken
SSDT 87AD6AC8 ZwImpersonateThread
SSDT 87A4C0F0 ZwLoadDriver
SSDT 87AB44F8 ZwMapViewOfSection
SSDT 87AD6610 ZwOpenEvent
SSDT 87AAEE00 ZwOpenProcess
SSDT 87AB4930 ZwOpenProcessToken
SSDT 87AD6248 ZwOpenSection
SSDT 87AB42E0 ZwOpenThread
SSDT 856D9258 ZwProtectVirtualMemory
SSDT 88144528 ZwResumeThread
SSDT 88144988 ZwSetContextThread
SSDT 88144A68 ZwSetInformationProcess
SSDT 87AD6100 ZwSetSystemInformation
SSDT 87AD6530 ZwSuspendProcess
SSDT 881447C8 ZwSuspendThread
SSDT 87AAE998 ZwTerminateProcess
SSDT 881448A8 ZwTerminateThread
SSDT 88144B38 ZwUnmapViewOfSection
SSDT 87AB46E8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8288A9E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828C41C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 828CB1F0 8 Bytes [88, 6B, AD, 87, 48, 44, 14, ...] {MOV [EBX-0x53], CH; XCHG [EAX+0x44], ECX; ADC AL, 0x88}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 828CB208 4 Bytes [40, 48, AB, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 828CB214 4 Bytes [F0, 22, A4, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 828CB268 4 Bytes [E8, 3C, AB, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 828CB2E4 4 Bytes [F0, 66, AD, 87]
.text ...
PAGE peauth.sys 98B5DB9B 72 Bytes [8E, F3, 59, E8, 25, 7E, A4, ...]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1476] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1476] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00100930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] ntdll.dll!NtTerminateThread 770E68D8 3 Bytes JMP 000F004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] ntdll.dll!NtTerminateThread + 4 770E68DC 1 Byte [89]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1560] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00110930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1596] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0020004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1596] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00220930
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1620] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1620] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001E0930
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[1728] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[1728] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 003A0AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1880] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1880] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 002B0AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2024] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2024] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 000F0930
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2276] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0012004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2276] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00B40930
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[2384] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[2384] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00210AF4
.text C:\Program Files\Winamp\winampa.exe[3692] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0022004C
.text C:\Program Files\Winamp\winampa.exe[3692] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00240930
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3700] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3700] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001F0930
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3976] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0033004C
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3976] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00350930
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4048] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4048] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00200AF4
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe[4208] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe[4208] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 00250AF4
.text C:\Users\S&M Productions\Desktop\user70s.exe[4800] ntdll.dll!NtTerminateThread 770E68D8 5 Bytes JMP 0002004C
.text C:\Users\S&M Productions\Desktop\user70s.exe[4800] USER32.dll!RecordShutdownReason + 372 75E906C2 7 Bytes JMP 001F0930
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- EOF - GMER 2.1 ----
Ugh, sorry about that log file duplicate...