[Not curable-Virut] Virus Infection

Inactive
By AlbionPT
Jun 25, 2013
  1. Greetings!

    One of my work colleagues asked me if I could take a look at her 3 'broken' computers. As I know a thing or two about PCs, I quickly figured out that all 3 had issues with viruses & malware.
    So I fixed one of those and I'm currently stuck with computer "B".

    I ran Malwarebytes, which discovered and deleted a few infections (Brontok, Virtus, etc.), but then I noticed that it was still infecting my pens.

    Anti-Virus:
    - The computer has NO anti-virus protection. I installed Avast 7 (apparently Avast 8 does not work properly on this computer), which discovered a TON of files infected with Virtus (?). Repair does not work, and Quarantine makes Windows 7 unbootable (I have to restore to a previous date to be able to use Windows again).

    I don't have access to a Win7 CD, so formatting is not a solution here for now.

    Here go the current logs. Thanks in advance!
    ---------------------------------------------------------------------------------------------------------------------------
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.06.17.04

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    rui :: RUI-PC [administrator]

    03-08-2012 23:34:48
    mbam-log-2012-08-03 (23-34-48).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 191390
    Time elapsed: 7 minute(s), 34 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  2. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15-12-2013 17:13:00
    System Uptime: 03-08-2012 23:31:30 (0 hours ago)
    .
    Motherboard: | | 775VM800
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPUSocket | 3199/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 77 GiB total, 60,633 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP3: 08-04-2013 18:45:11 - Installed QuickTime
    RP4: 12-04-2013 15:41:48 - Windows Update
    RP5: 18-09-2013 15:01:17 - Windows Update
    RP6: 18-09-2013 15:50:12 - Windows Update
    RP7: 18-09-2013 15:50:43 - avast! Free Antivirus Instalação
    RP8: 22-09-2013 20:28:41 - avast! Free Antivirus Instalação
    RP9: 22-09-2013 22:03:30 - avast! Free Antivirus Instalação
    .
    ==== Installed Programs ======================
    .
    Actualização para Microsoft Outlook Social Connector (KB2289116)
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader XI - Português
    Adobe Shockwave Player 11.6
    Apple Software Update
    avast! Free Antivirus
    C-Media WDM Audio Driver
    Definition update for Microsoft Office 2010 (KB982726)
    Java 7 Update 10
    Java Auto Updater
    K-Lite Codec Pack 9.6.0 (Full)
    Malwarebytes Anti-Malware versão 1.75.0.1300
    Microsoft Office Access MUI (Portuguese (Portugal)) 2010
    Microsoft Office Casa e Negócios 2010
    Microsoft Office Excel MUI (Portuguese (Portugal)) 2010
    Microsoft Office OneNote MUI (Portuguese (Portugal)) 2010
    Microsoft Office Outlook MUI (Portuguese (Portugal)) 2010
    Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Portuguese (Portugal)) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (Portuguese (Portugal)) 2010
    Microsoft Office Publisher MUI (Portuguese (Portugal)) 2010
    Microsoft Office Shared MUI (Portuguese (Portugal)) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (Portuguese (Portugal)) 2010
    Microsoft Outlook Social Connector (KB2289116) 的更新
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 6.0 (x86 pt-PT)
    Nero Burning ROM
    Nero Burning ROM Help (CHM)
    Nero BurningROM 12
    Nero ControlCenter
    Nero ControlCenter Help (CHM)
    Nero Core Components
    Nero SharedVideoCodecs
    Nero Update
    Prerequisite installer
    QuickTime
    Realtek AC'97 Audio
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    SUPERAntiSpyware
    Suporte para Aplicações Apple
    swMSM
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft OneNote 2010 (KB2433299)
    .
    ==== End Of File ===========================
  3. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.10.2
    Run by rui at 23:47:00 on 2012-08-03
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.351.2070.18.1215.827 [GMT 1:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\srvany.exe
    C:\Windows\KMService.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Nero\Update\NASvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:0
    mPolicies-System: EnableInstallerDetection = dword:0
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&nviar para o OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    TCP: NameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{1EA7894E-0F53-4542-9D2D-C03242195ACD} : DHCPNameServer = 192.168.1.254 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SSODL: WebCheck - <orphaned>
    STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\rui\appdata\roaming\mozilla\firefox\profiles\ymy4zoe6.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-9-22 49376]
    R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-9-22 174664]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
    R2 KMService;KMService;c:\windows\system32\srvany.exe [2012-12-14 35840]
    R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2012-7-13 769432]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-12 62464]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-7-15 77184]
    S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-12 25600]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
    S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-12 112640]
    S3 WatAdminSvc;Serviço de Tecnologias de Activação do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-14 1343400]
    .
    =============== Created Last 30 ================
    .
    2013-12-15 17:46:19  --------  d-----w-  c:\users\rui\appdata\local\Microsoft Games
    2013-12-15 17:12:31  --------  d-sh--we  c:\programdata\Modelos
    2013-12-15 17:12:31  --------  d-sh--we  c:\programdata\Menu Iniciar
    2013-12-15 17:12:31  --------  d-sh--we  c:\programdata\Favoritos
    2013-12-15 17:12:31  --------  d-sh--we  c:\programdata\Documentos
    2013-12-15 17:12:31  --------  d-sh--we  c:\programdata\Ambiente de trabalho
    2013-12-15 17:12:31  --------  d-sh--we  C:\Programas
    2013-12-15 17:12:31  --------  d-sh--we  c:\program files\Ficheiros comuns
    2013-12-15 17:12:31  --------  d-sh--we  c:\program files\common files\Sistema
    2013-12-15 17:12:31  --------  d-sh--w-  C:\Recovery
    2013-09-22 19:34:45  174664  ----a-w-  c:\windows\system32\drivers\aswVmm.sys
    2013-09-22 19:34:44  49376  ----a-w-  c:\windows\system32\drivers\aswRvrt.sys
    2013-09-22 19:30:29  41664  ----a-w-  c:\windows\avastSS.scr
    2013-09-22 18:20:37  --------  d-----w-  c:\users\rui\appdata\roaming\Malwarebytes
    2013-09-22 18:20:30  --------  d-----w-  c:\programdata\Malwarebytes
    2013-09-22 18:20:29  22856  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2013-09-22 18:20:29  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2013-09-22 18:20:16  --------  d-----w-  c:\users\rui\appdata\local\Programs
    2013-09-22 13:20:59  --------  d-----w-  c:\users\rui\appdata\roaming\SUPERAntiSpyware.com
    2013-09-22 13:20:15  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
    2013-09-22 13:20:15  --------  d-----w-  c:\program files\SUPERAntiSpyware
    2013-09-22 12:48:12  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-22
    2013-09-18 14:52:33  --------  d-----w-  c:\program files\AVAST Software
    2013-09-18 14:49:52  --------  d-----w-  c:\programdata\AVAST Software
    2013-09-18 14:42:56  12393  ----a-w-  c:\users\rui\appdata\local\Bron.tok.A12.em.bin
    2013-09-18 14:12:36  --------  d-----w-  c:\users\rui\appdata\local\Macromedia
    2013-09-18 14:08:16  --------  d-----w-  c:\windows\pss
    2013-09-18 13:50:31  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-18
    2013-06-09 13:42:36  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-9
    2013-04-17 13:02:07  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-17
    2013-04-12 15:10:03  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin7.dll
    2013-04-12 15:10:03  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin6.dll
    2013-04-12 15:10:03  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin5.dll
    2013-04-12 15:10:02  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin4.dll
    2013-04-12 15:10:02  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin3.dll
    2013-04-12 15:10:02  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin2.dll
    2013-04-12 15:10:02  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin.dll
    2013-04-12 14:39:57  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-12
    2013-04-10 12:33:43  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-10
    2013-04-08 17:46:18  --------  d-----w-  c:\users\rui\appdata\local\Loc.Mail.Bron.Tok
    2013-04-08 17:45:28  --------  d-----w-  c:\users\rui\appdata\local\Ok-SendMail-Bron-tok
    2013-04-08 17:44:28  --------  d-----w-  c:\users\rui\appdata\local\Apple
    2013-04-08 17:40:10  --------  d-----w-  c:\users\rui\appdata\local\Bron.tok-12-8
    2013-04-08 17:03:20  --------  d-----w-  c:\users\rui\appdata\local\ElevatedDiagnostics
    2013-04-06 10:58:48  --------  d-----w-  c:\users\rui\appdata\local\Microsoft Help
    2012-12-14 19:57:57  --------  d-----w-  c:\windows\system32\Wat
    2012-12-14 19:48:56  35840  ----a-w-  c:\windows\system32\srvany.exe
    2012-12-14 19:48:56  184108  ----a-w-  c:\windows\KMService.exe
    2012-12-14 19:39:31  --------  d-----w-  c:\windows\PCHEALTH
    2012-12-14 19:36:06  --------  d-----w-  c:\program files\Microsoft Analysis Services
    2012-12-14 19:11:43  --------  d-----w-  c:\program files\Nero
    2012-12-14 19:11:38  --------  d-----w-  c:\programdata\Nero
    2012-12-14 19:07:02  178688  ----a-w-  c:\windows\system32\unrar.dll
    2012-12-14 19:04:46  --------  d-sh--w-  c:\windows\Installer
    2012-12-14 18:08:31  --------  d-----w-  c:\windows\Panther
    2012-12-14 18:07:58  58880  ----a-r-  c:\windows\system32\CMDOW.EXE
    2012-12-14 18:07:58  351  ----a-r-  c:\windows\system32\final.vbs
    2012-12-14 18:07:58  1079  ----a-r-  c:\windows\system32\tweaks7.reg
    2012-12-14 18:07:58  107  ----a-r-  c:\windows\system32\final.bat
    2012-12-14 18:07:51  --------  d-----w-  C:\Systools
    .
    ==================== Find3M ====================
    .
    2012-12-14 19:58:09  13824  ----a-w-  c:\windows\system32\slwga.dll
    2012-12-14 19:58:08  409088  ----a-w-  c:\windows\system32\systemcpl.dll
    2012-12-14 19:58:05  811520  ----a-w-  c:\windows\system32\user32.dll
    2012-12-14 19:06:18  93640  ----a-w-  c:\windows\system32\WindowsAccessBridge.dll
    2012-12-14 19:06:18  859072  ----a-w-  c:\windows\system32\npDeployJava1.dll
    2012-12-14 19:06:18  779704  ----a-w-  c:\windows\system32\deployJava1.dll
    2012-12-14 19:06:11  73656  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-14 19:06:11  697272  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-12-14 19:00:09  917504  ----a-w-  c:\windows\system\cmids3d.dll
    2012-12-14 19:00:09  32768  ----a-w-  c:\windows\system32\udaprop.dll
    2012-12-14 19:00:09  28672  ----a-w-  c:\windows\system32\cmirmdrv.dll
    2012-12-14 19:00:09  262144  ----a-w-  c:\windows\system32\cmirmdrv.exe
    2012-12-14 19:00:09  172032  ----a-w-  c:\windows\system32\cmuda.dll
    2012-12-14 19:00:09  1486848  ----a-w-  c:\windows\system\SmWizard.exe
    2012-12-14 19:00:09  1372992  ----a-w-  c:\windows\system32\drivers\cmuda.sys
    2012-12-14 19:00:08  712704  ----a-w-  c:\windows\system32\Audio3D.dll
    2012-12-14 19:00:08  712704  ----a-w-  c:\windows\system32\a3d.dll
    2012-12-14 18:34:45  348160  ----a-w-  c:\windows\HideWin.exe
    2012-12-14 18:34:28  604704  ----a-w-  c:\windows\SOUNDMAN.EXE
    2012-12-14 18:34:28  10975264  ----a-w-  c:\windows\system32\RTLCPL.EXE
    2012-12-14 18:34:27  965664  ----a-w-  c:\windows\system32\RtkPgExt.dll
    2012-12-14 18:34:27  4172832  ----a-w-  c:\windows\system32\drivers\RTKVAC.SYS
    2012-12-14 18:34:27  2510368  ----a-w-  c:\windows\system32\RtkAPO.dll
    2012-12-14 18:34:27  19036704  ----a-w-  c:\windows\system32\ALSNDMGR.CPL
    2012-12-14 18:34:27  154144  ----a-w-  c:\windows\system32\RTLCPAPI.dll
    2012-12-14 18:34:27  141856  ----a-w-  c:\windows\system32\RtkCfg.dll
    2012-12-14 18:34:26  223776  ----a-w-  c:\windows\alcrmv.exe
    2012-12-14 18:34:25  524288  ----a-w-  c:\windows\RtlExUpd.dll
    2012-12-14 18:34:25  344064  ----a-w-  c:\windows\alcupd.exe
    .
    ============= FINISH: 23:47:24,22 ===============
  4. Broni

    Broni Malware Annihilator Posts: 46,335   +252

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================

    Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
  5. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    Great, I just read that "Vitro" is a nasty one...

    Either way, here go the logs:

    RogueKiller V8.6.1 [Jun 25 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : rui [Admin rights]
    Mode : Scan -- Date : 08/04/2012 01:03:01
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 7 ¤¤¤
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKCU\[...]\System : DisableCMD (0) -> FOUND
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [Aslr][File] explorer.exe : C:\Windows\explorer.exe [-] --> FOUND

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hxxp://www.w3.org/TR/html4/strict.dtd">
    <html lang='en'>
    <head>
    <meta name="description" content="Yahoo! GeoCities offers you a free web site and all the tools you need to build a dynamic site. Features include easy-to-use site building tools, online help, web site statistics, secure and reliable hosting, and an intuitive control panel.">
    <title>Yahoo! GeoCities: Get a web site with easy-to-use site building tools.</title>
    <link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/combo?yui/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css&smbiz/css/headfoot_6.css&smbiz/css/ysbs_glossary_1.css">
    <link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/lib/smbiz/css/geocities_84954.css">
    <style>
    h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}
    .services li { margin-left:1.0em; padding-left:0.5em; background:url("hxxp://l.yimg.com/a/lib/smbiz/I/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}
    .services li {float:left; width:17em; font-size:116%;margin-top:0.8em}
    .services { font-size:116%; padding-bottom:20px }
    .learnmore a {color:#2882DE;font-size:16px}
    .image_web {float:right; margin:15px 0 0 15px}
    p {margin:20px;font-size:1em;}
    h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}
    h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}
    li.rule {border-top:solid 1px #DBE1E6;}
    </style>
    </head>
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: HDS728080PLAT20 ATA Device +++++
    --- User ---
    [MBR] d4502f5730815e4b7907ddb8d13a97ff
    [BSP] cfbd67b944874a1b8fde47459a48c7ab : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 78431 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_08042012_010301.txt >>
  6. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    RogueKiller V8.6.1 [Jun 25 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : rui [Admin rights]
    Mode : Remove -- Date : 08/04/2012 01:07:20
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 7 ¤¤¤
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKCU\[...]\System : DisableCMD (0) -> DELETED
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> REPLACED (1)
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [Aslr][File] explorer.exe : C:\Windows\explorer.exe [-] --> REPLACED AT REBOOT -> (C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe)

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hxxp://www.w3.org/TR/html4/strict.dtd">
    <html lang='en'>
    <head>
    <meta name="description" content="Yahoo! GeoCities offers you a free web site and all the tools you need to build a dynamic site. Features include easy-to-use site building tools, online help, web site statistics, secure and reliable hosting, and an intuitive control panel.">
    <title>Yahoo! GeoCities: Get a web site with easy-to-use site building tools.</title>
    <link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/combo?yui/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css&smbiz/css/headfoot_6.css&smbiz/css/ysbs_glossary_1.css">
    <link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/lib/smbiz/css/geocities_84954.css">
    <style>
    h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}
    .services li { margin-left:1.0em; padding-left:0.5em; background:url("hxxp://l.yimg.com/a/lib/smbiz/I/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}
    .services li {float:left; width:17em; font-size:116%;margin-top:0.8em}
    .services { font-size:116%; padding-bottom:20px }
    .learnmore a {color:#2882DE;font-size:16px}
    .image_web {float:right; margin:15px 0 0 15px}
    p {margin:20px;font-size:1em;}
    h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}
    h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}
    li.rule {border-top:solid 1px #DBE1E6;}
    </style>
    </head>
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: HDS728080PLAT20 ATA Device +++++
    --- User ---
    [MBR] d4502f5730815e4b7907ddb8d13a97ff
    [BSP] cfbd67b944874a1b8fde47459a48c7ab : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 78431 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_08042012_010720.txt >>
    RKreport[0]_S_08042012_010301.txt
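    The two RogueKiller logs above show the same pattern the DDS report already hinted at: UAC switched off (EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser all 0) plus DisableRegistryTools and DisableCMD planted under HKCU, which RogueKiller then deleted or set back to 1/2/1. Because a still-active infection can simply re-apply those values, it is worth re-checking them after every reboot during the cleanup. The script below is an added example for that re-check; it is not part of this thread and not RogueKiller's own code. It assumes the `[...]` RogueKiller elides is the standard `Software\Microsoft\Windows\CurrentVersion\Policies` path, and it also checks NoDriveTypeAutoRun (the DDS report shows 145, the Windows 7 default), since this machine kept infecting USB sticks.

```powershell
# Added example (not from the thread or from RogueKiller): re-check the policy
# values RogueKiller flagged in the scan log and restored in the remove log,
# plus NoDriveTypeAutoRun from the DDS report, and flag anything that drifted back.
# Assumption: the "[...]" RogueKiller elides is the standard
# Software\Microsoft\Windows\CurrentVersion\Policies path.

$SystemHKLM   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SystemHKCU   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ExplorerHKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected = the value RogueKiller wrote back ("REPLACED (n)" in the remove log),
# or $null where it deleted the value ("DELETED") and the value should stay absent.
$Checks = @(
    [pscustomobject]@{ Path=$SystemHKLM;   Name='EnableLUA';                  Expected=1;     Note='UAC on (log had 0)' }
    [pscustomobject]@{ Path=$SystemHKLM;   Name='ConsentPromptBehaviorAdmin'; Expected=2;     Note='admins prompted on elevation (log had 0)' }
    [pscustomobject]@{ Path=$SystemHKLM;   Name='ConsentPromptBehaviorUser';  Expected=1;     Note='standard users asked for credentials (log had 0)' }
    [pscustomobject]@{ Path=$SystemHKCU;   Name='DisableRegistryTools';       Expected=$null; Note='regedit not blocked (log: DELETED)' }
    [pscustomobject]@{ Path=$SystemHKCU;   Name='DisableCMD';                 Expected=$null; Note='cmd.exe not blocked (log: DELETED)' }
    # DDS showed dword:145 (0x91, the Windows 7 default). 255 (0xFF) disables AutoRun
    # for every drive type, which is the safer setting while USB sticks are being cleaned.
    [pscustomobject]@{ Path=$ExplorerHKCU; Name='NoDriveTypeAutoRun';         Expected=255;   Note='AutoRun off for all drive types' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicyDrift {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        # A value RogueKiller deleted must still be absent; a value it replaced must match.
        if ($null -eq $c.Expected) { $ok = ($null -eq $actual) } else { $ok = ($actual -eq $c.Expected) }
        $shownActual   = if ($null -eq $actual)     { '<absent>' } else { $actual }
        $shownExpected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
        $hive          = $c.Path.Split(':')[0]
        [pscustomobject]@{
            Value    = "$hive\...\$($c.Name)"
            Actual   = $shownActual
            Expected = $shownExpected
            Status   = if ($ok) { 'OK' } else { 'DRIFT' }
            Note     = $c.Note
        }
    }
}

# Run from an elevated PowerShell prompt on the cleaned machine.
Test-PolicyDrift -Checks $Checks | Format-Table -AutoSize
```

    Any row reporting DRIFT after RogueKiller's fix means something on the machine is re-applying the policy, which is exactly the "still infected" signal the helper above asks to be kept informed about.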
  7. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 3.199000 GHz
    Memory total: 1274339328, free: 863358976

    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 3.199000 GHz
    Memory total: 1274339328, free: 836263936

    Downloaded database version: v2013.06.25.10
    Initializing...
    ------------ Kernel report ------------
    08/04/2012 01:38:25
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\viaide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\vsmraid.sys
    \SystemRoot\system32\drivers\storport.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\uagp35.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\aswVmm.sys
    \SystemRoot\System32\Drivers\aswRvrt.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\vgapnp.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\drivers\cmuda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\framebuf.dll
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\DRIVERS\parvdm.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\fetnd6.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\shell32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\sechost.dll
    \Windows\System32\msctf.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\psapi.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\user32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\nsi.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\wininet.dll
    \Windows\System32\imm32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8536a828
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xffffffff843cd5c8
    Lower Device Driver Name: \Driver\atapi\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8536a828, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8536a468, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff8536a828, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8503ec10, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff843cd5c8, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 17121711

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 160626688

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 82348277760 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
    Done!
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 3.199000 GHz
    Memory total: 1274339328, free: 769200128

    Initializing...
    ------------ Kernel report ------------
    08/04/2012 02:12:45
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\viaide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\vsmraid.sys
    \SystemRoot\system32\drivers\storport.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\uagp35.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\aswVmm.sys
    \SystemRoot\System32\Drivers\aswRvrt.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\vgapnp.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\drivers\cmuda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\fetnd6.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\framebuf.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\DRIVERS\parvdm.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff85366a00
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xffffffff85054030
    Lower Device Driver Name: \Driver\atapi\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff85366a00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff85366640, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff85366a00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff85056918, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff85054030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 17121711

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 160626688

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 82348277760 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
    Done!
    Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_k.mbam --> [Trojan.FakeMS]
    Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_r.mbam --> [Trojan.FakeMS]
    Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_u.mbam --> [Trojan.FakeMS]
    Infected file c:\Windows\System32\SecEdit.exe could not be remediated because backup file is not available
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    Removal queue found; removal started
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_k.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_u.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 3.199000 GHz
    Memory total: 1274339328, free: 850608128

    Initializing...
    ------------ Kernel report ------------
    08/04/2012 13:40:37
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\viaide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\vsmraid.sys
    \SystemRoot\system32\drivers\storport.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\uagp35.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\aswVmm.sys
    \SystemRoot\System32\Drivers\aswRvrt.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\vgapnp.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\drivers\cmuda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\fetnd6.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\framebuf.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\DRIVERS\parvdm.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\msvcrt.dll
    \Windows\System32\psapi.dll
    \Windows\System32\usp10.dll
    \Windows\System32\ole32.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\msctf.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\sechost.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\imm32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\wininet.dll
    \Windows\System32\shell32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\user32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff85366ac8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xffffffff85054030
    Lower Device Driver Name: \Driver\atapi\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff85366ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff853667b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff85366ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff85069918, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff85054030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 17121711

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 160626688

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 82348277760 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
    Done!
    Infected file c:\Windows\System32\SecEdit.exe could not be remediated because backup file is not available
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_k.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_u.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_r.mbam...
    Removal finished
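The "Scanning MBR on drive 0" block in the logs above is the part of an MBAR run that matters for a bootkit, and on this machine it is clean: valid 55AA signature, two NTFS (type 0x07) primaries, empty slots 2 and 3, and the scanner then reads the sectors no partition owns. That is consistent with the title of the thread, since Virut is a polymorphic file infector that lives in executables (the infected SecEdit.exe is the real finding here), not a boot-sector parasite. The following Python is an added example for this page, not Malwarebytes code and not anything the poster ran: it parses a raw 512-byte MBR and derives the fields the log prints, then computes the unpartitioned ranges and a few table sanity checks. The sector it parses is constructed from the values in the log (disk signature 17121711, partitions at LBA 2048/204800 and 206848/160626688, disk size 82348277760 bytes); the function names are mine.

```python
"""Parse a DOS-style MBR and compute the unpartitioned sector ranges that a
rootkit scanner must read raw.  Added example for this thread; it is not
MBAR code.  The sector is CONSTRUCTED to carry the values printed in the log
above (disk signature 17121711, NTFS partitions at LBA 2048 and 206848)."""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8        # 4-byte little-endian Windows disk signature
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA, count
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511
DISK_BYTES = 82348277760       # "Disk Size" from the log


def build_sample_mbr() -> bytes:
    """Constructed sector: zeroed boot code, log values in the table."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x17121711)
    entries = [  # (status, type, first LBA, sector count)
        (0x80, 0x07, 2048, 204800),       # System Reserved, active
        (0x00, 0x07, 206848, 160626688),  # C:, not active
        (0x00, 0x00, 0, 0),
        (0x00, 0x00, 0, 0),
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        # CHS fields left zero; modern tools use the LBA fields only
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Signature checks plus the four partition entries, as a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        parts.append({"index": i, "type": ptype, "active": status == 0x80,
                      "start_lba": lba, "num_sectors": count})
    return {"boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "disk_signature": "%08X" % disk_sig,
            "partitions": parts}


def unpartitioned_ranges(partitions, disk_bytes=DISK_BYTES):
    """Inclusive sector ranges owned by no partition, sector 0 (the MBR)
    excluded.  This is where bootkit code and data hide outside any volume."""
    total = disk_bytes // SECTOR_SIZE
    used = sorted((p["start_lba"], p["start_lba"] + p["num_sectors"])
                  for p in partitions if p["num_sectors"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total:
        gaps.append((cursor, total - 1))
    return gaps


def table_anomalies(partitions, disk_bytes=DISK_BYTES):
    """Structural problems worth a second look on a suspected bootkit."""
    total = disk_bytes // SECTOR_SIZE
    problems = []
    active = [p["index"] for p in partitions if p["active"]]
    if len(active) > 1:
        problems.append("more than one active partition: %s" % active)
    live = sorted((p["start_lba"], p["start_lba"] + p["num_sectors"], p["index"])
                  for p in partitions if p["num_sectors"])
    for _, end, idx in live:
        if end > total:
            problems.append("partition %d extends past end of disk" % idx)
    for (_, e1, i1), (s2, _, i2) in zip(live, live[1:]):
        if s2 < e1:
            problems.append("partitions %d and %d overlap" % (i1, i2))
    return problems


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("MBR Signature ok:", info["boot_signature_ok"])
    print("Disk Signature:", info["disk_signature"])
    for p in info["partitions"]:
        print("Partition %d type 0x%02X %s LBA %d Numsec %d" % (
            p["index"], p["type"], "ACTIVE" if p["active"] else "NOT ACTIVE",
            p["start_lba"], p["num_sectors"]))
    print("Unpartitioned:", unpartitioned_ranges(info["partitions"]))
    print("Anomalies:", table_anomalies(info["partitions"]) or "none")
```

Two caveats when reading this against the log. First, the geometric gap after partition 1 starts at sector 160833536 (206848 + 160626688), while the log's second raw-scan window starts at 160816480, exactly 20000 sectors before the end of the disk; the scanner's tail window is wider than the gap, and the example only reports the gap. Second, type 0x07 is the generic "installable file system" ID shared by NTFS and exFAT, so the "Partition file system is NTFS" and "Partition is bootable" lines require reading each partition's own boot sector, which this example does not do. Separately, the kernel reports are dated 08/04/2012 while the signature database is v2013.06.25.10, so this machine's clock is wrong; keep that in mind before trusting file timestamps when hunting the remaining Virut-infected executables.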
  8. AlbionPT

    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.06.25.10

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    rui :: RUI-PC [administrator]

    04-08-2012 02:13:03
    mbar-log-2012-08-04 (02-13-03).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 195133
    Time elapsed: 29 minute(s), 45 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_k.mbam (Trojan.FakeMS) -> Delete on reboot.
    c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_r.mbam (Trojan.FakeMS) -> Delete on reboot.
    c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_u.mbam (Trojan.FakeMS) -> Delete on reboot.

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
  9. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.06.25.10

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    rui :: RUI-PC [administrator]

    04-08-2012 13:40:46
    mbar-log-2012-08-04 (13-40-46).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 194522
    Time elapsed: 30 minute(s), 18 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
  10. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    MalwareBytes Anti-Rootkit also reported that there was a SecEdit.exe file located in System32 that was infected but could not be remediated (no backup found).

    I wonder if it wouldn't be wiser to ask the owner to search for the Original Win7 Cd's and perform a complete reformat & reinstall. I fear the Vitro/Virut infection has spread beyond any hope...
  11. Broni

    Broni Malware Annihilator Posts: 46,335   +252

    Open Windows Explorer. Go to Tools>Folder Options>View tab (Windows 8 users: open File Manager, go to View>Options>Change folder and search options>View tab), put a checkmark next to Show hidden files, and folders, and UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - c:\Windows\System32\SecEdit.exe
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    secedit.exe
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  12. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    SystemLook.txt

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:17 on 27/06/2013 by rui
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "secedit.exe"
    C:\Windows\System32\SecEdit.exe --a---- 62976 bytes [23:33 13/07/2009] [01:14 14/07/2009] 342942361EA1C3F14BF0FC59D8F91662
    -= EOF =-


    VirusTotal report (antivirus engine, result, signature date; an engine with no result listed did not detect the file):

    Agnitum Win32.Virut.AB.Gen 20130627
    AhnLab-V3 Win32/Virut.F 20130627
    AntiVir W32/Virut.Gen 20130627
    Antiy-AVL 20130627
    Avast Win32:Vitro 20130627
    AVG Win32/Virut 20130627
    BitDefender Win32.Virtob.Gen.12 20130627
    ByteHero 20130613
    CAT-QuickHeal W32.Virut.G 20130627
    ClamAV 20130627
    Commtouch W32/Virut.E.gen!Eldorado 20130627
    Comodo 20130627
    DrWeb Win32.Virut.56 20130627
    Emsisoft Win32.Virtob.Gen.12 (B) 20130627
    eSafe 20130625
    ESET-NOD32 Win32/Virut.NBP 20130627
    F-Prot W32/Virut.E.gen!Eldorado 20130627
    F-Secure Win32.Virtob.Gen.12 20130627
    Fortinet W32/Virut.CE 20130627
    GData Win32.Virtob.Gen.12 20130627
    Ikarus Virus.Win32.Virut 20130627
    Jiangmin Win32/Virut.bt 20130627
    K7AntiVirus Virus 20130627
    K7GW Virus 20130627
    Kaspersky Virus.Win32.Virut.ce 20130627
    Kingsoft Win32.Virut.dd.368640 20130506
    Malwarebytes Trojan.FakeMS 20130627
    McAfee W32/Virut.n.gen 20130627
    McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20130627
    Microsoft Virus:Win32/Virut.gen!ep 20130627
    MicroWorld-eScan 20130627
    NANO-Antivirus Virus.Win32.Virut.hpeg 20130627
    Norman Virut.HL 20130627
    nProtect 20130627
    Panda W32/Sality.AO 20130627
    PCTools Malware.Virut 20130521
    Rising Win32.Virut.dy 20130627
    Sophos W32/Scribble-B 20130627
    SUPERAntiSpyware 20130627
    Symantec W32.Virut.CF 20130627
    TheHacker 20130625
    TotalDefense Win32/Virut.17408 20130627
    TrendMicro PE_VIRUX.R 20130627
    TrendMicro-HouseCall PE_VIRUX.R 20130627
    VBA32 Virus.Virut.14 20130627
    VIPRE Virus.Win32.Virut.ce.5 (v) 20130627
    ViRobot Win32.Virut.AM 20130627
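    The SystemLook step Broni asked for, worked through in code as an added example (not SystemLook's code and not from this thread): a parser for the `:filefind` result lines in the log above, plus a check that a copy of the file you hold has the same size and MD5 as the logged one, so the sample sent to VirusTotal is verifiably the file SystemLook reported. It assumes only the line layout shown above (path, seven attribute flags, size, two bracketed timestamps, MD5); the sample log is constructed from that layout.

```python
import hashlib
import re
from pathlib import Path

# One ':filefind' result line: path, 7 attribute flags, size, two bracketed
# timestamps (created, modified) and the MD5, separated by whitespace.
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9a-f]{32})$",
    re.IGNORECASE,
)

# Constructed sample: the lines SystemLook printed for SecEdit.exe in the log
# above, wrapped in the section markers the tool uses.
SAMPLE_LOG = r"""========== filefind ==========
Searching for "secedit.exe"
C:\Windows\System32\SecEdit.exe --a---- 62976 bytes [23:33 13/07/2009] [01:14 14/07/2009] 342942361EA1C3F14BF0FC59D8F91662
-= EOF =-
"""

def parse_filefind(log_text):
    """Return one dict per result line: path, attrs, size (int), created, modified, md5 (upper-case)."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries

def md5_of(path):
    """MD5 of a file, read in chunks, as upper-case hex (SystemLook's notation)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def verify(entry, local_path):
    """'match' when size and MD5 equal the logged values, 'changed' when either
    differs (e.g. the file was modified after the log was taken), 'missing' if absent."""
    local = Path(local_path)
    if not local.is_file():
        return "missing"
    if local.stat().st_size != entry["size"] or md5_of(local) != entry["md5"]:
        return "changed"
    return "match"

if __name__ == "__main__":
    for e in parse_filefind(SAMPLE_LOG):
        print(e["path"], e["size"], e["md5"], "->", verify(e, e["path"]))
```

Run it against a real SystemLook.txt by passing its contents to `parse_filefind`; a "changed" result on a file infector like this one means the copy you are looking at is no longer the one that was logged.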
  13. Broni

    Broni Malware Annihilator Posts: 46,335   +252

    This is actually very bad news :(

    You are infected with a polymorphic file infector (Virut). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
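    An added example (not from the post above or from any tool it names) of the backup rule Broni states: walk the tree you intend to copy off the infected machine, leave behind every file whose extension is on the post's list, and record a SHA-256 for everything else so the copy can be checked later. As one extra safeguard beyond the post's list, it also leaves behind any file that starts with the PE "MZ" header, since a renamed executable is still an executable. The sample tree is constructed in a temporary directory.

```python
import hashlib
from pathlib import Path

# Extensions named in the post above as carriers of the infection; files with
# these are left out of the backup set no matter where they sit in the tree.
VIRUT_CARRIERS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip",
                  ".rar", ".doc", ".jpg", ".pdf"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with this header

def is_pe(path):
    """True if the file starts with the PE 'MZ' header, whatever its extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC

def sha256_of(path):
    """SHA-256 of a file, read in chunks, as lower-case hex."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root):
    """Split a tree into files safe to copy and files to leave behind.

    Returns (keep, excluded): keep maps relative path -> sha256, excluded maps
    relative path -> reason ('extension' for the post's list, 'pe-header' for
    a renamed executable)."""
    root = Path(root)
    keep, excluded = {}, {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in VIRUT_CARRIERS:
            excluded[rel] = "extension"
        elif is_pe(p):
            excluded[rel] = "pe-header"
        else:
            keep[rel] = sha256_of(p)
    return keep, excluded

def write_manifest(keep, manifest_path):
    """Write 'sha256  relative/path' lines (sha256sum -c format); returns the line count."""
    lines = [f"{digest}  {rel}" for rel, digest in sorted(keep.items())]
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return len(lines)

if __name__ == "__main__":
    import sys
    kept, left = triage(sys.argv[1])  # usage: python triage.py <source tree>
    print(f"{len(kept)} file(s) to back up, {len(left)} excluded: {left}")
```

After copying the kept files to a clean machine, `sha256sum -c manifest.txt` run in the copied tree confirms nothing changed in transit.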
  14. AlbionPT

    AlbionPT Newcomer, in training Topic Starter Posts: 31

    Well, I guess I have to forward the bad news to my work mate.

    Time to put this computer aside and pick computer 'C'. I will create a new thread if I see I need help on that one.

    Either way: Thanks for all your help Broni! (You can close the thread now)
  15. Broni

    Broni Malware Annihilator Posts: 46,335   +252

    You're very welcome [​IMG]

