Inactive [Not curable-Virut] Virus Infection

[AlbionPT]

Greetings!

One of my work colleagues asked me if I could give an eye on her 3 'broken' computers. As I know a thing or two about Pc's I quickly figured out that both 3 had issues with Virus & Malware.
So I fixed one of those and I'm currently stuck with computer "B".

I ran Malware Bytes who discovered and deleted a few infections (Brontok,Virtus, etc..) but then I noticed that it was still infecting my pens.

Anti-Virus:
- The computer has NO anti-virus protection. I installed Avast 7 (Apparently Avast 8 does not work properly on this computer) who discovered a TON of files infected with Virtus (?). Repair does not work, Quarentine makes Windows 7 unbootable (Have to Restore to a previous date to be able to use Windows again).

I don't have access to Win7 Cd so format is not a solution in here for now.

Here goes the current Logs. Thanks in Advance!
---------------------------------------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.17.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
rui :: RUI-PC [administrator]

03-08-2012 23:34:48
mbam-log-2012-08-03 (23-34-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191390
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[AlbionPT]

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 15-12-2013 17:13:00
System Uptime: 03-08-2012 23:31:30 (0 hours ago)
.
Motherboard: | | 775VM800
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPUSocket | 3199/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 77 GiB total, 60,633 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 08-04-2013 18:45:11 - Installed QuickTime
RP4: 12-04-2013 15:41:48 - Windows Update
RP5: 18-09-2013 15:01:17 - Windows Update
RP6: 18-09-2013 15:50:12 - Windows Update
RP7: 18-09-2013 15:50:43 - avast! Free Antivirus Instalação
RP8: 22-09-2013 20:28:41 - avast! Free Antivirus Instalação
RP9: 22-09-2013 22:03:30 - avast! Free Antivirus Instalação
.
==== Installed Programs ======================
.
Actualização para Microsoft Outlook Social Connector (KB2289116)
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI - Português
Adobe Shockwave Player 11.6
Apple Software Update
avast! Free Antivirus
C-Media WDM Audio Driver
Definition update for Microsoft Office 2010 (KB982726)
Java 7 Update 10
Java Auto Updater
K-Lite Codec Pack 9.6.0 (Full)
Malwarebytes Anti-Malware versão 1.75.0.1300
Microsoft Office Access MUI (Portuguese (Portugal)) 2010
Microsoft Office Casa e Negócios 2010
Microsoft Office Excel MUI (Portuguese (Portugal)) 2010
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2010
Microsoft Office Outlook MUI (Portuguese (Portugal)) 2010
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Portuguese (Portugal)) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (Portuguese (Portugal)) 2010
Microsoft Office Publisher MUI (Portuguese (Portugal)) 2010
Microsoft Office Shared MUI (Portuguese (Portugal)) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (Portuguese (Portugal)) 2010
Microsoft Outlook Social Connector (KB2289116) ªº§ó·s
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 6.0 (x86 pt-PT)
Nero Burning ROM
Nero Burning ROM Help (CHM)
Nero BurningROM 12
Nero ControlCenter
Nero ControlCenter Help (CHM)
Nero Core Components
Nero SharedVideoCodecs
Nero Update
Prerequisite installer
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
SUPERAntiSpyware
Suporte para Aplicações Apple
swMSM
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft OneNote 2010 (KB2433299)
.
==== End Of File ===========================

 

[AlbionPT]

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.10.2
Run by rui at 23:47:00 on 2012-08-03
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.351.2070.18.1215.827 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\srvany.exe
C:\Windows\KMService.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&nviar para o OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{1EA7894E-0F53-4542-9D2D-C03242195ACD} : DHCPNameServer = 192.168.1.254 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rui\appdata\roaming\mozilla\firefox\profiles\ymy4zoe6.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-9-22 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-9-22 174664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2012-12-14 35840]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2012-7-13 769432]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-12 62464]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-7-15 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-12 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-12 112640]
S3 WatAdminSvc;Serviço de Tecnologias de Activação do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-14 1343400]
.
=============== Created Last 30 ================
.
2013-12-15 17:46:19--------d-----w-c:\users\rui\appdata\local\Microsoft Games
2013-12-15 17:12:31--------d-sh--wec:\programdata\Modelos
2013-12-15 17:12:31--------d-sh--wec:\programdata\Menu Iniciar
2013-12-15 17:12:31--------d-sh--wec:\programdata\Favoritos
2013-12-15 17:12:31--------d-sh--wec:\programdata\Documentos
2013-12-15 17:12:31--------d-sh--wec:\programdata\Ambiente de trabalho
2013-12-15 17:12:31--------d-sh--weC:\Programas
2013-12-15 17:12:31--------d-sh--wec:\program files\Ficheiros comuns
2013-12-15 17:12:31--------d-sh--wec:\program files\common files\Sistema
2013-12-15 17:12:31--------d-sh--w-C:\Recovery
2013-09-22 19:34:45174664----a-w-c:\windows\system32\drivers\aswVmm.sys
2013-09-22 19:34:4449376----a-w-c:\windows\system32\drivers\aswRvrt.sys
2013-09-22 19:30:2941664----a-w-c:\windows\avastSS.scr
2013-09-22 18:20:37--------d-----w-c:\users\rui\appdata\roaming\Malwarebytes
2013-09-22 18:20:30--------d-----w-c:\programdata\Malwarebytes
2013-09-22 18:20:2922856----a-w-c:\windows\system32\drivers\mbam.sys
2013-09-22 18:20:29--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2013-09-22 18:20:16--------d-----w-c:\users\rui\appdata\local\Programs
2013-09-22 13:20:59--------d-----w-c:\users\rui\appdata\roaming\SUPERAntiSpyware.com
2013-09-22 13:20:15--------d-----w-c:\programdata\SUPERAntiSpyware.com
2013-09-22 13:20:15--------d-----w-c:\program files\SUPERAntiSpyware
2013-09-22 12:48:12--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-22
2013-09-18 14:52:33--------d-----w-c:\program files\AVAST Software
2013-09-18 14:49:52--------d-----w-c:\programdata\AVAST Software
2013-09-18 14:42:5612393----a-w-c:\users\rui\appdata\local\Bron.tok.A12.em.bin
2013-09-18 14:12:36--------d-----w-c:\users\rui\appdata\local\Macromedia
2013-09-18 14:08:16--------d-----w-c:\windows\pss
2013-09-18 13:50:31--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-18
2013-06-09 13:42:36--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-9
2013-04-17 13:02:07--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-17
2013-04-12 15:10:03159744----a-w-c:\program files\internet explorer\plugins\npqtplugin7.dll
2013-04-12 15:10:03159744----a-w-c:\program files\internet explorer\plugins\npqtplugin6.dll
2013-04-12 15:10:03159744----a-w-c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-04-12 15:10:02159744----a-w-c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-04-12 15:10:02159744----a-w-c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-04-12 15:10:02159744----a-w-c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-04-12 15:10:02159744----a-w-c:\program files\internet explorer\plugins\npqtplugin.dll
2013-04-12 14:39:57--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-12
2013-04-10 12:33:43--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-10
2013-04-08 17:46:18--------d-----w-c:\users\rui\appdata\local\Loc.Mail.Bron.Tok
2013-04-08 17:45:28--------d-----w-c:\users\rui\appdata\local\Ok-SendMail-Bron-tok
2013-04-08 17:44:28--------d-----w-c:\users\rui\appdata\local\Apple
2013-04-08 17:40:10--------d-----w-c:\users\rui\appdata\local\Bron.tok-12-8
2013-04-08 17:03:20--------d-----w-c:\users\rui\appdata\local\ElevatedDiagnostics
2013-04-06 10:58:48--------d-----w-c:\users\rui\appdata\local\Microsoft Help
2012-12-14 19:57:57--------d-----w-c:\windows\system32\Wat
2012-12-14 19:48:5635840----a-w-c:\windows\system32\srvany.exe
2012-12-14 19:48:56184108----a-w-c:\windows\KMService.exe
2012-12-14 19:39:31--------d-----w-c:\windows\PCHEALTH
2012-12-14 19:36:06--------d-----w-c:\program files\Microsoft Analysis Services
2012-12-14 19:11:43--------d-----w-c:\program files\Nero
2012-12-14 19:11:38--------d-----w-c:\programdata\Nero
2012-12-14 19:07:02178688----a-w-c:\windows\system32\unrar.dll
2012-12-14 19:04:46--------d-sh--w-c:\windows\Installer
2012-12-14 18:08:31--------d-----w-c:\windows\Panther
2012-12-14 18:07:5858880----a-r-c:\windows\system32\CMDOW.EXE
2012-12-14 18:07:58351----a-r-c:\windows\system32\final.vbs
2012-12-14 18:07:581079----a-r-c:\windows\system32\tweaks7.reg
2012-12-14 18:07:58107----a-r-c:\windows\system32\final.bat
2012-12-14 18:07:51--------d-----w-C:\Systools
.
==================== Find3M ====================
.
2012-12-14 19:58:0913824----a-w-c:\windows\system32\slwga.dll
2012-12-14 19:58:08409088----a-w-c:\windows\system32\systemcpl.dll
2012-12-14 19:58:05811520----a-w-c:\windows\system32\user32.dll
2012-12-14 19:06:1893640----a-w-c:\windows\system32\WindowsAccessBridge.dll
2012-12-14 19:06:18859072----a-w-c:\windows\system32\npDeployJava1.dll
2012-12-14 19:06:18779704----a-w-c:\windows\system32\deployJava1.dll
2012-12-14 19:06:1173656----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 19:06:11697272----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-12-14 19:00:09917504----a-w-c:\windows\system\cmids3d.dll
2012-12-14 19:00:0932768----a-w-c:\windows\system32\udaprop.dll
2012-12-14 19:00:0928672----a-w-c:\windows\system32\cmirmdrv.dll
2012-12-14 19:00:09262144----a-w-c:\windows\system32\cmirmdrv.exe
2012-12-14 19:00:09172032----a-w-c:\windows\system32\cmuda.dll
2012-12-14 19:00:091486848----a-w-c:\windows\system\SmWizard.exe
2012-12-14 19:00:091372992----a-w-c:\windows\system32\drivers\cmuda.sys
2012-12-14 19:00:08712704----a-w-c:\windows\system32\Audio3D.dll
2012-12-14 19:00:08712704----a-w-c:\windows\system32\a3d.dll
2012-12-14 18:34:45348160----a-w-c:\windows\HideWin.exe
2012-12-14 18:34:28604704----a-w-c:\windows\SOUNDMAN.EXE
2012-12-14 18:34:2810975264----a-w-c:\windows\system32\RTLCPL.EXE
2012-12-14 18:34:27965664----a-w-c:\windows\system32\RtkPgExt.dll
2012-12-14 18:34:274172832----a-w-c:\windows\system32\drivers\RTKVAC.SYS
2012-12-14 18:34:272510368----a-w-c:\windows\system32\RtkAPO.dll
2012-12-14 18:34:2719036704----a-w-c:\windows\system32\ALSNDMGR.CPL
2012-12-14 18:34:27154144----a-w-c:\windows\system32\RTLCPAPI.dll
2012-12-14 18:34:27141856----a-w-c:\windows\system32\RtkCfg.dll
2012-12-14 18:34:26223776----a-w-c:\windows\alcrmv.exe
2012-12-14 18:34:25524288----a-w-c:\windows\RtlExUpd.dll
2012-12-14 18:34:25344064----a-w-c:\windows\alcupd.exe
.
============= FINISH: 23:47:24,22 ===============

 

[Broni]

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==================================

Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.

• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
• Otherwise just double-click on RogueKiller.exe
• Pre-scan will start. Let it finish.
• Click on SCAN button.
• Wait until the Status box shows Scan Finished
• Click on Delete.
• Wait until the Status box shows Deleting Finished.
• Click on Report and copy/paste the content of the Notepad into your next reply.
• RKreport.txt could also be found on your desktop.
• If more than one log is produced post all logs.
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

Download Malwarebytes Anti-Rootkit (MBAR) from HERE

• Unzip downloaded file.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

 

[AlbionPT]

Great, I just read that "Vitro" is a nasty one...

Either way here go the logs:

RogueKiller V8.6.1 [Jun 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : rui [Admin rights]
Mode : Scan -- Date : 08/04/2012 01:03:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Aslr][File] explorer.exe : C:\Windows\explorer.exe [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hxxp://www.w3.org/TR/html4/strict.dtd">
<html lang='en'>
<head>
<meta name="description" content="Yahoo! GeoCities offers you a free web site and all the tools you need to build a dynamic site. Features include easy-to-use site building tools, online help, web site statistics, secure and reliable hosting, and an intuitive control panel.">
<title>Yahoo! GeoCities: Get a web site with easy-to-use site building tools.</title>
<link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/combo?yui/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css&smbiz/css/headfoot_6.css&smbiz/css/ysbs_glossary_1.css">
<link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/lib/smbiz/css/geocities_84954.css">
<style>
h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}
.services li { margin-left:1.0em; padding-left:0.5em; background:url("hxxp://l.yimg.com/a/lib/smbiz/I/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}
.services li {float:left; width:17em; font-size:116%;margin-top:0.8em}
.services { font-size:116%; padding-bottom:20px }
.learnmore a {color:#2882DE;font-size:16px}
.image_web {float:right; margin:15px 0 0 15px}
p {margin:20px;font-size:1em;}
h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}
h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}
li.rule {border-top:solid 1px #DBE1E6;}
</style>
</head>
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDS728080PLAT20 ATA Device +++++
--- User ---
[MBR] d4502f5730815e4b7907ddb8d13a97ff
[BSP] cfbd67b944874a1b8fde47459a48c7ab : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 78431 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08042012_010301.txt >>

 

[AlbionPT]

RogueKiller V8.6.1 [Jun 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : rui [Admin rights]
Mode : Remove -- Date : 08/04/2012 01:07:20
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKCU\[...]\System : DisableCMD (0) -> DELETED
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> REPLACED (1)
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Aslr][File] explorer.exe : C:\Windows\explorer.exe [-] --> REPLACED AT REBOOT -> (C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe)

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hxxp://www.w3.org/TR/html4/strict.dtd">
<html lang='en'>
<head>
<meta name="description" content="Yahoo! GeoCities offers you a free web site and all the tools you need to build a dynamic site. Features include easy-to-use site building tools, online help, web site statistics, secure and reliable hosting, and an intuitive control panel.">
<title>Yahoo! GeoCities: Get a web site with easy-to-use site building tools.</title>
<link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/combo?yui/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css&smbiz/css/headfoot_6.css&smbiz/css/ysbs_glossary_1.css">
<link rel="stylesheet" type="text/css" media="all" href="hxxp://l.yimg.com/a/lib/smbiz/css/geocities_84954.css">
<style>
h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}
.services li { margin-left:1.0em; padding-left:0.5em; background:url("hxxp://l.yimg.com/a/lib/smbiz/I/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}
.services li {float:left; width:17em; font-size:116%;margin-top:0.8em}
.services { font-size:116%; padding-bottom:20px }
.learnmore a {color:#2882DE;font-size:16px}
.image_web {float:right; margin:15px 0 0 15px}
p {margin:20px;font-size:1em;}
h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}
h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}
li.rule {border-top:solid 1px #DBE1E6;}
</style>
</head>
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDS728080PLAT20 ATA Device +++++
--- User ---
[MBR] d4502f5730815e4b7907ddb8d13a97ff
[BSP] cfbd67b944874a1b8fde47459a48c7ab : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 78431 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08042012_010720.txt >>
RKreport[0]_S_08042012_010301.txt

 

[AlbionPT]

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.199000 GHz
Memory total: 1274339328, free: 863358976

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.199000 GHz
Memory total: 1274339328, free: 836263936

Downloaded database version: v2013.06.25.10
Initializing...
------------ Kernel report ------------
08/04/2012 01:38:25
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\viaide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\vsmraid.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\uagp35.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\vgapnp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\drivers\cmuda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\fetnd6.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\shell32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\ws2_32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\ole32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\urlmon.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\gdi32.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\psapi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\user32.dll
\Windows\System32\usp10.dll
\Windows\System32\comdlg32.dll
\Windows\System32\difxapi.dll
\Windows\System32\nsi.dll
\Windows\System32\iertutil.dll
\Windows\System32\clbcatq.dll
\Windows\System32\kernel32.dll
\Windows\System32\lpk.dll
\Windows\System32\wininet.dll
\Windows\System32\imm32.dll
\Windows\System32\devobj.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\crypt32.dll
\Windows\System32\comctl32.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8536a828
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff843cd5c8
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8536a828, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8536a468, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8536a828, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8503ec10, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff843cd5c8, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 17121711

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 160626688

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 82348277760 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
Done!
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.199000 GHz
Memory total: 1274339328, free: 769200128

Initializing...
------------ Kernel report ------------
08/04/2012 02:12:45
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\viaide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\vsmraid.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\uagp35.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\vgapnp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\drivers\cmuda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fetnd6.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85366a00
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85054030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85366a00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85366640, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85366a00, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85056918, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85054030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 17121711

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 160626688

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 82348277760 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
Done!
Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_k.mbam --> [Trojan.FakeMS]
Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_r.mbam --> [Trojan.FakeMS]
Infected: c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_u.mbam --> [Trojan.FakeMS]
Infected file c:\Windows\System32\SecEdit.exe could not be remediated because backup file is not available
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_k.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_u.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.199000 GHz
Memory total: 1274339328, free: 850608128

Initializing...
------------ Kernel report ------------
08/04/2012 13:40:37
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\viaide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\vsmraid.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\uagp35.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\vgapnp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\drivers\cmuda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\fetnd6.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\msvcrt.dll
\Windows\System32\psapi.dll
\Windows\System32\usp10.dll
\Windows\System32\ole32.dll
\Windows\System32\gdi32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\msctf.dll
\Windows\System32\imagehlp.dll
\Windows\System32\sechost.dll
\Windows\System32\kernel32.dll
\Windows\System32\advapi32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\imm32.dll
\Windows\System32\nsi.dll
\Windows\System32\wininet.dll
\Windows\System32\shell32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\iertutil.dll
\Windows\System32\user32.dll
\Windows\System32\lpk.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\normaliz.dll
\Windows\System32\difxapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\oleaut32.dll
\Windows\System32\devobj.dll
\Windows\System32\comctl32.dll
\Windows\System32\wintrust.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85366ac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85054030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85366ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff853667b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85366ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85069918, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85054030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 17121711

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 160626688

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 82348277760 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-160816480-160836480)...
Done!
Infected file c:\Windows\System32\SecEdit.exe could not be remediated because backup file is not available
Scan finished
=======================================


Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_k.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_u.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\secedit.exe_r.mbam...
Removal finished

 

[AlbionPT]

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.25.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
rui :: RUI-PC [administrator]

04-08-2012 02:13:03
mbar-log-2012-08-04 (02-13-03).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 195133
Time elapsed: 29 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_k.mbam (Trojan.FakeMS) -> Delete on reboot.
c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_r.mbam (Trojan.FakeMS) -> Delete on reboot.
c:\ProgramData\Malwarebytes' Anti-Malware (portable)\secedit.exe_u.mbam (Trojan.FakeMS) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

[AlbionPT]

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.25.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
rui :: RUI-PC [administrator]

04-08-2012 13:40:46
mbar-log-2012-08-04 (13-40-46).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 194522
Time elapsed: 30 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

[AlbionPT]

MalwareBytes Anti-Rootkit also informed that there was a SecEdit.exe file located on System32 that was infected but could not be remediated (no backup found).

I wonder if it wouldn't be wiser to ask the owner to search for the Original Win7 Cd's and perform a complete reformat & reinstall. I fear the Vitro/Virut infection has spread beyond any hope...

 

[Broni]

Open Windows Explorer. Go Tools>Folder Options>View tab (Windows 8 users. Open File Manager. Go View>Options>Change folder and search options>View tab), put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- c:\Windows\System32\SecEdit.exe
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box and paste it into the main textfield:

:filefind
secedit.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[AlbionPT]

SystemLook.txt

SystemLook 30.07.11 by jpshortstuff
Log created at 19:17 on 27/06/2013 by rui
Administrator - Elevation successful
========== filefind ==========
Searching for "secedit.exe"
C:\Windows\System32\SecEdit.exe --a---- 62976 bytes [23:33 13/07/2009] [01:14 14/07/2009] 342942361EA1C3F14BF0FC59D8F91662
-= EOF =-


virustotal report

Agnitum Win32.Virut.AB.Gen 20130627
AhnLab-V3 Win32/Virut.F 20130627
AntiVir W32/Virut.Gen 20130627
Antiy-AVL 20130627
Avast Win32:Vitro 20130627
AVG Win32/Virut 20130627
BitDefender Win32.Virtob.Gen.12 20130627
ByteHero 20130613
CAT-QuickHeal W32.Virut.G 20130627
ClamAV 20130627
Commtouch W32/Virut.E.gen!Eldorado 20130627
Comodo 20130627
DrWeb Win32.Virut.56 20130627
Emsisoft Win32.Virtob.Gen.12 (B) 20130627
eSafe 20130625
ESET-NOD32 Win32/Virut.NBP 20130627
F-Prot W32/Virut.E.gen!Eldorado 20130627
F-Secure Win32.Virtob.Gen.12 20130627
Fortinet W32/Virut.CE 20130627
GData Win32.Virtob.Gen.12 20130627
Ikarus Virus.Win32.Virut 20130627
Jiangmin Win32/Virut.bt 20130627
K7AntiVirus Virus 20130627
K7GW Virus 20130627
Kaspersky Virus.Win32.Virut.ce 20130627
Kingsoft Win32.Virut.dd.368640 20130506
Malwarebytes Trojan.FakeMS 20130627
McAfee W32/Virut.n.gen 20130627
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20130627
Microsoft Virus:Win32/Virut.gen!ep 20130627
MicroWorld-eScan 20130627
NANO-Antivirus Virus.Win32.Virut.hpeg 20130627
Norman Virut.HL 20130627
nProtect 20130627
Panda W32/Sality.AO 20130627
PCTools Malware.Virut 20130521
Rising Win32.Virut.dy 20130627
Sophos W32/Scribble-B 20130627
SUPERAntiSpyware 20130627
Symantec W32.Virut.CF 20130627
TheHacker 20130625
TotalDefense Win32/Virut.17408 20130627
TrendMicro PE_VIRUX.R 20130627
TrendMicro-HouseCall PE_VIRUX.R 20130627
VBA32 Virus.Virut.14 20130627
VIPRE Virus.Win32.Virut.ce.5 (v) 20130627
ViRobot Win32.Virut.AM 20130627

 

[Broni]

This is actually very bad news

You are infected with a polymorphic file infector (Virut). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf

Backup all your documents and important items only.
DO NOT backup any files mentioned above.

I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.

 

[AlbionPT]

Well, I guess I have to forward the bad news to my work mate.

Time to put this computer aside and pick computer 'C' . I will create a new thread if I see I need help on that one.

Either way: Thanks for all your help Broni! (You can close the thread now)

 

[Broni]

You're very welcome