Solved Trojan.zeroaccess!inf infection

packer68

Posts: 27   +0
I would appreciate help removing this from my wife's pc.

Am I supposed to start the prelim removal process you suggest or wait for your reply?

Thanks
packer68
 
Welcome aboard
yahooo.gif


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Here's result of mbam scan

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.02.07
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19272
Administrator :: WISAVISTALAPTOP [administrator]
8/2/2012 12:56:39 PM
mbam-log-2012-08-02 (12-56-39).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218537
Time elapsed: 9 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\netbt (Rootkit.0Access) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Windows\System32\drivers\netbt.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\phil\AppData\Local\Temp\532914kas16449.exe (Trojan.FakeMS.IEDW) -> Quarantined and deleted successfully.
(end)
I need to reboot - will post others soon
 
Thanks for the help.
DDS.TXT
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 13:37:10 on 2012-08-02
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2030.716 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Norton Internet Security\Engine\19.7.1.5\WSCStub.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.live.com
uDefault_Page_URL = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.7.1.5\ips\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [RoxioDragToDisc] c:\program files\lenovo\drag-to-disc\DrgToDsc.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe /startup
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://allscripts.webex.com/client/T27L10NSP21/webex/ieatgpc1.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{CB0E066F-CDEC-498A-B6BA-5C0BBBE6676C} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{F31A7278-09E0-4255-BC65-2A0AEEB2B1E6} : DhcpNameServer = 209.18.47.61 209.18.47.62
LSA: Notification Packages = scecli ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-11-6 24304]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1307010.005\symds.sys [2012-5-17 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1307010.005\symefa.sys [2012-5-17 905336]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2010-6-16 20592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-12 821920]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1307010.005\ccsetx86.sys [2012-5-17 132744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20120801.001\IDSvix86.sys [2012-8-1 382624]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-11-6 13480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1307010.005\ironx86.sys [2012-5-17 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1307010.005\symtdiv.sys [2012-5-17 345208]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-11-6 132456]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2010-11-6 93032]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.7.1.5\ccsvchst.exe [2012-5-17 138232]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-11-6 75112]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 63928]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-7-10 569344]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-11-6 45496]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-9-8 21360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-02 16:54:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-02 16:54:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-01 04:53:06 -------- d-----w- C:\FRST
2012-07-31 21:44:08 -------- d-----w- c:\users\administrator\appdata\local\NPE
2012-07-31 21:39:32 -------- d-----w- c:\users\administrator\appdata\roaming\FixZeroAccess
2012-07-11 15:04:37 2055680 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 12:01:45 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 12:01:41 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 12:01:41 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 12:01:39 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 12:01:39 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 12:01:39 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
==================== Find3M ====================
.
2012-07-27 00:01:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-27 00:01:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 13:38:00.27 ===============
ATTACH.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 8/31/2008 9:40:55 PM
System Uptime: 8/2/2012 1:28:23 PM (0 hours ago)
.
Motherboard: LENOVO | | 6459CTO
Processor: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz | None | 2401/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 143 GiB total, 79.71 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #2
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0002
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #3
PNP Device ID: ROOT\*TUNMP\0002
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0003
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #4
PNP Device ID: ROOT\*TUNMP\0003
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0004
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #5
PNP Device ID: ROOT\*TUNMP\0004
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0005
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #6
PNP Device ID: ROOT\*TUNMP\0005
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0006
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0006
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0007
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0007
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0008
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0008
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0009
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0009
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0010
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0010
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0011
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0011
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0012
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0012
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0013
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0013
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0014
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0014
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0015
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0015
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0016
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0016
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0017
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0017
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0018
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0018
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0019
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0019
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0020
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0020
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0021
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0021
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0022
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0022
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0023
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0023
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0024
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0024
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0025
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0025
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0026
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0026
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0027
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0027
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0028
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0028
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0029
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0029
Service: tunmp
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Access Help
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11
Apple Application Support
Apple Software Update
Business Contact Manager for Outlook 2007 SP2
CameraHelperMsi
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Client Security Solution
Diskeeper Home
Drag-to-Disc
erLT
Help Center
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Integrated Camera
Intel(R) PRO Network Connections Drivers
InterVideo Register Manager
InterVideo WinDVD
Java Auto Updater
Java(TM) 6 Update 31
Learn Windows Vista
Lenovo Auto Scroll Utility
Lenovo Battery Program
Lenovo Registration
Lenovo System Interface Driver
Lenovo ThinkVantage Toolbox
Logitech Vid HD
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Maintenance Manager
Malwarebytes Anti-Malware version 1.62.0.1300
Message Center
Message Center Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Center For Think Offerings
Norton Internet Security
NVIDIA Drivers
OGA Notifier 2.0.0048.0
On Screen Display
Picasa 3
Presentation Director
Print Server Driver
Productivity Center Supplement for ThinkPad
QuickTime
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Sonic Icons for Lenovo
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
System Migration Assistant
System Update
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Integration Setup
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Wallpapers
WebEx
Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
Windows Driver Package - Ricoh Company MMC Host Controller (08/08/2007 6.00.03.02)
Windows Driver Package - Ricoh Company MS Host Controller (07/30/2007 6.00.01.11)
Windows Driver Package - Ricoh Company xD Host Controller (07/30/2007 6.00.01.13)
Windows Live Mesh ActiveX Control for Remote Connections
.
==== End Of File ===========================
 
My bad!
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-02 13:26:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.BBCZ
Running: yz2jp58k.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kftoruoc.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo)
AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

=====================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Broni,
The RKreport and aswMBR logs are posted. Thanks again for the help.

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date: 08/02/2012 14:32:38
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x826A25C3 -> HOOKED (Unknown @ 0x879E47F0)
SSDT[14] : NtAlertThread @ 0x8261B255 -> HOOKED (Unknown @ 0x87F012F8)
SSDT[18] : NtAllocateVirtualMemory @ 0x826574FB -> HOOKED (Unknown @ 0x879DF318)
SSDT[21] : NtAlpcConnectPort @ 0x825F9887 -> HOOKED (Unknown @ 0x878FE3F0)
SSDT[42] : NtAssignProcessToJobObject @ 0x825CCB43 -> HOOKED (Unknown @ 0x879DF640)
SSDT[67] : NtCreateMutant @ 0x8262F812 -> HOOKED (Unknown @ 0x87A44008)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x825CF35A -> HOOKED (Unknown @ 0x87A30508)
SSDT[78] : NtCreateThread @ 0x826A0BE0 -> HOOKED (Unknown @ 0x879E41E0)
SSDT[116] : NtDebugActiveProcess @ 0x82673D22 -> HOOKED (Unknown @ 0x879DF700)
SSDT[129] : NtDuplicateObject @ 0x82607551 -> HOOKED (Unknown @ 0x879DF4A8)
SSDT[147] : NtFreeVirtualMemory @ 0x82493F1D -> HOOKED (Unknown @ 0x879DF178)
SSDT[156] : NtImpersonateAnonymousToken @ 0x825C9F12 -> HOOKED (Unknown @ 0x879E4910)
SSDT[158] : NtImpersonateThread @ 0x825DF54F -> HOOKED (Unknown @ 0x87A3D9D0)
SSDT[165] : NtLoadDriver @ 0x8257ADEE -> HOOKED (Unknown @ 0x878AF2B8)
SSDT[177] : NtMapViewOfSection @ 0x8261F89A -> HOOKED (Unknown @ 0x879DF098)
SSDT[184] : NtOpenEvent @ 0x82608DCF -> HOOKED (Unknown @ 0x87A44150)
SSDT[194] : NtOpenProcess @ 0x8262FFAE -> HOOKED (Unknown @ 0x879E40C8)
SSDT[195] : NtOpenProcessToken @ 0x82610A2E -> HOOKED (Unknown @ 0x879DF3E8)
SSDT[197] : NtOpenSection @ 0x8262066D -> HOOKED (Unknown @ 0x87999868)
SSDT[201] : NtOpenThread @ 0x8262B4FF -> HOOKED (Unknown @ 0x879DF008)
SSDT[210] : NtProtectVirtualMemory @ 0x826292E2 -> HOOKED (Unknown @ 0x87A306D8)
SSDT[282] : NtResumeThread @ 0x8262AB4A -> HOOKED (Unknown @ 0x879E4FD0)
SSDT[289] : NtSetContextThread @ 0x826A206F -> HOOKED (Unknown @ 0x87A2AB60)
SSDT[305] : NtSetInformationProcess @ 0x826238C8 -> HOOKED (Unknown @ 0x87A2AC40)
SSDT[317] : NtSetSystemInformation @ 0x825F5EEB -> HOOKED (Unknown @ 0x87999720)
SSDT[330] : NtSuspendProcess @ 0x826A24FF -> HOOKED (Unknown @ 0x87A44090)
SSDT[331] : NtSuspendThread @ 0x825A992B -> HOOKED (Unknown @ 0x87A30398)
SSDT[334] : NtTerminateProcess @ 0x82600143 -> HOOKED (Unknown @ 0x879E42C0)
SSDT[335] : NtTerminateThread @ 0x8262B534 -> HOOKED (Unknown @ 0x87A2A9E0)
SSDT[348] : NtUnmapViewOfSection @ 0x8261FB5D -> HOOKED (Unknown @ 0x87A2AD30)
SSDT[358] : NtWriteVirtualMemory @ 0x8261C92D -> HOOKED (Unknown @ 0x879DF248)
SSDT[382] : NtCreateThreadEx @ 0x8262AFE9 -> HOOKED (Unknown @ 0x87A305F8)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x961FCEC0)
S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x974A28F8)
S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x961FFC80)
S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x8782B098)
S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x961FA540)
S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x961FF958)
S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x961FFBB0)
S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x961FFA28)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x974A3CA0)
S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x881DFB88)
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HITACHI HTS542516K9SA00 +++++
--- User ---
[MBR] 0f8ac52cbb51bc118affb4b741b5a8f1
[BSP] b49e413f441beb7cb468d752f53dab9c : Lenovo tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 6438 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 13187072 | Size: 146187 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-02 14:34:18
-----------------------------
14:34:18.809 OS Version: Windows 6.0.6002 Service Pack 2
14:34:18.809 Number of processors: 2 586 0x1706
14:34:18.809 ComputerName: WISAVISTALAPTOP UserName: Administrator
14:34:19.994 Initialize success
14:35:22.569 AVAST engine defs: 12080200
14:35:35.439 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
14:35:35.439 Disk 0 Vendor: HITACHI_ BBCZ Size: 152627MB BusType: 3
14:35:35.470 Disk 0 MBR read successfully
14:35:35.470 Disk 0 MBR scan
14:35:35.470 Disk 0 unknown MBR code
14:35:35.485 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 6438 MB offset 2048
14:35:35.501 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146187 MB offset 13187072
14:35:35.532 Disk 0 scanning sectors +312578048
14:35:35.641 Disk 0 scanning C:\Windows\system32\drivers
14:35:52.630 Service scanning
14:36:27.823 Modules scanning
14:36:39.321 Disk 0 trace - called modules:
14:36:39.352 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
14:36:39.352 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f80ac8]
14:36:39.352 3 CLASSPNP.SYS[889ca8b3] -> nt!IofCallDriver -> [0x854533f0]
14:36:39.367 5 acpi.sys[8068c6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85408028]
14:36:40.179 AVAST engine scan C:\Windows
14:36:44.375 AVAST engine scan C:\Windows\system32
14:40:16.129 AVAST engine scan C:\Windows\system32\drivers
14:40:30.029 AVAST engine scan C:\Users\Administrator
14:41:21.150 AVAST engine scan C:\ProgramData
14:42:57.683 Scan finished successfully
14:44:23.202 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
14:44:23.202 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Broni,
I've run into a snag. ComboFix has been running for over 25 minutes now.
I still have disk activity, but that could be the defrag that comes with Vista on this Lenovo.
Clock is still ticking.
Before I started CF I made sure all aspects of NIS2012 were disabled plus windows firewall, windows defender etc
After CF started it still said my Norton A/V was running so I rechecked it in detail - EVERYTHING was disabled.
I went ahead and ran the scan, but I'm not sure it's going to finish.
I'm still looking at '...may ealisy double'.

Suggestions?

Thanks
 
And just got msg that Windows detected that freeware version of XCALCS has stopped running.
This mabye because of no Internet since CF started?
Just making sure not to worry about it.
 
Broni,
CF finally finished with a msg that I'm infected with RootkitZeroAccess! and has inserted itself in the TCP stack and may be difficut to fix. I then get a ROOTKIT popup saying 'Rootkit is detected. Be patient as this may take some moments.'

Also popup saying Recycle bin on C:\ is corrupted - do you want to empty the Recycle Bin for this drive?

Popup says Combofix has deteted presence of rootkit activity and needs to reboot the machine.

I rebooted, but have not re-enabled Internet access.

This is not what I was hoping to see at all.

Awaiting your call on this one.

Thanks again for all you do.
 
A popup asked if I wanted to empty the recycle bin C:\$Recycle.BIN - 2 files 129bytes total - I said yes, but it hung for over 5 minutes. I cancled it and proceeded to shutdown and reboot the thing.
 
Restarted in safe mode/no network. Started ComboFix - it still says Norton A/V is active. I can uninstall Norton if necessary to go on.
 
OK, I ignored msg about Norton; reran ComboFix from safe mode.
Still says detects rootkit and wanted to reboot so I did to safe mode again. Still no log file.
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
Here you go.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 02-08-2012 19:17:56
Running from F:\
Windows Vista (TM) Business (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r [62312 2010-03-26] (Lenovo Group Limited)
HKLM\...\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor [894312 2010-08-24] (Lenovo Group Limited)
HKLM\...\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog [214576 2010-08-24] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [69560 2010-07-27] (Lenovo Group Limited)
HKLM\...\Run: [] [x]
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [256576 2009-11-30] (Lenovo Group Ltd.)
HKLM\...\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt" [x]
HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-03-04] (Lenovo Group Limited)
HKLM\...\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [217176 2006-11-15] (Diskeeper Corporation)
HKLM\...\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE [91688 2006-11-07] (Lenovo Group Limited)
HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [185688 2009-07-22] (Lenovo Group Limited)
HKLM\...\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe [1116920 2007-03-13] (Roxio)
HKLM\...\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent [2630968 2007-08-09] (Lenovo Group Limited)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start [49976 2009-05-27] ()
HKLM\...\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe [62752 2009-08-20] (Lenovo Group Limited)
HKLM\...\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper [992816 2007-02-26] (Lenovo)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13556256 2008-11-15] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-11-15] (NVIDIA Corporation)
HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1282048 2007-12-07] (Analog Devices, Inc.)
HKLM\...\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe [124248 2009-07-22] (Lenovo Group Limited)
HKLM\...\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe /startup [436800 2009-09-03] (LENOVO)
HKLM\...\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [425984 2011-10-24] (Lenovo)
HKLM\...\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe [188416 2011-10-24] (Lenovo)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKU\Administrator\...\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [x]
HKU\phil\...\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [x]
HKU\phil\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [x]
Lsa: [Notification Packages] scecli
ACGina
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\phil\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
================================ Services (Whitelisted) ==================
2 Diskeeper; "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" [634988 2006-11-15] (Diskeeper Corporation)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 IPSSVC; C:\Windows\System32\IPSSVC.EXE [108080 2007-01-29] (Lenovo Group Limited)
2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [45496 2010-04-07] (Lenovo Group Limited)
2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [93032 2010-04-07] (Lenovo Group Limited)
2 NIS; "C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 TSSCoreService; "C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe" [722232 2007-08-09] (IBM)
2 TVT Backup Protection Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [569344 2007-07-10] ()
2 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [1433600 2010-08-18] (Lenovo Group Limited)
2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2011-08-19] (Logitech Inc.)
3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
2 SUService; c:\program files\lenovo\system update\suservice.exe [x]
2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]
========================== Drivers (Whitelisted) =============
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [821920 2012-06-18] (Symantec Corporation)
1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1307010.005\ccSetx86.sys [132744 2011-11-29] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-05-31] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-31] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120801.001\IDSvix86.sys [382624 2012-06-14] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120801.037\NAVENG.SYS [87928 2012-05-15] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120801.037\NAVEX15.SYS [1589752 2012-05-15] (Symantec Corporation)
2 PROCDD; C:\Windows\System32\DRIVERS\PROCDD.SYS [12080 2006-11-06] (Lenovo Group Limited)
3 SRTSP; C:\Windows\System32\Drivers\NIS\1307010.005\SRTSP.SYS [574072 2012-03-28] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NIS\1307010.005\SRTSPX.SYS [32888 2012-03-28] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NIS\1307010.005\SYMDS.SYS [340088 2011-07-25] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NIS\1307010.005\SYMEFA.SYS [905336 2012-03-28] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-03-23] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NIS\1307010.005\Ironx86.SYS [149624 2012-03-28] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1307010.005\SYMTDIV.SYS [345208 2012-03-28] (Symantec Corporation)
3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-04-10] (Microsoft Corporation)
3 catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys [x]
4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 neokdss; C:\Windows\System32\Drivers\neokdss.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 PCDSRVC{3037D694-FD904ACA-06020000}_0; \??\c:\program files\pc-doctor\pcdsrvc.pkms [x]
3 rcvpn; C:\Windows\System32\DRIVERS\rcvpn.sys [x]
3 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]
3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-02 14:50 - 2012-08-02 14:54 - 00000000 ___SD C:\ComboFix
2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\MSDOS.SYS
2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\IO.SYS
2012-08-02 12:15 - 2012-08-02 12:53 - 00000000 ____D C:\Users\Administrator\Local Settings\Application Data\CrashDumps
2012-08-02 12:15 - 2012-08-02 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
2012-08-02 11:39 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-02 11:39 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-02 11:39 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-02 11:39 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-02 11:39 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-02 11:39 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-02 11:39 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-02 11:39 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-02 11:31 - 2012-08-02 11:39 - 00000000 ____D C:\Qoobox
2012-08-02 11:31 - 2012-08-02 11:31 - 00000000 ____D C:\Windows\erdnt
2012-08-02 11:28 - 2012-08-02 11:28 - 04722680 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2012-08-02 10:44 - 2012-08-02 10:44 - 00001949 ____A C:\Users\Administrator\Desktop\aswMBR.txt
2012-08-02 10:44 - 2012-08-02 10:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
2012-08-02 10:32 - 2012-08-02 10:32 - 00004377 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
2012-08-02 10:31 - 2012-08-02 10:32 - 00000000 ____D C:\Users\Administrator\Desktop\RK_Quarantine
2012-08-02 10:29 - 2012-08-02 10:29 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
2012-08-02 10:28 - 2012-08-02 10:28 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
2012-08-02 09:39 - 2012-08-02 09:39 - 00016894 ____A C:\Users\Administrator\Desktop\Attach.txt
2012-08-02 09:38 - 2012-08-02 09:38 - 00016105 ____A C:\Users\Administrator\Desktop\DDS.txt
2012-08-02 09:31 - 2012-08-02 09:31 - 00607260 ___RA (Swearware) C:\Users\Administrator\Desktop\dds.scr
2012-08-02 09:26 - 2012-08-02 09:26 - 00001179 ____A C:\Users\Administrator\Desktop\gmer.log
2012-08-02 09:22 - 2012-08-02 09:22 - 00302592 ____A C:\Users\Administrator\Desktop\yz2jp58k.exe
2012-08-02 08:54 - 2012-08-02 08:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-08-02 08:54 - 2012-07-03 09:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-02 08:46 - 2012-08-02 08:46 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-31 20:53 - 2012-07-31 20:53 - 00000000 ____D C:\FRST
2012-07-31 13:44 - 2012-08-01 09:30 - 00000000 ____D C:\Users\Administrator\Local Settings\Application Data\NPE
2012-07-31 13:44 - 2012-08-01 09:30 - 00000000 ____D C:\Users\Administrator\AppData\Local\NPE
2012-07-31 13:39 - 2012-07-31 13:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FixZeroAccess
2012-07-11 07:04 - 2012-06-13 05:20 - 02055680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 04:01 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 04:01 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 04:01 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 04:01 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 04:01 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 04:01 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
============ 3 Months Modified Files ========================
2012-08-02 14:55 - 2010-09-19 13:17 - 01211720 ____A C:\Windows\PFRO.log
2012-08-02 14:44 - 2008-08-31 17:39 - 01526387 ____A C:\Windows\WindowsUpdate.log
2012-08-02 14:44 - 2006-11-02 05:01 - 00032546 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-02 14:44 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-02 14:44 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-02 14:44 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-02 14:43 - 2012-06-21 17:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 14:43 - 2008-09-17 13:57 - 00042464 ____A C:\Users\All Users\nvModes.001
2012-08-02 14:43 - 2008-09-08 14:04 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
2012-08-02 13:20 - 2008-08-31 19:00 - 00065946 ____A C:\Windows\System32\LenovoOobeOffers.log
2012-08-02 13:19 - 2007-07-26 22:37 - 00025269 ____A C:\Windows\System32\PROCDB.INI
2012-08-02 13:19 - 2007-07-26 22:37 - 00000380 ____A C:\Windows\System32\IPSCtrl.INI
2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\MSDOS.SYS
2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\IO.SYS
2012-08-02 11:28 - 2012-08-02 11:28 - 04722680 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2012-08-02 10:44 - 2012-08-02 10:44 - 00001949 ____A C:\Users\Administrator\Desktop\aswMBR.txt
2012-08-02 10:44 - 2012-08-02 10:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
2012-08-02 10:32 - 2012-08-02 10:32 - 00004377 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
2012-08-02 10:29 - 2012-08-02 10:29 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
2012-08-02 10:28 - 2012-08-02 10:28 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
2012-08-02 09:39 - 2012-08-02 09:39 - 00016894 ____A C:\Users\Administrator\Desktop\Attach.txt
2012-08-02 09:38 - 2012-08-02 09:38 - 00016105 ____A C:\Users\Administrator\Desktop\DDS.txt
2012-08-02 09:31 - 2012-08-02 09:31 - 00607260 ___RA (Swearware) C:\Users\Administrator\Desktop\dds.scr
2012-08-02 09:26 - 2012-08-02 09:26 - 00001179 ____A C:\Users\Administrator\Desktop\gmer.log
2012-08-02 09:22 - 2012-08-02 09:22 - 00302592 ____A C:\Users\Administrator\Desktop\yz2jp58k.exe
2012-08-02 08:56 - 2010-11-06 06:52 - 00000382 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-08-02 08:46 - 2012-08-02 08:46 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-31 17:00 - 2006-11-02 02:33 - 00847266 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-31 13:41 - 2010-11-06 06:52 - 00000528 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-07-26 16:01 - 2012-04-04 02:59 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-26 16:01 - 2011-05-14 03:13 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-11 10:00 - 2006-11-02 04:47 - 00414424 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 07:03 - 2006-11-02 02:23 - 00000277 ____A C:\Windows\win.ini
2012-07-11 07:00 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-03 09:46 - 2012-08-02 08:54 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 07:15 - 2008-09-08 13:37 - 00008268 ____A C:\Users\phil\AppData\Local\d3d9caps.dat
2012-06-18 07:28 - 2009-01-18 09:21 - 00019968 ____A C:\Users\phil\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-14 16:18 - 2008-09-17 13:57 - 00042464 ____A C:\Users\All Users\nvModes.dat
2012-06-13 05:20 - 2012-07-11 07:04 - 02055680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-11 04:01 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 08:47 - 2012-07-11 04:01 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-11 04:01 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-11 04:01 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 15:32 - 2011-11-06 13:03 - 00000926 ____A C:\Users\phil\Desktop\Dropbox.lnk
2012-06-02 14:19 - 2012-06-18 14:49 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 14:49 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 14:49 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 14:49 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 14:49 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-18 14:49 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-18 14:49 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-18 14:48 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-18 14:48 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 16:04 - 2012-07-11 04:01 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-11 04:01 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-19 04:36 - 2011-11-09 04:06 - 00002214 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2012-05-18 17:00 - 2012-05-18 17:00 - 00001736 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-14 22:37 - 2012-06-12 14:17 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-14 22:37 - 2012-06-12 14:17 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 22:37 - 2012-06-12 14:17 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-14 22:35 - 2012-06-12 14:17 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-14 22:33 - 2012-06-12 14:17 - 06007808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-14 22:33 - 2012-06-12 14:17 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-14 22:33 - 2012-06-12 14:17 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-14 22:33 - 2012-06-12 14:17 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-14 22:33 - 2012-06-12 14:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-14 22:32 - 2012-06-12 14:17 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-14 22:32 - 2012-06-12 14:17 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-14 22:32 - 2012-06-12 14:17 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-05-14 22:31 - 2012-06-12 14:17 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-05-14 21:01 - 2012-06-12 14:17 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-14 19:26 - 2012-06-12 14:17 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-14 19:25 - 2012-06-12 14:17 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-14 19:24 - 2012-06-12 14:17 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-05-14 19:23 - 2012-06-12 14:17 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

ZeroAccess :
C:\Windows\$NtUninstallKB38096$
C:\Windows\$NtUninstallKB38096$\3165202553\L
C:\Windows\$NtUninstallKB38096$\3165202553\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 22%
Total physical RAM: 2029.69 MB
Available physical RAM: 1565.96 MB
Total Pagefile: 1799.16 MB
Available Pagefile: 1629.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.35 MB
======================= Partitions =========================
1 Drive c: (SW_Preload) (Fixed) (Total:142.76 GB) (Free:79.5 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (ServiceV002) (Fixed) (Total:6.29 GB) (Free:0.52 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:1.89 GB) (Free:0.09 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1849 KB
Disk 1 Online 1936 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 6438 MB 1024 KB
Partition 2 Primary 143 GB 6439 MB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E ServiceV002 NTFS Partition 6438 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C SW_Preload NTFS Partition 143 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1936 MB 44 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F FAT32 Removable 1936 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-08-02 13:26
======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-02 19:19:35
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-03 03:16] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:25] - [2008-01-20 18:25] - 0279040 ____N (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2009-07-03 03:16] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
=== End Of Search ===
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally and see if you can run Combofix.
 

Attachments

  • fixlist.txt
    123 bytes · Views: 1
Here's the Fixlog.txt. I was able to boot normally and disable Norton and then run ComboFIx, but it never produced any output.
I checked for C:\combolog.txt but don't find any.
 
oops, Fixlog here

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-02 19:49:33 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\$NtUninstallKB38096$ moved successfully.
==== End of Fixlog ====
 
Back