Trojan.zeroaccess!inf infection

Solved
By packer68
Aug 2, 2012
  1. I would appreciate help removing this from my wife's pc.

    Am I supposed to start the prelim removal process you suggest or wait for your reply?

    Thanks
    packer68
  2. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Here's result of mbam scan

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.02.07
    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19272
    Administrator :: WISAVISTALAPTOP [administrator]
    8/2/2012 12:56:39 PM
    mbam-log-2012-08-02 (12-56-39).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 218537
    Time elapsed: 9 minute(s), 8 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Services\netbt (Rootkit.0Access) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 2
    C:\Windows\System32\drivers\netbt.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Users\phil\AppData\Local\Temp\532914kas16449.exe (Trojan.FakeMS.IEDW) -> Quarantined and deleted successfully.
    (end)
    I need to reboot - will post others soon
  4. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Thanks for the help.
    DDS.TXT
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_31
    Run by Administrator at 13:37:10 on 2012-08-02
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2030.716 [GMT -4:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Windows\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\AEADISRV.EXE
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
    C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
    C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
    C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
    C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
    C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
    C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Norton Internet Security\Engine\19.7.1.5\WSCStub.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://lenovo.live.com
    uDefault_Page_URL = hxxp://lenovo.live.com
    mDefault_Page_URL = hxxp://lenovo.live.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
    BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.7.1.5\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
    mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [<NO NAME>]
    mRun: [TpShocks] TpShocks.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
    mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
    mRun: [RoxioDragToDisc] c:\program files\lenovo\drag-to-disc\DrgToDsc.exe
    mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
    mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
    mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe /startup
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://allscripts.webex.com/client/T27L10NSP21/webex/ieatgpc1.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{CB0E066F-CDEC-498A-B6BA-5C0BBBE6676C} : DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{F31A7278-09E0-4255-BC65-2A0AEEB2B1E6} : DhcpNameServer = 209.18.47.61 209.18.47.62
    LSA: Notification Packages = scecli ACGina
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-11-6 24304]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1307010.005\symds.sys [2012-5-17 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1307010.005\symefa.sys [2012-5-17 905336]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2010-6-16 20592]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-12 821920]
    R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1307010.005\ccsetx86.sys [2012-5-17 132744]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20120801.001\IDSvix86.sys [2012-8-1 382624]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-11-6 13480]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1307010.005\ironx86.sys [2012-5-17 149624]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1307010.005\symtdiv.sys [2012-5-17 345208]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-11-6 132456]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2010-11-6 93032]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.7.1.5\ccsvchst.exe [2012-5-17 138232]
    R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-11-6 75112]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 63928]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-7-10 569344]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-11-6 45496]
    S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
    S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-9-8 21360]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-08-02 16:54:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-02 16:54:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-01 04:53:06 -------- d-----w- C:\FRST
    2012-07-31 21:44:08 -------- d-----w- c:\users\administrator\appdata\local\NPE
    2012-07-31 21:39:32 -------- d-----w- c:\users\administrator\appdata\roaming\FixZeroAccess
    2012-07-11 15:04:37 2055680 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 12:01:45 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2012-07-11 12:01:41 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 12:01:41 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 12:01:39 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 12:01:39 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 12:01:39 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    ==================== Find3M ====================
    .
    2012-07-27 00:01:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-27 00:01:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 13:38:00.27 ===============
    ATTACH.txt
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/31/2008 9:40:55 PM
    System Uptime: 8/2/2012 1:28:23 PM (0 hours ago)
    .
    Motherboard: LENOVO | | 6459CTO
    Processor: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz | None | 2401/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 143 GiB total, 79.71 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #2
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0002
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #3
    PNP Device ID: ROOT\*TUNMP\0002
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0003
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #4
    PNP Device ID: ROOT\*TUNMP\0003
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0004
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #5
    PNP Device ID: ROOT\*TUNMP\0004
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0005
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #6
    PNP Device ID: ROOT\*TUNMP\0005
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0006
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0006
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0007
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0007
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0008
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0008
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0009
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0009
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0010
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0010
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0011
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0011
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0012
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0012
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0013
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0013
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0014
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0014
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0015
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0015
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0016
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0016
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0017
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0017
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0018
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0018
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0019
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0019
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0020
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0020
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0021
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0021
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0022
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0022
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0023
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0023
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0024
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0024
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0025
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0025
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0026
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0026
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0027
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0027
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0028
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0028
    Service: tunmp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0029
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0029
    Service: tunmp
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    2007 Microsoft Office system
    Access Help
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.3)
    Adobe Shockwave Player 11
    Apple Application Support
    Apple Software Update
    Business Contact Manager for Outlook 2007 SP2
    CameraHelperMsi
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Client Security Solution
    Diskeeper Home
    Drag-to-Disc
    erLT
    Help Center
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Integrated Camera
    Intel(R) PRO Network Connections Drivers
    InterVideo Register Manager
    InterVideo WinDVD
    Java Auto Updater
    Java(TM) 6 Update 31
    Learn Windows Vista
    Lenovo Auto Scroll Utility
    Lenovo Battery Program
    Lenovo Registration
    Lenovo System Interface Driver
    Lenovo ThinkVantage Toolbox
    Logitech Vid HD
    Logitech Webcam Software
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Twitter
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Maintenance Manager
    Malwarebytes Anti-Malware version 1.62.0.1300
    Message Center
    Message Center Plus
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Multimedia Center For Think Offerings
    Norton Internet Security
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    On Screen Display
    Picasa 3
    Presentation Director
    Print Server Driver
    Productivity Center Supplement for ThinkPad
    QuickTime
    Registry patch for Windows Vista USB S3 PM Enablement
    Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
    Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
    Registry patch to improve USB device detection on resume from sleep for Windows Vista
    Rescue and Recovery
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Sonic Icons for Lenovo
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    System Migration Assistant
    System Update
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Integration Setup
    ThinkPad Hotkey Features Setup
    ThinkPad Keyboard Customizer Utility
    ThinkPad Mobility Center Customization
    ThinkPad Modem
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    ThinkVantage Productivity Center
    ThinkVantage Technologies Welcome Message
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Wallpapers
    WebEx
    Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
    Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
    Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
    Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
    Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
    Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
    Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
    Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
    Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
    Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
    Windows Driver Package - Ricoh Company MMC Host Controller (08/08/2007 6.00.03.02)
    Windows Driver Package - Ricoh Company MS Host Controller (07/30/2007 6.00.01.11)
    Windows Driver Package - Ricoh Company xD Host Controller (07/30/2007 6.00.01.13)
    Windows Live Mesh ActiveX Control for Remote Connections
    .
    ==== End Of File ===========================
  5. Broni

    Broni Malware Annihilator Posts: 45,279   +243

  6. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    My bad!
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-08-02 13:26:53
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.BBCZ
    Running: yz2jp58k.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kftoruoc.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo)
    AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----
  7. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =====================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  8. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Broni,
    The RKreport and aswMBR logs are posted. Thanks again for the help.

    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User: Administrator [Admin rights]
    Mode: Scan -- Date: 08/02/2012 14:32:38
    ¤¤¤ Bad processes: 0 ¤¤¤
    ¤¤¤ Registry Entries: 3 ¤¤¤
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    SSDT[13] : NtAlertResumeThread @ 0x826A25C3 -> HOOKED (Unknown @ 0x879E47F0)
    SSDT[14] : NtAlertThread @ 0x8261B255 -> HOOKED (Unknown @ 0x87F012F8)
    SSDT[18] : NtAllocateVirtualMemory @ 0x826574FB -> HOOKED (Unknown @ 0x879DF318)
    SSDT[21] : NtAlpcConnectPort @ 0x825F9887 -> HOOKED (Unknown @ 0x878FE3F0)
    SSDT[42] : NtAssignProcessToJobObject @ 0x825CCB43 -> HOOKED (Unknown @ 0x879DF640)
    SSDT[67] : NtCreateMutant @ 0x8262F812 -> HOOKED (Unknown @ 0x87A44008)
    SSDT[77] : NtCreateSymbolicLinkObject @ 0x825CF35A -> HOOKED (Unknown @ 0x87A30508)
    SSDT[78] : NtCreateThread @ 0x826A0BE0 -> HOOKED (Unknown @ 0x879E41E0)
    SSDT[116] : NtDebugActiveProcess @ 0x82673D22 -> HOOKED (Unknown @ 0x879DF700)
    SSDT[129] : NtDuplicateObject @ 0x82607551 -> HOOKED (Unknown @ 0x879DF4A8)
    SSDT[147] : NtFreeVirtualMemory @ 0x82493F1D -> HOOKED (Unknown @ 0x879DF178)
    SSDT[156] : NtImpersonateAnonymousToken @ 0x825C9F12 -> HOOKED (Unknown @ 0x879E4910)
    SSDT[158] : NtImpersonateThread @ 0x825DF54F -> HOOKED (Unknown @ 0x87A3D9D0)
    SSDT[165] : NtLoadDriver @ 0x8257ADEE -> HOOKED (Unknown @ 0x878AF2B8)
    SSDT[177] : NtMapViewOfSection @ 0x8261F89A -> HOOKED (Unknown @ 0x879DF098)
    SSDT[184] : NtOpenEvent @ 0x82608DCF -> HOOKED (Unknown @ 0x87A44150)
    SSDT[194] : NtOpenProcess @ 0x8262FFAE -> HOOKED (Unknown @ 0x879E40C8)
    SSDT[195] : NtOpenProcessToken @ 0x82610A2E -> HOOKED (Unknown @ 0x879DF3E8)
    SSDT[197] : NtOpenSection @ 0x8262066D -> HOOKED (Unknown @ 0x87999868)
    SSDT[201] : NtOpenThread @ 0x8262B4FF -> HOOKED (Unknown @ 0x879DF008)
    SSDT[210] : NtProtectVirtualMemory @ 0x826292E2 -> HOOKED (Unknown @ 0x87A306D8)
    SSDT[282] : NtResumeThread @ 0x8262AB4A -> HOOKED (Unknown @ 0x879E4FD0)
    SSDT[289] : NtSetContextThread @ 0x826A206F -> HOOKED (Unknown @ 0x87A2AB60)
    SSDT[305] : NtSetInformationProcess @ 0x826238C8 -> HOOKED (Unknown @ 0x87A2AC40)
    SSDT[317] : NtSetSystemInformation @ 0x825F5EEB -> HOOKED (Unknown @ 0x87999720)
    SSDT[330] : NtSuspendProcess @ 0x826A24FF -> HOOKED (Unknown @ 0x87A44090)
    SSDT[331] : NtSuspendThread @ 0x825A992B -> HOOKED (Unknown @ 0x87A30398)
    SSDT[334] : NtTerminateProcess @ 0x82600143 -> HOOKED (Unknown @ 0x879E42C0)
    SSDT[335] : NtTerminateThread @ 0x8262B534 -> HOOKED (Unknown @ 0x87A2A9E0)
    SSDT[348] : NtUnmapViewOfSection @ 0x8261FB5D -> HOOKED (Unknown @ 0x87A2AD30)
    SSDT[358] : NtWriteVirtualMemory @ 0x8261C92D -> HOOKED (Unknown @ 0x879DF248)
    SSDT[382] : NtCreateThreadEx @ 0x8262AFE9 -> HOOKED (Unknown @ 0x87A305F8)
    S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x961FCEC0)
    S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x974A28F8)
    S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x961FFC80)
    S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x8782B098)
    S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x961FA540)
    S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x961FF958)
    S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x961FFBB0)
    S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x961FFA28)
    S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x974A3CA0)
    S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x881DFB88)
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: HITACHI HTS542516K9SA00 +++++
    --- User ---
    [MBR] 0f8ac52cbb51bc118affb4b741b5a8f1
    [BSP] b49e413f441beb7cb468d752f53dab9c : Lenovo tatooed MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 6438 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 13187072 | Size: 146187 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-02 14:34:18
    -----------------------------
    14:34:18.809 OS Version: Windows 6.0.6002 Service Pack 2
    14:34:18.809 Number of processors: 2 586 0x1706
    14:34:18.809 ComputerName: WISAVISTALAPTOP UserName: Administrator
    14:34:19.994 Initialize success
    14:35:22.569 AVAST engine defs: 12080200
    14:35:35.439 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    14:35:35.439 Disk 0 Vendor: HITACHI_ BBCZ Size: 152627MB BusType: 3
    14:35:35.470 Disk 0 MBR read successfully
    14:35:35.470 Disk 0 MBR scan
    14:35:35.470 Disk 0 unknown MBR code
    14:35:35.485 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 6438 MB offset 2048
    14:35:35.501 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146187 MB offset 13187072
    14:35:35.532 Disk 0 scanning sectors +312578048
    14:35:35.641 Disk 0 scanning C:\Windows\system32\drivers
    14:35:52.630 Service scanning
    14:36:27.823 Modules scanning
    14:36:39.321 Disk 0 trace - called modules:
    14:36:39.352 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    14:36:39.352 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f80ac8]
    14:36:39.352 3 CLASSPNP.SYS[889ca8b3] -> nt!IofCallDriver -> [0x854533f0]
    14:36:39.367 5 acpi.sys[8068c6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85408028]
    14:36:40.179 AVAST engine scan C:\Windows
    14:36:44.375 AVAST engine scan C:\Windows\system32
    14:40:16.129 AVAST engine scan C:\Windows\system32\drivers
    14:40:30.029 AVAST engine scan C:\Users\Administrator
    14:41:21.150 AVAST engine scan C:\ProgramData
    14:42:57.683 Scan finished successfully
    14:44:23.202 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
    14:44:23.202 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
  9. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  10. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Broni,
    I've run into a snag. ComboFix has been running for over 25 minutes now.
    I still have disk activity, but that could be the defrag that comes with Vista on this Lenovo.
    Clock is still ticking.
    Before I started CF I made sure all aspects of NIS2012 were disabled plus windows firewall, windows defender etc
    After CF started it still said my Norton A/V was running so I rechecked it in detail - EVERYTHING was disabled.
    I went ahead and ran the scan, but I'm not sure it's going to finish.
    I'm still looking at '...may ealisy double'.

    Suggestions?

    Thanks
  11. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    And just got msg that Windows detected that freeware version of XCALCS has stopped running.
    This mabye because of no Internet since CF started?
    Just making sure not to worry about it.
  12. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Broni,
    CF finally finished with a msg that I'm infected with RootkitZeroAccess! and has inserted itself in the TCP stack and may be difficut to fix. I then get a ROOTKIT popup saying 'Rootkit is detected. Be patient as this may take some moments.'

    Also popup saying Recycle bin on C:\ is corrupted - do you want to empty the Recycle Bin for this drive?

    Popup says Combofix has deteted presence of rootkit activity and needs to reboot the machine.

    I rebooted, but have not re-enabled Internet access.

    This is not what I was hoping to see at all.

    Awaiting your call on this one.

    Thanks again for all you do.
  13. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    A popup asked if I wanted to empty the recycle bin C:\$Recycle.BIN - 2 files 129bytes total - I said yes, but it hung for over 5 minutes. I cancled it and proceeded to shutdown and reboot the thing.
     
  14. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Let me know....
  15. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    I'm booted up, but no CF log was created. Internet is disabled for now. Where to next?
  16. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Restart to safe mode and re-run Combofix.
  17. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Restarted in safe mode/no network. Started ComboFix - it still says Norton A/V is active. I can uninstall Norton if necessary to go on.
  18. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    No, in safe mode mode you can disregard that warning.
  19. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    OK, I ignored msg about Norton; reran ComboFix from safe mode.
    Still says detects rootkit and wanted to reboot so I did to safe mode again. Still no log file.
  20. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  21. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Here you go.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 02-08-2012 19:17:56
    Running from F:\
    Windows Vista (TM) Business (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r [62312 2010-03-26] (Lenovo Group Limited)
    HKLM\...\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor [894312 2010-08-24] (Lenovo Group Limited)
    HKLM\...\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog [214576 2010-08-24] ()
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-22] (Synaptics Incorporated)
    HKLM\...\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [69560 2010-07-27] (Lenovo Group Limited)
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [TpShocks] TpShocks.exe [x]
    HKLM\...\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [256576 2009-11-30] (Lenovo Group Ltd.)
    HKLM\...\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt" [x]
    HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-03-04] (Lenovo Group Limited)
    HKLM\...\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [217176 2006-11-15] (Diskeeper Corporation)
    HKLM\...\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE [91688 2006-11-07] (Lenovo Group Limited)
    HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [185688 2009-07-22] (Lenovo Group Limited)
    HKLM\...\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe [1116920 2007-03-13] (Roxio)
    HKLM\...\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent [2630968 2007-08-09] (Lenovo Group Limited)
    HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
    HKLM\...\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start [49976 2009-05-27] ()
    HKLM\...\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe [62752 2009-08-20] (Lenovo Group Limited)
    HKLM\...\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper [992816 2007-02-26] (Lenovo)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13556256 2008-11-15] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-11-15] (NVIDIA Corporation)
    HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1282048 2007-12-07] (Analog Devices, Inc.)
    HKLM\...\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe [124248 2009-07-22] (Lenovo Group Limited)
    HKLM\...\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe /startup [436800 2009-09-03] (LENOVO)
    HKLM\...\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [425984 2011-10-24] (Lenovo)
    HKLM\...\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe [188416 2011-10-24] (Lenovo)
    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
    HKU\Administrator\...\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [x]
    HKU\phil\...\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [x]
    HKU\phil\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [x]
    Lsa: [Notification Packages] scecli
    ACGina
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
    Startup: C:\Users\phil\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    ================================ Services (Whitelisted) ==================
    2 Diskeeper; "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" [634988 2006-11-15] (Diskeeper Corporation)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
    2 IPSSVC; C:\Windows\System32\IPSSVC.EXE [108080 2007-01-29] (Lenovo Group Limited)
    2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [45496 2010-04-07] (Lenovo Group Limited)
    2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [93032 2010-04-07] (Lenovo Group Limited)
    2 NIS; "C:\Program Files\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
    2 TSSCoreService; "C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe" [722232 2007-08-09] (IBM)
    2 TVT Backup Protection Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [569344 2007-07-10] ()
    2 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [1433600 2010-08-18] (Lenovo Group Limited)
    2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2011-08-19] (Logitech Inc.)
    3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
    4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
    2 Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [x]
    2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
    2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
    2 SUService; c:\program files\lenovo\system update\suservice.exe [x]
    2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]
    ========================== Drivers (Whitelisted) =============
    1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [821920 2012-06-18] (Symantec Corporation)
    1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1307010.005\ccSetx86.sys [132744 2011-11-29] (Symantec Corporation)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-05-31] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-31] (Symantec Corporation)
    1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120801.001\IDSvix86.sys [382624 2012-06-14] (Symantec Corporation)
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120801.037\NAVENG.SYS [87928 2012-05-15] (Symantec Corporation)
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120801.037\NAVEX15.SYS [1589752 2012-05-15] (Symantec Corporation)
    2 PROCDD; C:\Windows\System32\DRIVERS\PROCDD.SYS [12080 2006-11-06] (Lenovo Group Limited)
    3 SRTSP; C:\Windows\System32\Drivers\NIS\1307010.005\SRTSP.SYS [574072 2012-03-28] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\NIS\1307010.005\SRTSPX.SYS [32888 2012-03-28] (Symantec Corporation)
    0 SymDS; C:\Windows\System32\drivers\NIS\1307010.005\SYMDS.SYS [340088 2011-07-25] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\NIS\1307010.005\SYMEFA.SYS [905336 2012-03-28] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-03-23] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\NIS\1307010.005\Ironx86.SYS [149624 2012-03-28] (Symantec Corporation)
    1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1307010.005\SYMTDIV.SYS [345208 2012-03-28] (Symantec Corporation)
    3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-04-10] (Microsoft Corporation)
    3 catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys [x]
    4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 neokdss; C:\Windows\System32\Drivers\neokdss.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 PCDSRVC{3037D694-FD904ACA-06020000}_0; \??\c:\program files\pc-doctor\pcdsrvc.pkms [x]
    3 rcvpn; C:\Windows\System32\DRIVERS\rcvpn.sys [x]
    3 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]
    3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-02 14:50 - 2012-08-02 14:54 - 00000000 ___SD C:\ComboFix
    2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\MSDOS.SYS
    2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\IO.SYS
    2012-08-02 12:15 - 2012-08-02 12:53 - 00000000 ____D C:\Users\Administrator\Local Settings\Application Data\CrashDumps
    2012-08-02 12:15 - 2012-08-02 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
    2012-08-02 11:39 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-02 11:39 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-02 11:39 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-02 11:39 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-02 11:39 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-02 11:39 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-02 11:39 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-02 11:39 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-02 11:31 - 2012-08-02 11:39 - 00000000 ____D C:\Qoobox
    2012-08-02 11:31 - 2012-08-02 11:31 - 00000000 ____D C:\Windows\erdnt
    2012-08-02 11:28 - 2012-08-02 11:28 - 04722680 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
    2012-08-02 10:44 - 2012-08-02 10:44 - 00001949 ____A C:\Users\Administrator\Desktop\aswMBR.txt
    2012-08-02 10:44 - 2012-08-02 10:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
    2012-08-02 10:32 - 2012-08-02 10:32 - 00004377 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
    2012-08-02 10:31 - 2012-08-02 10:32 - 00000000 ____D C:\Users\Administrator\Desktop\RK_Quarantine
    2012-08-02 10:29 - 2012-08-02 10:29 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
    2012-08-02 10:28 - 2012-08-02 10:28 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
    2012-08-02 09:39 - 2012-08-02 09:39 - 00016894 ____A C:\Users\Administrator\Desktop\Attach.txt
    2012-08-02 09:38 - 2012-08-02 09:38 - 00016105 ____A C:\Users\Administrator\Desktop\DDS.txt
    2012-08-02 09:31 - 2012-08-02 09:31 - 00607260 ___RA (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-08-02 09:26 - 2012-08-02 09:26 - 00001179 ____A C:\Users\Administrator\Desktop\gmer.log
    2012-08-02 09:22 - 2012-08-02 09:22 - 00302592 ____A C:\Users\Administrator\Desktop\yz2jp58k.exe
    2012-08-02 08:54 - 2012-08-02 08:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-08-02 08:54 - 2012-07-03 09:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-02 08:46 - 2012-08-02 08:46 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
    2012-07-31 20:53 - 2012-07-31 20:53 - 00000000 ____D C:\FRST
    2012-07-31 13:44 - 2012-08-01 09:30 - 00000000 ____D C:\Users\Administrator\Local Settings\Application Data\NPE
    2012-07-31 13:44 - 2012-08-01 09:30 - 00000000 ____D C:\Users\Administrator\AppData\Local\NPE
    2012-07-31 13:39 - 2012-07-31 13:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FixZeroAccess
    2012-07-11 07:04 - 2012-06-13 05:20 - 02055680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 04:01 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 04:01 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 04:01 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 04:01 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 04:01 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 04:01 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    ============ 3 Months Modified Files ========================
    2012-08-02 14:55 - 2010-09-19 13:17 - 01211720 ____A C:\Windows\PFRO.log
    2012-08-02 14:44 - 2008-08-31 17:39 - 01526387 ____A C:\Windows\WindowsUpdate.log
    2012-08-02 14:44 - 2006-11-02 05:01 - 00032546 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-02 14:44 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-02 14:44 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-02 14:44 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-02 14:43 - 2012-06-21 17:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-02 14:43 - 2008-09-17 13:57 - 00042464 ____A C:\Users\All Users\nvModes.001
    2012-08-02 14:43 - 2008-09-08 14:04 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
    2012-08-02 13:20 - 2008-08-31 19:00 - 00065946 ____A C:\Windows\System32\LenovoOobeOffers.log
    2012-08-02 13:19 - 2007-07-26 22:37 - 00025269 ____A C:\Windows\System32\PROCDB.INI
    2012-08-02 13:19 - 2007-07-26 22:37 - 00000380 ____A C:\Windows\System32\IPSCtrl.INI
    2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\MSDOS.SYS
    2012-08-02 13:18 - 2012-08-02 13:18 - 00000000 _RASH C:\IO.SYS
    2012-08-02 11:28 - 2012-08-02 11:28 - 04722680 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
    2012-08-02 10:44 - 2012-08-02 10:44 - 00001949 ____A C:\Users\Administrator\Desktop\aswMBR.txt
    2012-08-02 10:44 - 2012-08-02 10:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
    2012-08-02 10:32 - 2012-08-02 10:32 - 00004377 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
    2012-08-02 10:29 - 2012-08-02 10:29 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
    2012-08-02 10:28 - 2012-08-02 10:28 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
    2012-08-02 09:39 - 2012-08-02 09:39 - 00016894 ____A C:\Users\Administrator\Desktop\Attach.txt
    2012-08-02 09:38 - 2012-08-02 09:38 - 00016105 ____A C:\Users\Administrator\Desktop\DDS.txt
    2012-08-02 09:31 - 2012-08-02 09:31 - 00607260 ___RA (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-08-02 09:26 - 2012-08-02 09:26 - 00001179 ____A C:\Users\Administrator\Desktop\gmer.log
    2012-08-02 09:22 - 2012-08-02 09:22 - 00302592 ____A C:\Users\Administrator\Desktop\yz2jp58k.exe
    2012-08-02 08:56 - 2010-11-06 06:52 - 00000382 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
    2012-08-02 08:46 - 2012-08-02 08:46 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
    2012-07-31 17:00 - 2006-11-02 02:33 - 00847266 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-31 13:41 - 2010-11-06 06:52 - 00000528 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2012-07-26 16:01 - 2012-04-04 02:59 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-26 16:01 - 2011-05-14 03:13 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-11 10:00 - 2006-11-02 04:47 - 00414424 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 07:03 - 2006-11-02 02:23 - 00000277 ____A C:\Windows\win.ini
    2012-07-11 07:00 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 09:46 - 2012-08-02 08:54 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-30 07:15 - 2008-09-08 13:37 - 00008268 ____A C:\Users\phil\AppData\Local\d3d9caps.dat
    2012-06-18 07:28 - 2009-01-18 09:21 - 00019968 ____A C:\Users\phil\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-06-14 16:18 - 2008-09-17 13:57 - 00042464 ____A C:\Users\All Users\nvModes.dat
    2012-06-13 05:20 - 2012-07-11 07:04 - 02055680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 09:47 - 2012-07-11 04:01 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-11 04:01 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-11 04:01 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-11 04:01 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 15:32 - 2011-11-06 13:03 - 00000926 ____A C:\Users\phil\Desktop\Dropbox.lnk
    2012-06-02 14:19 - 2012-06-18 14:49 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-18 14:49 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-18 14:49 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-18 14:49 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-18 14:49 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-18 14:49 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-18 14:49 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-18 14:48 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-18 14:48 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 16:04 - 2012-07-11 04:01 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-11 04:01 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-19 04:36 - 2011-11-09 04:06 - 00002214 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
    2012-05-18 17:00 - 2012-05-18 17:00 - 00001736 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-14 22:37 - 2012-06-12 14:17 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-14 22:37 - 2012-06-12 14:17 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-14 22:37 - 2012-06-12 14:17 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-14 22:35 - 2012-06-12 14:17 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-05-14 22:33 - 2012-06-12 14:17 - 06007808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-14 22:33 - 2012-06-12 14:17 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-05-14 22:33 - 2012-06-12 14:17 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
    2012-05-14 22:33 - 2012-06-12 14:17 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-14 22:33 - 2012-06-12 14:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-05-14 22:32 - 2012-06-12 14:17 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-14 22:32 - 2012-06-12 14:17 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-05-14 22:32 - 2012-06-12 14:17 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2012-05-14 22:31 - 2012-06-12 14:17 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2012-05-14 21:01 - 2012-06-12 14:17 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-05-14 19:26 - 2012-06-12 14:17 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-14 19:25 - 2012-06-12 14:17 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-05-14 19:24 - 2012-06-12 14:17 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    2012-05-14 19:23 - 2012-06-12 14:17 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

    ZeroAccess :
    C:\Windows\$NtUninstallKB38096$
    C:\Windows\$NtUninstallKB38096$\3165202553\L
    C:\Windows\$NtUninstallKB38096$\3165202553\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 22%
    Total physical RAM: 2029.69 MB
    Available physical RAM: 1565.96 MB
    Total Pagefile: 1799.16 MB
    Available Pagefile: 1629.13 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.35 MB
    ======================= Partitions =========================
    1 Drive c: (SW_Preload) (Fixed) (Total:142.76 GB) (Free:79.5 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (ServiceV002) (Fixed) (Total:6.29 GB) (Free:0.52 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: () (Removable) (Total:1.89 GB) (Free:0.09 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 1849 KB
    Disk 1 Online 1936 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 6438 MB 1024 KB
    Partition 2 Primary 143 GB 6439 MB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E ServiceV002 NTFS Partition 6438 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 C SW_Preload NTFS Partition 143 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1936 MB 44 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 F FAT32 Removable 1936 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-08-02 13:26
    ======================= End Of Log ==========================


    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 19:19:35
    Running from F:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-07-03 03:16] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:25] - [2008-01-20 18:25] - 0279040 ____N (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\System32\services.exe
    [2009-07-03 03:16] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    === End Of Search ===
  22. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally and see if you can run Combofix.

    Attached Files:

  23. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    Here's the Fixlog.txt. I was able to boot normally and disable Norton and then run ComboFIx, but it never produced any output.
    I checked for C:\combolog.txt but don't find any.
  24. packer68

    packer68 Newcomer, in training Topic Starter Posts: 27

    oops, Fixlog here

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 19:49:33 Run:1
    Running from F:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
    C:\Windows\$NtUninstallKB38096$ moved successfully.
    ==== End of Fixlog ====
  25. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Re-run Combofix from safe.
    Does it still warn you about a rootkit?


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.