18 replies to this topic

[AK77]

Noticed "Auto Protect Results" pop-up yesterday. Ran Malwarebytes and got the following:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.10

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
UNC Support :: UNC-L3A8368 [administrator]

Protection: Disabled

7/15/2012 7:53:34 PM
mbam-log-2012-07-15 (19-53-34).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376624
Time elapsed: 51 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.Lameshield) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dneror (Trojan.Agent) -> Data: rundll32.exe "C:\Users\UNC Support\AppData\Roaming\dneror.dll",SetLayerPalette -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|036DFF61D88C86B3C5F5687C2F3B6FDA (Trojan.Lameshield) -> Data: C:\ProgramData\036DFF61D88C86B3C5F5687C2F3B6FDA\036DFF61D88C86B3C5F5687C2F3B6FDA.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\UNC Support\AppData\Roaming\dneror.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\036DFF61D88C86B3C5F5687C2F3B6FDA\036DFF61D88C86B3C5F5687C2F3B6FDA.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\UNC Support\AppData\Local\Temp\mor.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\UNC Support\AppData\Local\Temp\~!#3F0E.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\n (RootKit.0Access) -> Delete on reboot.
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\n (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\00000001.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\UNC Support\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

(end)





Pop-up continues - I ran Malwarebytes again this morning and got the following:


Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
UNC Support :: UNC-L3A8368 [administrator]

Protection: Enabled

7/16/2012 7:51:35 AM
mbam-log-2012-07-16 (07-51-35).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 380446
Time elapsed: 2 hour(s), 25 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\00000001.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)



I tried a system restore, but that didn't complete/work. Would like to avoid reinstall if possible. Any help is appreciated.

Attached Files

•  DDS.txt   17.54K   4 downloads
•  Attach.txt   13.62K   5 downloads

[MrCharlie]

Welcome to the forum.

Your computer is infected with a nasty rootkit. Please read the following information first.

Quote

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• 
  
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
  
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
  
• When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[AK77]

Thanks for the quick response and sorry for the delay on my part. I am running a Lenovo T500 and am having difficulty figuring out how to get to the system recovery options. I can get to "advanced boot options" but there is no option for "repair your computer" and I don't see a way to get a command prompt in Lenovo's Thinkvantage rescue and recovery...any ideas?

[AK77]

The options I get under advanced boot options:

safe mode
safe mode w/ networking
safe mode with command prompt

enable boot logging
enable low-res video
last known good configuration
directory services restore mode
debugging mode
disable auto restart on system failure
disable driver signature enforcement

[MrCharlie]

OK, you're using Vista that's why, try......

safe mode with command prompt

Let me know, MrC

[AK77]

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by UNC Support at 16-07-2012 13:45:33
Running from F:\
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-16 17:11 - 2012-07-16 17:11 - 00001732 ____A C:\tvtpktfilter.dat
2012-07-16 13:45 - 2012-07-16 13:45 - 00000000 ____D C:\FRST
2012-07-15 19:52 - 2012-07-15 19:52 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-15 19:52 - 2012-07-15 19:52 - 00000000 ____D C:\Users\UNC Support\AppData\Roaming\Malwarebytes
2012-07-15 19:52 - 2012-07-15 19:52 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-15 19:52 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-15 19:50 - 2012-07-15 19:50 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\UNC Support\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-15 19:29 - 2012-07-15 19:29 - 00371712 ____A C:\Users\UNC Support\AppData\Roaming\uinsro.dll
2012-07-15 19:29 - 2012-07-15 19:29 - 00000000 ____D C:\Users\UNC Support\AppData\Local\{DBC24DDC-CED4-11E1-8270-B8AC6F996F26}
2012-07-15 19:29 - 2012-07-15 19:29 - 00000000 ____D C:\Users\UNC Support\AppData\Local\{DBC21CAD-CED4-11E1-8270-B8AC6F996F26}
2012-07-13 00:00 - 2012-06-13 09:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 23:56 - 2012-06-02 05:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 23:56 - 2012-06-02 04:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 23:56 - 2012-06-02 04:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 23:56 - 2012-06-02 04:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 23:56 - 2012-06-02 04:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 23:56 - 2012-06-02 04:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 23:56 - 2012-06-02 04:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 23:56 - 2012-06-02 04:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 23:56 - 2012-06-02 04:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 23:56 - 2012-06-02 04:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 23:56 - 2012-06-02 04:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 23:56 - 2012-06-02 04:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 23:56 - 2012-06-02 04:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 23:56 - 2012-06-02 04:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 20:18 - 2012-04-23 12:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-07-12 20:18 - 2012-04-23 12:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-07-12 20:18 - 2012-04-23 12:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-07-12 20:17 - 2012-06-08 13:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-12 20:17 - 2012-06-05 12:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-12 20:17 - 2012-06-05 12:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-12 20:17 - 2012-06-04 11:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-12 20:17 - 2012-06-01 20:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-12 20:17 - 2012-06-01 20:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 23:16 - 2012-07-10 23:18 - 00000000 ____D C:\Program Files\iTunes
2012-07-10 23:16 - 2012-07-10 23:16 - 00000000 ____D C:\Program Files\iPod
2012-07-10 23:00 - 2012-07-10 23:07 - 77251480 ____A (Apple Inc.) C:\Users\UNC Support\Downloads\iTunesSetup.exe
2012-06-22 05:00 - 2012-06-22 05:00 - 00000000 ____D C:\Users\UNC Support\AppData\Local\Macromedia
2012-06-21 09:25 - 2012-06-02 18:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 09:25 - 2012-06-02 18:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 09:25 - 2012-06-02 18:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 09:25 - 2012-06-02 18:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 09:25 - 2012-06-02 18:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 09:25 - 2012-06-02 18:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 09:25 - 2012-06-02 18:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 09:25 - 2012-06-02 15:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 09:25 - 2012-06-02 15:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-16 13:42 - 2008-02-15 15:10 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-16 13:42 - 2006-11-02 09:01 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-16 13:42 - 2006-11-02 09:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-16 13:42 - 2006-11-02 08:48 - 00003872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-16 13:42 - 2006-11-02 08:48 - 00003872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-16 13:41 - 2012-04-18 21:31 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2389554816-3017413336-223386998-1000UA.job
2012-07-16 13:40 - 2012-03-18 17:27 - 00230720 ____A C:\Windows\System32\TPAPSLOG.LOG
2012-07-16 13:38 - 2012-03-18 18:27 - 00001024 ____A C:\Users\UNC Support\.rnd
2012-07-16 12:57 - 2012-05-09 14:19 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-16 12:51 - 2006-11-02 06:33 - 00684638 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-16 10:52 - 2012-03-18 17:01 - 02005861 ____A C:\Windows\WindowsUpdate.log
2012-07-16 10:20 - 2008-01-20 22:47 - 00017034 ____A C:\Windows\PFRO.log
2012-07-15 19:52 - 2012-07-15 19:52 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-15 19:50 - 2012-07-15 19:50 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\UNC Support\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-15 19:29 - 2012-07-15 19:29 - 00371712 ____A C:\Users\UNC Support\AppData\Roaming\uinsro.dll
2012-07-15 19:28 - 2012-05-09 14:19 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-15 19:28 - 2012-03-23 22:55 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-13 12:52 - 2006-11-02 08:47 - 00500416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 00:00 - 2006-11-02 06:23 - 00000219 ____A C:\Windows\win.ini
2012-07-12 23:57 - 2006-11-02 06:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-12 20:43 - 2012-04-18 21:31 - 00002083 ____A C:\Users\UNC Support\Desktop\Google Chrome.lnk
2012-07-12 20:41 - 2012-04-18 21:31 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2389554816-3017413336-223386998-1000Core.job
2012-07-10 23:07 - 2012-07-10 23:00 - 77251480 ____A (Apple Inc.) C:\Users\UNC Support\Downloads\iTunesSetup.exe
2012-07-10 18:04 - 2012-04-03 20:10 - 00000600 ____A C:\Users\UNC Support\AppData\Local\PUTTY.RND
2012-07-03 13:46 - 2012-07-15 19:52 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 23:22 - 2012-05-24 13:09 - 00005632 ____A C:\Users\UNC Support\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-20 08:36 - 2006-11-02 08:52 - 00045943 ____A C:\Windows\setupact.log
2012-06-13 18:18 - 2012-06-13 18:16 - 36127856 ____A (StarNet Communications Corp) C:\Users\UNC Support\Downloads\x-win120-80sf.exe
2012-06-13 09:40 - 2012-07-13 00:00 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 13:47 - 2012-07-12 20:17 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 12:47 - 2012-07-12 20:17 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 12:47 - 2012-07-12 20:17 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 20:11 - 2012-06-04 11:54 - 91913586 ____A C:\Users\UNC Support\lifetest.htm
2012-06-04 11:26 - 2012-07-12 20:17 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 18:19 - 2012-06-21 09:25 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 18:19 - 2012-06-21 09:25 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 18:19 - 2012-06-21 09:25 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 18:19 - 2012-06-21 09:25 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 18:19 - 2012-06-21 09:25 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 18:12 - 2012-06-21 09:25 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 18:12 - 2012-06-21 09:25 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:19 - 2012-06-21 09:25 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:12 - 2012-06-21 09:25 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 05:07 - 2012-07-12 23:56 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:43 - 2012-07-12 23:56 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:33 - 2012-07-12 23:56 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:26 - 2012-07-12 23:56 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:25 - 2012-07-12 23:56 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:25 - 2012-07-12 23:56 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:23 - 2012-07-12 23:56 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:21 - 2012-07-12 23:56 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:20 - 2012-07-12 23:56 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:19 - 2012-07-12 23:56 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 04:19 - 2012-07-12 23:56 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 04:17 - 2012-07-12 23:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 04:16 - 2012-07-12 23:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 04:14 - 2012-07-12 23:56 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:04 - 2012-07-12 20:17 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:03 - 2012-07-12 20:17 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-24 12:58 - 2012-05-24 12:58 - 00932704 ____A (DivX, LLC) C:\Users\UNC Support\Downloads\DivXInstaller.exe
2012-05-23 17:08 - 2012-05-23 17:08 - 39483256 ____A (Apple Inc.) C:\Users\UNC Support\Downloads\QuickTimeInstaller.exe
2012-05-23 16:43 - 2012-05-23 16:43 - 00232592 ____A (Microsoft Corporation) C:\Users\UNC Support\Downloads\l3codecx.exe
2012-05-21 13:42 - 2012-05-21 13:41 - 00019500 ____A C:\Users\UNC Support\Downloads\attachment.ashx
2012-05-15 23:52 - 2012-05-15 23:52 - 01498932 ____A C:\Users\UNC Support\Desktop\This Must Be the Place (Naive Melody).m4r
2012-05-15 23:52 - 2012-05-15 23:52 - 01487339 ____A C:\Users\UNC Support\Desktop\The Boss.m4r
2012-05-15 23:52 - 2012-05-15 23:52 - 01343574 ____A C:\Users\UNC Support\Desktop\Good Times.m4r
2012-05-15 23:52 - 2012-05-15 23:52 - 01271352 ____A C:\Users\UNC Support\Desktop\You Know How We Do It.m4r
2012-05-15 23:52 - 2012-05-15 23:52 - 01269890 ____A C:\Users\UNC Support\Desktop\Panama.m4r
2012-05-15 23:52 - 2012-05-15 23:52 - 00932991 ____A C:\Users\UNC Support\Desktop\Check Yo Self (remix).m4r
2012-05-15 08:04 - 2012-05-12 20:24 - 00000680 ____A C:\Users\UNC Support\AppData\Local\d3d9caps.dat
2012-05-11 13:42 - 2012-05-11 13:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2012-05-11 10:07 - 2012-05-14 17:21 - 04471792 ____A C:\Users\UNC Support\Desktop\SAS Output.mht
2012-05-01 10:03 - 2012-06-14 07:42 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-23 12:00 - 2012-07-12 20:18 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 12:00 - 2012-07-12 20:18 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 12:00 - 2012-07-12 20:18 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-18 20:56 - 2012-04-18 20:56 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2012-04-18 20:56 - 2012-04-18 20:56 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts


ZeroAccess:
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\@
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U
C:\Windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\800000cb.@

ZeroAccess:
C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}
C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\@
C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L
C:\Users\UNC Support\AppData\Local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2519.07 MB
Available physical RAM: 2099.69 MB
Total Pagefile: 5255.2 MB
Available Pagefile: 5022.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1961.76 MB

======================= Partitions =========================

1 Drive c: (UNC PRELOAD) (Fixed) (Total:93.16 GB) (Free:21.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:129.95 GB) (Free:117.61 GB) NTFS
4 Drive f: (Iomega_HDD) (Fixed) (Total:465.76 GB) (Free:390.72 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 15 MB
Disk 1 Online 466 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 93 GB 32 KB
Partition 2 Primary 130 GB 93 GB
Partition 3 OEM 10 GB 223 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C UNC PRELOAD NTFS Partition 93 GB Healthy System (partition with boot components)

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 130 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 466 GB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Iomega_HDD NTFS Partition 466 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-16 13:41

======================= End Of Log ==========================

[MrCharlie]

OK, do you have the vista disk or recovery disk that came with the computer?

MrC

[AK77]

No I don't, unfortunately.

[MrCharlie]

On Vista that's what has to be used to get to the System Recovery Options, we'll do it this way and it should work out OK:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[AK77]

ComboFix 12-07-16.01 - UNC Support 07/16/2012 14:33:17.1.2 - x86
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2519.1212 [GMT -4:00]
Running from: c:\users\UNC Support\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\RCIMGDIR.exe.lnk
c:\windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\@
c:\windows\Installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U\800000cb.@
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy8_!Windows!winsxs!x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-16 to 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-16 18:46 . 2012-07-16 18:46 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-16 17:45 . 2012-07-16 17:45 -------- d-----w- C:\FRST
2012-07-15 23:52 . 2012-07-15 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-15 23:52 . 2012-07-15 23:52 -------- d-----w- c:\programdata\Malwarebytes
2012-07-15 23:52 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-15 23:29 . 2012-07-15 23:31 -------- d-----w- c:\programdata\036DFF61D88C86B3C5F5687C2F3B6FDA
2012-07-13 04:00 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-13 00:18 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-13 00:18 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-13 00:18 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-13 00:17 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-13 00:17 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-13 00:17 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-13 00:17 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-13 00:17 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-13 00:17 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 03:16 . 2012-07-11 03:16 -------- d-----w- c:\program files\iPod
2012-07-11 03:16 . 2012-07-11 03:18 -------- d-----w- c:\program files\iTunes
2012-06-21 13:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 13:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 13:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 13:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 13:25 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 13:25 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 13:25 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 13:25 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 13:25 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 23:28 . 2012-05-09 18:19 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-15 23:28 . 2012-03-24 02:55 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 14:03 . 2012-06-14 11:42 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-05-31 23:34 . 2012-03-25 15:24 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Spotify Web Helper"="c:\users\UNC Support\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
"uinsro"="c:\users\UNC Support\AppData\Roaming\uinsro.dll" [2012-07-15 371712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-21 820520]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-06-06 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-08-12 16384]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-07-28 632096]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-07-28 214576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-12 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-12 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-12 145944]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-31 60192]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-26 992816]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2012-3-18 50688]
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2012-3-24 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictWelcomeCenter"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 21:12 367128 ----a-w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-03-13 13:05 1116920 ----a-w- c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\5U875.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 23:29]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2389554816-3017413336-223386998-1000Core.job
- c:\users\UNC Support\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 01:31]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2389554816-3017413336-223386998-1000UA.job
- c:\users\UNC Support\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unc.edu
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 14:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4040)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\AtService.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-16 14:57:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-16 18:57
.
Pre-Run: 20,465,192,960 bytes free
Post-Run: 21,314,617,344 bytes free
.
- - End Of File - - 8149E78D4C1BA77B98A0C57647F1257C

[MrCharlie]

Please run another scan with RogueKiller and post the new log, MrC

[AK77]

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: UNC Support [Admin rights]
Mode: Scan -- Date: 07/16/2012 15:14:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : uinsro ("C:\Windows\System32\rundll32.exe" "C:\Users\UNC Support\AppData\Roaming\uinsro.dll",GetListeneriv) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-2389554816-3017413336-223386998-1000[...]\Run : uinsro ("C:\Windows\System32\rundll32.exe" "C:\Users\UNC Support\AppData\Roaming\uinsro.dll",GetListeneriv) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8209E5C3 -> HOOKED (Unknown @ 0x8EB9E590)
SSDT[14] : NtAlertThread @ 0x82017255 -> HOOKED (Unknown @ 0x8EB9E650)
SSDT[18] : NtAllocateVirtualMemory @ 0x820534FB -> HOOKED (Unknown @ 0x8EB9E1A8)
SSDT[54] : NtConnectPort @ 0x81FD8B36 -> HOOKED (Unknown @ 0x90F8CBC8)
SSDT[67] : NtCreateMutant @ 0x8202B812 -> HOOKED (Unknown @ 0x90F80920)
SSDT[78] : NtCreateThread @ 0x8209CBE0 -> HOOKED (Unknown @ 0x8EB9E2E8)
SSDT[147] : NtFreeVirtualMemory @ 0x81E8FF1D -> HOOKED (Unknown @ 0x90F80E40)
SSDT[156] : NtImpersonateAnonymousToken @ 0x81FC5F12 -> HOOKED (Unknown @ 0x90F809E0)
SSDT[158] : NtImpersonateThread @ 0x81FDB54F -> HOOKED (Unknown @ 0x8EB9E4D0)
SSDT[177] : NtMapViewOfSection @ 0x8201B89A -> HOOKED (Unknown @ 0x90F80D60)
SSDT[184] : NtOpenEvent @ 0x82004DCF -> HOOKED (Unknown @ 0x90F80860)
SSDT[195] : NtOpenProcessToken @ 0x8200CA2E -> HOOKED (Unknown @ 0x90F8F748)
SSDT[202] : NtOpenThreadToken @ 0x820272AD -> HOOKED (Unknown @ 0x90F80360)
SSDT[282] : NtResumeThread @ 0x82026B4A -> HOOKED (Unknown @ 0x8EA4D328)
SSDT[289] : NtSetContextThread @ 0x8209E06F -> HOOKED (Unknown @ 0x90F802A0)
SSDT[305] : NtSetInformationProcess @ 0x8201F8C8 -> HOOKED (Unknown @ 0x90F80420)
SSDT[306] : NtSetInformationThread @ 0x820042AD -> HOOKED (Unknown @ 0x90F801E0)
SSDT[330] : NtSuspendProcess @ 0x8209E4FF -> HOOKED (Unknown @ 0x90F807A0)
SSDT[331] : NtSuspendThread @ 0x81FA592B -> HOOKED (Unknown @ 0x8EB9E758)
SSDT[334] : NtTerminateProcess @ 0x81FFC143 -> HOOKED (Unknown @ 0x90F8EB28)
SSDT[335] : NtTerminateThread @ 0x82027534 -> HOOKED (Unknown @ 0x90F80160)
SSDT[348] : NtUnmapViewOfSection @ 0x8201BB5D -> HOOKED (Unknown @ 0x90F80CA0)
SSDT[358] : NtWriteVirtualMemory @ 0x8201892D -> HOOKED (Unknown @ 0x8EB9E0D8)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS543225L9SA00 +++++
--- User ---
[MBR] 2e56edb4c9b72c8a56960c2a5bf3473c
[BSP] e93b82b06c1c63458f1940e061e12640 : Lenovo tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95393 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 195365520 | Size: 133067 Mo
2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 467888400 | Size: 9996 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST950032 5AS USB Device +++++
--- User ---
[MBR] 84243cbf335a8d7a42aee796ea27198d
[BSP] fa9dc8a99aca2360186c5c3a5e2edadf : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

[MrCharlie]

Run RogueKiller again and click Scan
When the scan completes > Click the Registry tab
Put a check next to these and uncheck the rest
Now click Delete under Options on the right hand column:

Quote

¤¤¤ Registry Entries: 5 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : uinsro ("C:\Windows\System32\rundll32.exe" "C:\Users\UNC Support\AppData\Roaming\uinsro.dll",GetListeneriv) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-2389554816-3017413336-223386998-1000[...]\Run : uinsro ("C:\Windows\System32\rundll32.exe" "C:\Users\UNC Support\AppData\Roaming\uinsro.dll",GetListeneriv) -> FOUND

Now click on the Files tab
Put a check next to these > uncheck the rest
Now click Delete under Options on the right hand column:

Quote

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\unc support\appdata\local\{23b5c499-59eb-f0a4-4904-c279cda9dafd}\L --> FOUND

Reboot and rescan with RogueKiller and post the new log. MrC

[AK77]

I deleted the registry entries but was not able to delete the files - under the files tab there are no boxes to check/uncheck. When I run the mouse over the delete button it says that it will delete checked registry entries, but does not say anything about deleting the files. I ran scan again to make sure, but was still unable to delete the files - registries were removed. Rebooted and running scan now. I will post the log shortly.

[AK77]

Apparently the files were removed from deleting the registry entries (?) since the files from the first report were not under the files tab after the reboot and rescan.

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: UNC Support [Admin rights]
Mode: Scan -- Date: 07/16/2012 15:41:48

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x820D75C3 -> HOOKED (Unknown @ 0x8F1FB368)
SSDT[14] : NtAlertThread @ 0x82050255 -> HOOKED (Unknown @ 0x8F1FB448)
SSDT[18] : NtAllocateVirtualMemory @ 0x8208C4FB -> HOOKED (Unknown @ 0x8F1F5530)
SSDT[54] : NtConnectPort @ 0x82011B36 -> HOOKED (Unknown @ 0x8F149968)
SSDT[67] : NtCreateMutant @ 0x82064812 -> HOOKED (Unknown @ 0x92434490)
SSDT[78] : NtCreateThread @ 0x820D5BE0 -> HOOKED (Unknown @ 0x8F1EB450)
SSDT[147] : NtFreeVirtualMemory @ 0x81EC8F1D -> HOOKED (Unknown @ 0x8F1F53A0)
SSDT[156] : NtImpersonateAnonymousToken @ 0x81FFEF12 -> HOOKED (Unknown @ 0x92434610)
SSDT[158] : NtImpersonateThread @ 0x8201454F -> HOOKED (Unknown @ 0x8F1FB288)
SSDT[177] : NtMapViewOfSection @ 0x8205489A -> HOOKED (Unknown @ 0x8F1D6850)
SSDT[184] : NtOpenEvent @ 0x8203DDCF -> HOOKED (Unknown @ 0x92434270)
SSDT[195] : NtOpenProcessToken @ 0x82045A2E -> HOOKED (Unknown @ 0x92435388)
SSDT[202] : NtOpenThreadToken @ 0x820602AD -> HOOKED (Unknown @ 0x8F1D6610)
SSDT[282] : NtResumeThread @ 0x8205FB4A -> HOOKED (Unknown @ 0x8F1ED0F0)
SSDT[289] : NtSetContextThread @ 0x820D706F -> HOOKED (Unknown @ 0x8F1CA2E0)
SSDT[305] : NtSetInformationProcess @ 0x820588C8 -> HOOKED (Unknown @ 0x8F1D66D0)
SSDT[306] : NtSetInformationThread @ 0x8203D2AD -> HOOKED (Unknown @ 0x8F1CA220)
SSDT[330] : NtSuspendProcess @ 0x820D74FF -> HOOKED (Unknown @ 0x92434190)
SSDT[331] : NtSuspendThread @ 0x81FDE92B -> HOOKED (Unknown @ 0x8F1CA060)
SSDT[334] : NtTerminateProcess @ 0x82035143 -> HOOKED (Unknown @ 0x8F1F61A8)
SSDT[335] : NtTerminateThread @ 0x82060534 -> HOOKED (Unknown @ 0x8F1CA140)
SSDT[348] : NtUnmapViewOfSection @ 0x82054B5D -> HOOKED (Unknown @ 0x8F1D6790)
SSDT[358] : NtWriteVirtualMemory @ 0x8205192D -> HOOKED (Unknown @ 0x8F1F5460)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS543225L9SA00 +++++
--- User ---
[MBR] 2e56edb4c9b72c8a56960c2a5bf3473c
[BSP] e93b82b06c1c63458f1940e061e12640 : Lenovo tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95393 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 195365520 | Size: 133067 Mo
2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 467888400 | Size: 9996 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[6].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt

[MrCharlie]

You did something right because it's clean..

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[AK77]

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.16.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
UNC Support :: UNC-L3A8368 [administrator]

Protection: Disabled

7/16/2012 3:49:30 PM
mbam-log-2012-07-16 (15-49-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231152
Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Everything appears to be back to normal.

[MrCharlie]

Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!