1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cannot Save Microsoft Documents

Discussion in 'Virus & Other Malware Removal' started by Mikecurran7, Jan 2, 2013.

Thread Status:
Not open for further replies.
Advertisement
  1. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    Hi,

    I got a virus I think a while back and it seems to have done something to my pc. I cannot save Microsoft office Documents down.

    I think I managed to delete the virus however I think it done something to the Registry which might be causing the problem.

    I haver run a HiHack This Log and it is posted below. I appreciuate any help.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 14:01:29, on 02/01/2013
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v9.00 (9.00.8112.16450)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\eSMART\Register.exe
    C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\GTPicThis\GTPicThis.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\USERS\mcurran\Desktop\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [ASMReg] C:\Program Files\eSMART\Register.exe
    O4 - HKLM\..\Run: [DLSService] "C:\Program Files\DYMO\DYMO Label Software\DLSService.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - HKCU\..\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup
    O4 - HKCU\..\Run: [TtvIrurc] D:\USERS\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    O4 - HKCU\..\Run: [Beautiful Christmas Tree] D:\USERS\mcurran\AppData\Local\temp\wz8ab2\BeautifulChristmasTree.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex (User 'Default user')
    O4 - Startup: Picture This.lnk = ?
    O4 - Global Startup: TdmNotify.lnk = C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gti.int
    O17 - HKLM\Software\..\Telephony: DomainName = gti.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gti.int
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gti.int
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    --
    End of file - 7378 bytes


    Thanks,

    M
     
  2. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Hi Mikecurran7, please run the following scan and post the logs.

    If Office has been damaged it may need to be reinstalled to correct the problem, but we shall see how it goes. Make sure you have all your important data backed up before starting.

    1. Download Malwarebytes Anti-Rootkit from this link mbar
    2. Unzip the File to a convenient location. (Recommend the Desktop)
    3. Open the folder where the contents were unzipped to run mbar.exe

    [​IMG]

    4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    [​IMG]

    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

    6. The following image opens, select Next.

    [​IMG]

    7. The following image opens, select Update

    [​IMG]

    8. When the Update completes, select Next

    [​IMG]

    9. In the following window ensure "Targets" are ticked. Then select "Scan"

    [​IMG]

    10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:

    [​IMG]

    11. Do not select the "Clean up Button" select the "Exit" button, there will be a warning as follows:

    [​IMG]

    12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

    [​IMG]

    13. Select "Exit" to close down.
    14. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log Date and time of scan will also be shown

    [​IMG]
     
  3. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    I don't think it a problem with Microsoft Office. I can open and use all the office programs, I can send them on e-mail however I cannot save them down from emails.

    The MBAR Log:

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org
    Database version: v2013.01.02.10
    Windows 7 x86 NTFS
    Internet Explorer 9.0.8112.16421
    mcurran :: 4QLKZ3J [administrator]
    02/01/2013 22:40:34
    mbar-log-2013-01-02 (22-40-34).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 28503
    Time elapsed: 14 minute(s), 35 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 3
    C:\Windows\$NtUninstallKB6481$\400035465\L (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\$NtUninstallKB6481$\400035465\U (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\$NtUninstallKB6481$\400035465 (Backdoor.0Access) -> Delete on reboot.
    Files Detected: 3
    C:\Windows\$NtUninstallKB6481$\400035465\L\[email protected] (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\$NtUninstallKB6481$\400035465\L\xadqgnnk (Backdoor.0Access) -> Delete on reboot.
    (end)


    System Log

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2542555136
    ------------ Kernel report ------------
    01/02/2013 22:23:24
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\ACPI.sys
    \SystemRoot\system32\DRIVERS\WMILIB.SYS
    \SystemRoot\system32\DRIVERS\msisadrv.sys
    \SystemRoot\system32\DRIVERS\pci.sys
    \SystemRoot\system32\DRIVERS\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\DRIVERS\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\DRIVERS\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\vmstorfl.sys
    \SystemRoot\system32\DRIVERS\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\e1y6232.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNs32.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\1394ohci.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\Apfiltr.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\stwrt.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\Drivers\cvusbdrv.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\WinUSB.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\DRIVERS\scfilter.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\mfebopk.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\ws2_32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\imm32.dll
    \Windows\System32\user32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\wininet.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\nsi.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\usp10.dll
    \Windows\System32\sechost.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\lpk.dll
    \Windows\System32\msctf.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff884ec030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff865e1028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2013.01.02.10
    Downloaded database version: v2012.12.27.02
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff884ecd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff865e1028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffff82420c70, 0xffffffff884ec030, 0xffffffff86062ac8
    Lower DeviceData: 0xffffffffadf65a60, 0xffffffff865e1028, 0xffffffff8603a410
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 20075ED7
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 125829120
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 125831168 Numsec = 107970560
    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 233801728 Numsec = 614400
    Partition file system is NTFS
    Partition is bootable
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 120034123776 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-234421648-234441648)...
    Done!
    Performing system, memory and registry scan...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\[email protected] --> [Backdoor.0Access]
    Read File: File "C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde" is compressed (flags = 1)
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\xadqgnnk --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\U --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465 --> [Backdoor.0Access]
    Done!
    Scan finished
    =======================================



    Thanks,

    M
     
  4. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    You have a ZeroAccess Rootkit infection, please run Mbar again as follows:


    1. Download Malwarebytes Anti-Rootkit from this link Mbar
    2. Unzip the File to a convenient location. (Recommend the Desktop)
    3. Open the folder where the contents were unzipped to run mbar.exe

    [​IMG]

    4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    [​IMG]

    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

    6. The following image opens, select Next.

    [​IMG]

    7. The following image opens, select Update.

    [​IMG]

    8. When the update completes select Next.

    [​IMG]

    9. In the following window ensure "Targets" are ticked. Then select "Scan"

    [​IMG]

    10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

    [​IMG]

    11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
    12. If no threats were found you will see the following image, Select Exit:

    [​IMG]

    13. Verify that your system is now running normally, making sure that the following items are functional:

    • Internet access
    • Windows Update
    • Windows Firewall

    14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

    [​IMG]

    15. The following Window will open, Select "Y" from your Keyboard, tap Enter.

    [​IMG]

    16. The fix will be applied, select any key to Exit.

    [​IMG]

    15. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log Date and time of scan will also be shown

    [​IMG]
     
  5. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    I have run those two scans however i cannot seem to open, save or save as any office documents down to my harddrive from Microsoft Outlook or Gmail.

    System Log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2542555136
    ------------ Kernel report ------------
    01/02/2013 22:23:24
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\ACPI.sys
    \SystemRoot\system32\DRIVERS\WMILIB.SYS
    \SystemRoot\system32\DRIVERS\msisadrv.sys
    \SystemRoot\system32\DRIVERS\pci.sys
    \SystemRoot\system32\DRIVERS\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\DRIVERS\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\DRIVERS\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\vmstorfl.sys
    \SystemRoot\system32\DRIVERS\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\e1y6232.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNs32.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\1394ohci.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\Apfiltr.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\stwrt.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\Drivers\cvusbdrv.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\WinUSB.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\DRIVERS\scfilter.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\mfebopk.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\ws2_32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\imm32.dll
    \Windows\System32\user32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\wininet.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\nsi.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\usp10.dll
    \Windows\System32\sechost.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\lpk.dll
    \Windows\System32\msctf.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff884ec030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff865e1028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2013.01.02.10
    Downloaded database version: v2012.12.27.02
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff884ecd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff865e1028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffff82420c70, 0xffffffff884ec030, 0xffffffff86062ac8
    Lower DeviceData: 0xffffffffadf65a60, 0xffffffff865e1028, 0xffffffff8603a410
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 20075ED7
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 125829120
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 125831168 Numsec = 107970560
    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 233801728 Numsec = 614400
    Partition file system is NTFS
    Partition is bootable
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 120034123776 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-234421648-234441648)...
    Done!
    Performing system, memory and registry scan...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\[email protected] --> [Backdoor.0Access]
    Read File: File "C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde" is compressed (flags = 1)
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\xadqgnnk --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\U --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465 --> [Backdoor.0Access]
    Done!
    Scan finished
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2899832832
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2544656384
    ------------ Kernel report ------------
    01/03/2013 01:43:09
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\ACPI.sys
    \SystemRoot\system32\DRIVERS\WMILIB.SYS
    \SystemRoot\system32\DRIVERS\msisadrv.sys
    \SystemRoot\system32\DRIVERS\pci.sys
    \SystemRoot\system32\DRIVERS\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\DRIVERS\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\DRIVERS\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\vmstorfl.sys
    \SystemRoot\system32\DRIVERS\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\e1y6232.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNs32.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\1394ohci.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\Apfiltr.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\stwrt.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\cvusbdrv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WinUSB.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\DRIVERS\scfilter.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\mfebopk.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\imagehlp.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\usp10.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\wininet.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\imm32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\ole32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\user32.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\shell32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR2
    Upper Device Object: 0xffffffff8af07660
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000081\
    Lower Device Object: 0xffffffff85ffe1d8
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff884ec030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff865e7028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff884ecc68, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff884ec030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff865e7028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffffbc971b80, 0xffffffff884ec030, 0xffffffff86411ac8
    Lower DeviceData: 0xffffffffbc0de2e0, 0xffffffff865e7028, 0xffffffff8641ea98
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 20075ED7
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 125829120
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 125831168 Numsec = 107970560
    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 233801728 Numsec = 614400
    Partition file system is NTFS
    Partition is bootable
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 120034123776 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-234421648-234441648)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff8af07660, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff85f64298, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff8af07660, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff85ffe1d8, DeviceName: \Device\00000081\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Upper DeviceData: 0xffffffffbdad99c8, 0xffffffff8af07660, 0xffffffff86424ac8
    Lower DeviceData: 0xffffffffbc3ff9a0, 0xffffffff85ffe1d8, 0xffffffff8641ebd8
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 28F3073A
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 976773105
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Done!
    Performing system, memory and registry scan...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\[email protected] --> [Backdoor.0Access]
    Read File: File "C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde" is compressed (flags = 1)
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L\xadqgnnk --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\L --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465\U --> [Backdoor.0Access]
    Infected: C:\Windows\$NtUninstallKB6481$\400035465 --> [Backdoor.0Access]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal successful. No system shutdown is required.
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2955001856
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7600 Windows 7 x86
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 3707678720, free: 2500816896
    ------------ Kernel report ------------
    01/03/2013 02:53:56
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\ACPI.sys
    \SystemRoot\system32\DRIVERS\WMILIB.SYS
    \SystemRoot\system32\DRIVERS\msisadrv.sys
    \SystemRoot\system32\DRIVERS\pci.sys
    \SystemRoot\system32\DRIVERS\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\DRIVERS\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\DRIVERS\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\vmstorfl.sys
    \SystemRoot\system32\DRIVERS\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\e1y6232.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNs32.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\1394ohci.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\Apfiltr.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\stwrt.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\cvusbdrv.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WinUSB.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\DRIVERS\scfilter.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\mfebopk.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\lpk.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\imm32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\user32.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\psapi.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\sechost.dll
    \Windows\System32\ole32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\wininet.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\usp10.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\devobj.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff884ed030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff865e1028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff884ed030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff884edc68, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff884ed030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff865e1028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffffb48b9540, 0xffffffff884ed030, 0xffffffff863e6798
    Lower DeviceData: 0xffffffffb9017d30, 0xffffffff865e1028, 0xffffffff863a0908
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 20075ED7
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 125829120
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 125831168 Numsec = 107970560
    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 233801728 Numsec = 614400
    Partition file system is NTFS
    Partition is bootable
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 120034123776 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-234421648-234441648)...
    Done!
    Performing system, memory and registry scan...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Scan finished
    =======================================



    MBAR Log:

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org
    Database version: v2013.01.02.10
    Windows 7 x86 NTFS
    Internet Explorer 9.0.8112.16421
    mcurran :: 4QLKZ3J [administrator]
    03/01/2013 03:11:24
    mbar-log-2013-01-03 (03-11-24).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 28500
    Time elapsed: 17 minute(s), 19 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)


    There seems to be no malware found.
     
  6. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    That's what we like to see, we now need to run another tool to check for any left overs. Please follow that with the System File Checker. I've noted your problem with saving Office Documents, as I said earlier if Office is damaged it may need to be reinstalled, we will see if the File Checker finds anything related.

    I can see from the Windows version listed that no Service Pack has been installed, please check that Windows Update is running, you will find it in the Control Panel.

    STEP 1
    NOTE: If you have already used Combofix please delete the icon from your desktop.

    • Please download DeFogger and save it to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will appear.
    • You should now click on the Disable button to disable your CD Emulation drivers.
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.



    STEP 2
    Please download ComboFix [​IMG] from one of the locations below and save it to your Desktop. <-Important!!!


    Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix

    Vista/Windows 7 users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. XP users need to install the Recovery Console first.

    • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them.
    • If ComboFix detects an older version of itself, you will be asked to update the program.
    • ComboFix will begin by showing a Disclaimer. Read it and click I Agree if you want to continue.
    • Follow the prompts and click on Yes to continue scanning for malware.
    • If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
    • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
    • Be sure to re-enable your anti-virus and other security programs.

    -- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
    -- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
    -- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


    If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier. Those instructions only apply to XP, for Vista and Windows 7 go here: Internet connection repair

    NOTE: if you see a message like this when you attempt to open anything after the reboot "Illegal Operation attempted on a registry key that has been marked for deletion" please reboot the system again and the warning should not return.

    ===================================================================


    • Windows 7 System File Checker
    • Click on Start and type cmd in the search box. Right click on cmd in the popup menu and select Run as Administrator.
    • Another box will open, at the Command Prompt, type sfc /scannow and press Enter. (Note the gap between the c and the /)
    • Let the check run to completion. DO NOT reboot the PC or close the cmd window.
    • Copy & Paste the following command at the Command Prompt and press Enter:

    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt

    • This will place a file on your desktop called sfcdetails.txt which contains the results of the scan.
    • Zip up the file and attach it to your next post.
     
  7. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    Combo Scan:

    ComboFix 13-01-03.05 - mcurran 03/01/2013 17:52:11.5.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.353.1033.18.3536.2357 [GMT 0:00]
    Running from: d:\users\mcurran\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\roboot.exe
    d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-03 17:58 . 2013-01-03 18:01 -------- d-----w- d:\users\mcurran\AppData\Local\temp
    2013-01-03 17:58 . 2013-01-03 17:58 -------- d-----w- d:\users\Public\AppData\Local\temp
    2013-01-03 17:58 . 2013-01-03 17:58 -------- d-----w- d:\users\Default\AppData\Local\temp
    2013-01-03 17:58 . 2013-01-03 17:58 -------- d-----w- d:\users\Administrator\AppData\Local\temp
    2013-01-03 03:12 . 2013-01-03 03:12 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD3EDDBF-94CF-46F4-BDED-3258C2EF08EE}\offreg.dll
    2013-01-03 03:03 . 2013-01-03 03:11 -------- d-----w- c:\program files\Magical Jelly Bean
    2013-01-03 03:03 . 2013-01-03 03:03 -------- d-----w- d:\users\mcurran\AppData\Local\Programs
    2013-01-02 14:03 . 2013-01-02 14:03 -------- d-----w- d:\users\mcurran\AppData\Local\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-13 19:29 . 2012-10-20 17:20 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-13 19:29 . 2012-02-16 20:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-11-21 01:25 . 2011-06-29 13:37 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-10-16 22:20 . 2012-10-16 22:20 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-10-16 22:20 . 2012-10-16 22:20 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-10-16 22:20 . 2012-10-16 22:20 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-10-16 22:20 . 2012-10-16 22:20 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-10-16 22:20 . 2012-10-16 22:20 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-10-16 22:20 . 2012-10-16 22:20 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-10-16 22:20 . 2012-10-16 22:20 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-10-16 22:20 . 2012-10-16 22:20 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-10-16 22:20 . 2012-10-16 22:20 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-10-16 22:20 . 2012-10-16 22:20 367104 ----a-w- c:\windows\system32\html.iec
    2012-10-16 22:20 . 2012-10-16 22:20 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-10-16 22:20 . 2012-10-16 22:20 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-10-16 22:20 . 2012-10-16 22:20 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-10-16 22:20 . 2012-10-16 22:20 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-10-16 22:20 . 2012-10-16 22:20 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-10-16 22:20 . 2012-10-16 22:20 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-10-16 22:20 . 2012-10-16 22:20 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-10-16 22:20 . 2012-10-16 22:20 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2012-10-16 22:20 . 2012-10-16 22:20 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-10-16 22:20 . 2012-10-16 22:20 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-10-16 22:20 . 2012-10-16 22:20 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-10-16 22:18 . 2012-10-16 22:18 283648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2012-10-16 22:18 . 2012-10-16 22:18 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2012-10-16 22:18 . 2012-10-16 22:18 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
    2012-10-16 22:18 . 2012-10-16 22:18 801792 ----a-w- c:\windows\system32\FntCache.dll
    2012-10-16 22:18 . 2012-10-16 22:18 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
    2012-10-16 22:18 . 2012-10-16 22:18 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2012-10-16 22:18 . 2012-10-16 22:18 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2012-10-16 22:18 . 2012-10-16 22:18 3181568 ----a-w- c:\windows\system32\mf.dll
    2012-10-16 22:18 . 2012-10-16 22:18 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2012-10-16 22:18 . 2012-10-16 22:18 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
    2012-10-16 22:18 . 2012-10-16 22:18 107520 ----a-w- c:\windows\system32\cdd.dll
    2012-10-12 05:56 . 2012-11-05 20:58 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD3EDDBF-94CF-46F4-BDED-3258C2EF08EE}\mpengine.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2010-08-17 95616]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 151064]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-26 495708]
    "ASMReg"="c:\program files\eSMART\Register.exe" [2011-07-29 65536]
    "DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-01-27 55808]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NCInstallQueue"="netman.dll" [2009-07-14 280576]
    .
    d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-8-13 132456]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1352148485-155271270-1313727497-2865\Scripts\Logon\0\0]
    "Script"=\\gti.int\SysVol\gti.int\scripts\sig.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [x]
    S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [x]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [x]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-03 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-20 19:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.ie/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
    WebBrowser-{7473B6BD-4691-4744-A82B-7854EB3D70B6} - (no file)
    HKCU-Run-TtvIrurc - d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
    SafeBoot-12981907.sys
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(576)
    c:\windows\system32\wvauth.DLL
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    .
    - - - - - - - > 'Explorer.exe'(452)
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
    c:\windows\system32\conhost.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2013-01-03 18:06:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-01-03 18:06
    .
    Pre-Run: 38,899,539,968 bytes free
    Post-Run: 38,605,934,592 bytes free
    .
    - - End Of File - - 452AC2BFFFDC7286AD0778E2C486A73F
     

    Attached Files:

  8. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    The System File Checker found no problems.

    You didn't answer this:

    I can see from the Windows version listed that no Service Pack has been installed, please check that Windows Update is running, you will find it in the Control Panel.

    Please download Farbar Service Scanner and run it on the computer with the issue.

    • Put a check mark in all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  9. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    Microsoft Update:

    It is a work computer and is managed by the Network Admin. I have not connected to the network for over a year. I will be connecting tomorrow so I assume this will sort it.

    Scan Log:

    Farbar Service Scanner Version: 05-01-2013
    Ran by mcurran (administrator) on 06-01-2013 at 21:41:20
    Running from "D:\USERS\mcurran\Desktop"
    Windows 7 Professional (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2012-07-29 00:35] - [2012-03-30 10:29] - 1287024 ____A (Microsoft Corporation) 55E9965552741F3850CB22CBBA9671ED
    C:\Windows\system32\dnsrslvr.dll
    [2011-06-29 13:36] - [2011-03-03 05:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9
    C:\Windows\system32\mpssvc.dll
    [2009-07-13 23:53] - [2009-07-14 01:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E
    C:\Windows\system32\bfe.dll
    [2009-07-13 23:54] - [2009-07-14 01:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll
    [2009-07-13 23:23] - [2009-07-14 01:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446
    C:\Windows\system32\vssvc.exe
    [2009-07-13 23:24] - [2009-07-14 01:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-07-13 23:30] - [2009-07-14 01:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\ipnathlp.dll => MD5 is legit
    C:\Windows\system32\iphlpsvc.dll
    [2009-07-13 23:54] - [2009-07-14 01:15] - 0497152 ____A (Microsoft Corporation) 477397B432A256A50EE7E4339EB9EA14
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****

    Thanks,

    M
     
  10. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    If you had told me this earlier: It is a work computer and is managed by the Network Admin I would not have been able to help you for the following reasons. This site does not give assistance for work computers.

    Since you say this a work computer have you contacted and advised your Domain Administrator, Business Manager, or IT Department?

    In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures unless the IT staff requests our assistance.

    A business/government IT Department generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods.

    During the malware disinfection process there may be changes made to the computer which can involve uninstalling programs, deleting various files and folders, altering settings and removing system policies. There may be restrictions and modifications deliberately installed on business computers that could be damaged or altered by any actions we take. Since we have no way of knowing for sure if these are actually needed for daily operations, malware issues in these cases should be handled by your IT Departments in order to avoid any undesirable results. Further, the malware you are dealing with may have infected the network and the IT Department needs to be advised right away so they can take the appropriate disinfection measures.

    Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. Many helpers are not familiar with Servers and most of the tools we use are restricted to non-commercial use by their creators. We do not have the staff or resources to deal with numerous client machines or the complexities of network disinfection. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business, financial, confidential information or loss of revenue as a result of malware infection or the disinfection process. In some instances the only option may be to reformat and reinstall the operating system which could result in loss of all data.


    ===========================================================================
    Please follow these instructions to correctly remove Combofix. Any remaining issues you have will need to be dealt with by your companies Administrator/IT department.


    To re-enable your CD Emulation drivers if you disabled them, double click DeFogger.exe to run the tool again.


    • The application window will appear.
    • Click the Re-enable button to re-enable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine...click OK.

    To uninstall ComboFix, press the WINKEY + R keys on your keyboard or click on Start [​IMG]and type Run into the search box and hit Enter.
    In the Run box type: ComboFix /Uninstall (Be sure to leave a space before the forward slash).

    [​IMG]


    • Click on OK.
    • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
    • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
    • When it has finished you will see a dialog box stating that "ComboFix has been uninstalled".
    • After that, you can delete the ComboFix.exe program from your computer (Desktop).

    Next

    • Download OTC by OldTimer and save it to your desktop.
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose Run as Administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    -- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
    -- Any leftover folders/files related to ComboFix or other tools which OTC did not remove can be deleted manually (right-click on it and choose delete).



    Please post back when this is complete and let me know if you have had any problems.

    You should advise the Administrator or IT department that this PC had a ZeroAccess infection as it could have allowed the author of the Malware to steal information from the PC. Even though you have not connected this PC to the Network it must have been connected to the Internet to have become infected and as such it should have updated to SP1. As there is always a small risk that the PC is still compromised I would advise you not to connect it to the Network without the Administrator or IT department being aware of it as it could infect the entire Network.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Cannot Save Microsoft
  1. KendraDit
    Replies:
    0
    Views:
    649
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1083372

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice