
Thread: Nasty infection...please help

  1. #1
    Junior Member
    Join Date
    Jun 2012
    Posts
    14

    Nasty infection...please help

    Hi,
    I would like to thank you for your help and assistance in advance...
    Whatever has infected our computers has managed to spread to every single computer we own- it seems that as soon as a drive is formatted and Windows reinstalled it returns. It seems to affect system files and thus does not get recognized by most AV applications. My partner and I are suspecting this might be one of the kernel rootkits/backdoors- whatever it is! We have tried reformatting hard drives to zeros, clearing CMOS, updating BIOS, deleting and updating the MBR, reinstalling different OSes (Linux, Win) and it does not appear to help- we suspect that the virus stores itself in the bad sector files of the drive. Our network activity is crazy as soon as it is connected; it appears the computers gain a life of their own- being able to open/close applications, websites, enable/disable apps... Both my partner and I work within the IT sector and neither of us has come across something this nasty that we have not been able to remove... We have tried all the tools that seem to be available- resorting now to trying to find out how to completely clean drives manually- overwriting the bad sectors. We are also suspecting it is APTs affecting us... but since we have never had to dig this deep it has been very hard to learn so much at once- thus why resorting to the experts appears to be such a brilliant idea!

    Sorry for the long intro- hope it does not scare anyone off and please help...

    Below are the results of the DDS scan:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514
    Run by Cain at 23:02:05 on 2012-06-12
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1526.794 [GMT 10:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    mWinlogon: Userinit=userinit.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    TCP: Interfaces\{722AFB9E-660A-40D8-A243-6E5DB630BA11} : NameServer = 10.0.0.10
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Cain\AppData\Roaming\Mozilla\Firefox\Profiles\lzp9ylmb.default\
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-12 113120]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-12 12:31:16 -------- d-----w- C:\ProgramData\RegRun
    2012-06-12 12:18:13 -------- d-----w- C:\Users\Cain\AppData\Local\ElevatedDiagnostics
    2012-06-12 12:17:45 -------- d-----w- C:\Users\Cain\AppData\Local\Diagnostics
    2012-06-12 12:16:22 37600 ----a-w- C:\Windows\System32\Partizan.exe
    2012-06-12 12:15:59 -------- d-----w- C:\Program Files (x86)\Greatis
    2012-06-12 12:14:15 2 --shatr- C:\Windows\winstart.bat
    2012-06-12 12:13:23 -------- d-----w- C:\Program Files (x86)\UnHackMe
    2012-06-10 03:17:15 -------- d-----w- C:\Windows\Panther
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 23:02:26.53 ===============

    Once again- thank you in advance...... Any help is greatly appreciated

  2. #2
    Anti-Malware Team
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121


    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the Safer-Networking forum and wait for help.

    Failure to post replies within 3 days will result in this thread being closed.

    Hi iohelp and welcome to Safer-Networking

    My name is torreattack, and I will be helping you with your malware problems.

    I'm a Security Team trainee here, and as such my posts to you have to first be checked by a Teacher, because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

    Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.
    Read:
    How to back up or transfer your data on a Windows-based computer
    Backup your data - Vista
    Backup your data - windows 7

    Please observe these rules while we work:
    • Perform all actions in the order given.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with it till you're given the all clear.
    • Remember, absence of symptoms does not mean the infection is all gone.
    • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
    • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.

    If you can do these things, everything should go smoothly.
    • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
    • If you're using Vista or Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator

    It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
    If you haven't done so already, please read this topic "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) where the conditions for receiving help here are explained.

    I am currently reviewing your log and will return, as soon as possible, with additional instructions.

    By the way, while waiting,
    1. Have you backed up your registry with ERUNT?
      Note: You can find the instructions to perform the tasks here.

    Thank you for your patience.
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  3. #3
    Junior Member
    Join Date
    Jun 2012
    Posts
    14


    Thank you for your reply- awaiting your further instructions.

  4. #4
    Anti-Malware Team
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121


    Hi iohelp :

    1. Please tell me, is this computer used for business or connected to a business network?
    If no, please continue... otherwise <STOP> ... post back and let me know.
    Note: Many of these types of systems may have specific modifications made, which could be removed or damaged by the tools we use.
    These altered systems may also hinder our tools, possibly reducing their effectiveness in removing the malware.

    2. No Anti-virus Software Installed!
    Looking over your log... there is NO evidence of anti-virus software installed. This puts you at serious risk.
    Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
    Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

    To protect your computer from infection... download a (free for personal use) anti-virus program from one of these reliable vendors.
    • Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use.
      ** Your PC must run genuine Windows to install Microsoft Security Essentials.
    • Antivir PersonalEdition Classic- Superior detection, the "free" version has no email scan.
    • avast! Free Antivirus - Excellent detection, the freeware version includes email scanning.
    • Note: remember to Uncheck any extra software downloads you may be offered (optional)

    Installing a new AV product.
    1. Download the new Anti-virus product to your computer.
    2. Install the new AV product... following installation instructions.
    3. Check for updates to the new AV product, if not done during install setup.
    4. Run a full scan of your computer.

    It is strongly recommended that you run only one antivirus program at a time.
    Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

    3. Checklist
    Please post:
    • Answer about Business Use computer
    • Antivirus scanning result
    • New DDS log
    • An update on your problems

    note: These logs can be lengthy, please post in several replies if needed. Please ensure you post COMPLETE log. Please do not upload the logs as an attachment.

    Thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others
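The helper's "no anti-virus installed" conclusion above comes from the security-product lines in the DDS header (`AV:`, `SP:`, and, by the same `Name *State* {GUID}` form, `FW:` lines). The parser below is an added example, not part of this thread or of DDS itself; it reads those header lines from constructed excerpts of the two DDS logs posted in this thread and reports the coverage gaps a helper would look for, including the single-active-AV rule stated above.

```python
"""Check a DDS log header for anti-virus coverage (added example, not DDS code)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two DDS headers posted in this thread:
# the first (2012-06-12) lists only Windows Defender as an SP: product,
# the second (2012-06-25) lists Avira as AV: and SP:.
LOG_BEFORE = """\
DDS (Ver_2011-08-26.01) - NTFSAMD64
Run by Cain at 23:02:05 on 2012-06-12
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
"""

LOG_AFTER = """\
DDS (Ver_2011-08-26.01) - NTFSAMD64
Run by Cain at 20:07:32 on 2012-06-25
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
"""

# One product line: kind, name, *State/UpdateState*, {instance GUID}.
# FW: (firewall) is assumed to use the same layout as AV: and SP:.
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|SP|FW):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s*$"
)


@dataclass(frozen=True)
class Product:
    kind: str      # AV = anti-virus, SP = anti-spyware, FW = firewall
    name: str
    enabled: bool
    updated: bool
    guid: str


def parse_products(log: str) -> list[Product]:
    """Return every security product declared in the DDS header."""
    products = []
    for line in log.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if not m:
            continue
        # The state field reads e.g. 'Enabled/Updated' or 'Disabled/Outdated'.
        state = m.group("state").split("/")
        products.append(Product(
            kind=m.group("kind"),
            name=m.group("name"),
            enabled=state[0].lower() == "enabled",
            updated=len(state) > 1 and state[1].lower() == "updated",
            guid=m.group("guid").upper(),
        ))
    return products


def av_findings(log: str) -> list[str]:
    """Findings about anti-virus coverage; an empty list means nothing to flag."""
    avs = [p for p in parse_products(log) if p.kind == "AV"]
    findings = []
    if not avs:
        # No AV: line at all is the evidence for "no anti-virus installed".
        findings.append("no anti-virus product listed")
    active = [p for p in avs if p.enabled]
    if len(active) > 1:
        # Two resident scanners conflict and cause false alerts.
        names = ", ".join(p.name for p in active)
        findings.append(f"more than one anti-virus active: {names}")
    for p in avs:
        if not p.enabled:
            findings.append(f"{p.name} is installed but disabled")
        elif not p.updated:
            findings.append(f"{p.name} is enabled but out of date")
    return findings
```

Windows Defender shows up only as an `SP:` (anti-spyware) entry in both headers, so it does not count as anti-virus coverage here; the first log yields the "no anti-virus product listed" finding and the second yields none.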

  5. #5
    Anti-Malware Team
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121


    Hi iohelp

    3 Day Response Rule
    It has been more than 2 days since my last post to you.
    • Do you still need help with this problem?
    • Do you need more time?
    • Are you having problems understanding or following my instructions?


    thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  6. #6
    Junior Member
    Join Date
    Jun 2012
    Posts
    14


    Hi,
    I still require your help.
    I will post further logs when I get home from work.

  7. #7
    Junior Member
    Join Date
    Jun 2012
    Posts
    14


    Hi,
    Just to let you know- it is not used for business use- it is a personal laptop. I haven't installed anti-virus software on the laptop - only because this issue is kernel based and normally does not get detected by AV software. However- I will install it when I get home and post the new logs for you.

    Thank you for the help so far.
    Iwona

  8. #8
    Junior Member
    Join Date
    Jun 2012
    Posts
    14


    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514
    Run by Cain at 20:07:32 on 2012-06-25
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1526.794 [GMT 10:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\vds.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Program Files (x86)\Ask.com\Updater\Updater.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    mWinlogon: Userinit=userinit.exe
    BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    mRun: [<NO NAME>]
    mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
    TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 211.31.138.11 211.29.132.12
    TCP: Interfaces\{722AFB9E-660A-40D8-A243-6E5DB630BA11} : NameServer = 10.0.0.10
    TCP: Interfaces\{722AFB9E-660A-40D8-A243-6E5DB630BA11} : DhcpNameServer = 208.67.222.222 208.67.220.220 211.31.138.11 211.29.132.12
    BHO-X64: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    BHO-X64: Ask Toolbar BHO - No File
    TB-X64: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    mRun-x64: [(Default)]
    mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Cain\AppData\Roaming\Mozilla\Firefox\Profiles\lzp9ylmb.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10401&locale=en_AU&apn_uid=a2abc1d7-7cfb-4199-9e35-12f9d645d978&apn_ptnrs=^ABZ&apn_sauid=28081A30-A1E8-470C-B581-2A2B039DCAA2&apn_dtid=^YYYYYY^YY^AU&&q=
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-6-25 86224]
    R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-6-25 110032]
    R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2012-6-25 465360]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-12 113120]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-25 07:01:15 -------- d-----w- C:\Users\Cain\AppData\Roaming\Avira
    2012-06-25 02:27:46 -------- d-----w- C:\Program Files (x86)\Ask.com
    2012-06-25 02:27:21 98848 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
    2012-06-25 02:27:21 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
    2012-06-25 02:27:20 -------- d-----w- C:\ProgramData\Avira
    2012-06-25 02:27:20 -------- d-----w- C:\Program Files (x86)\Avira
    2012-06-25 02:26:27 -------- d-sh--w- C:\Windows\Installer
    2012-06-12 12:31:16 -------- d-----w- C:\ProgramData\RegRun
    2012-06-12 12:18:13 -------- d-----w- C:\Users\Cain\AppData\Local\ElevatedDiagnostics
    2012-06-12 12:17:45 -------- d-----w- C:\Users\Cain\AppData\Local\Diagnostics
    2012-06-12 12:16:22 37600 ----a-w- C:\Windows\System32\Partizan.exe
    2012-06-12 12:15:59 -------- d-----w- C:\Program Files (x86)\Greatis
    2012-06-12 12:14:15 2 --shatr- C:\Windows\winstart.bat
    2012-06-12 12:13:23 -------- d-----w- C:\Program Files (x86)\UnHackMe
    2012-06-10 03:17:15 -------- d-----w- C:\Windows\Panther
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 20:08:15.07 ===============

  9. #9
    Anti-Malware Team
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121


    Hi iohelp :

    Let's dig deeper.

    1. RogueKiller
    • Please download RogueKiller by Tigzy and save it to your desktop.
    • Allow the download if prompted by your security software and please close all your programs.
    • Right click on RogueKiller.exe and select " Run as administrator " to run it.
    • If it does not run, please try a few times.
    • Wait for PreScan to finish, then click on Scan.
    • Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
    • Please copy and paste the contents of that log in your next reply.

    2. TDSSKiller
    Please download TDSSKiller.exe and save it to your Desktop.
    • Right click on TDSSKiller.exe and select "Run As Administrator" to run it. If prompted by UAC, please allow it.
    • When TDSSKiller finishes loading, click on Change parameters.
    • Tick Detect TDLFS file system and click OK.
    • Click on Start Scan, the scan will run.
    • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
    • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
    • To find the log go to Start > Computer > C:
    • Post the contents of that log in your next reply please.
    • DO NOT TRY TO FIX ANYTHING AT THIS POINT

    Note: If TDSSKiller still fails to run, try renaming it to another name like agdwm.exe and see whether it can run.

    3. OTL
    Please download OTL by OldTimer. Save it to your Desktop.
    • Right click on OTL.exe and select "Run As Administrator" to run it. If prompted by UAC, please allow it.
    • Under Output, ensure that Minimal Output is selected.
    • Click the Scan All Users checkbox.
      Leave the remaining selections to the default settings.
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTL.txt <-- Will be opened, maximized
      • Extras.txt <-- Will be minimized on task bar.
    • Please post the contents of both OTL.txt and Extras.txt files in your next reply.

    4. Checklist
    Please post:
    • RKreport[x].txt
    • TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt
    • OTL.txt and Extras.txt
    • An update on your problems

    note: These logs can be lengthy, please post in several replies if needed. Please ensure you post COMPLETE log.

    Thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  10. #10
    Junior Member
    Join Date
    Jun 2012
    Posts
    14


    Hello,

    Below are the requested reports- and thank you.

    Rogue Killer:

    RogueKiller V7.5.4 [06/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Cain [Admin rights]
    Mode: Scan -- Date: 06/26/2012 18:10:44

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 7 ¤¤¤
    [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{722AFB9E-660A-40D8-A243-6E5DB630BA11} : NameServer (10.0.0.10) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{722AFB9E-660A-40D8-A243-6E5DB630BA11} : NameServer (10.0.0.10) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS541616J9SA00 ATA Device +++++
    --- User ---
    [MBR] 9145fdef47f377753a4727f622c046cb
    [BSP] f6ab15cb03965ce103355cb4cad85e6c : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
