
Laptop infected



CivilDawg
2012-12-03, 01:35
No idea what to do, guys, please help. I am unable to do anything security-related on the laptop: no firewall, Windows Update, etc. MS Security is running and picking up trojans from time to time. Spybot scan is clean.

Thanks,


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.9.2
Run by stowell at 16:16:49 on 2012-12-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3033.2015 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\windows\System32\IgrsSvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\PROGRA~1\Jetico\BCWipe\BCResident.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\stowell\AppData\Local\Akamai\netsession_win.exe
C:\Users\stowell\AppData\Local\Akamai\netsession_win.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe
C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://lenovo.live.com/
uProxyOverride = <local>
uURLSearchHooks: {ece24dcf-8548-4655-b392-47a388721482} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [Akamai NetSession Interface] "c:\users\stowell\appdata\local\akamai\netsession_win.exe"
uRun: [DriverMax] "c:\program files\innovative solutions\drivermax\drivermax.exe" -agent
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\drivermax.exe" -RESTART
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\iastoriconlaunch.exe "c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe" 60
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\users\stowell\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download with GetRight - h:\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Open with GetRight Browser - h:\getright\GRbrowse.htm
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58336019-1C59-4B38-A2B3-73BC57FC76B1} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58336019-1C59-4B38-A2B3-73BC57FC76B1}\16474777966696 : DHCPNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{58336019-1C59-4B38-A2B3-73BC57FC76B1}\2456C6B696E6F574B2D494D4F4F575962756C6563737F5545364331324 : DHCPNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stowell\appdata\roaming\mozilla\firefox\profiles\23yva7os.default\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=5403b8f13b14b199a6226dc54227eeb0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\stowell\appdata\local\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\users\stowell\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\stowell\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2010-4-6 20104]
R0 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys [2012-11-28 532536]
R0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2012-11-28 25656]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 fsh;fsh;c:\windows\system32\drivers\fsh.sys [2009-7-23 39360]
R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-12-10 54800]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2012-11-28 14904]
R2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-12-10 21520]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-12-2 384824]
R3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-12-10 11792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Bridge0;Bridge0;c:\windows\system32\drivers\wdbridge.sys [2009-12-10 63240]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2010-4-6 25864]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-2-5 80184]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2010-4-6 23048]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2010-7-12 28672]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-17 22856]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-2-5 181432]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-24 1343400]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]
S4 AzBusFixService;User-mode service for AzBusFix;c:\windows\system32\AzBusMon.exe [2009-12-10 60928]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2009-7-23 91496]
S4 BCWipeSvc;BCWipe service;c:\program files\jetico\bcwipe\BCWipeSvc.exe [2009-12-24 95544]
S4 IGRS;IGRS;c:\program files\lenovo\readycomm\common\IGRS.exe [2009-7-14 38152]
S4 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\lenovo\readycomm\AppSvc.exe [2009-12-10 414984]
S4 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\lenovo\readycomm\ConnSvc.exe [2009-12-10 472328]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-17 399432]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-17 676936]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-12-02 14:52:25 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-12-02 14:48:08 -------- d-----w- c:\program files\SystemRequirementsLab
2012-12-02 14:21:39 384824 ----a-w- c:\windows\system32\drivers\b57nd60x.sys
2012-12-02 05:08:58 91448 ----a-w- c:\windows\system32\bcmwlcoi.dll
2012-12-02 05:08:58 5193792 ----a-w- c:\windows\system32\drivers\BCMWL6.SYS
2012-12-02 05:08:57 4247552 ----a-w- c:\windows\system32\bcmihvsrv.dll
2012-12-02 05:08:57 3645440 ----a-w- c:\windows\system32\bcmihvui.dll
2012-12-02 04:35:07 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{30177fa0-07f6-4c57-a0f9-09c0b10b194b}\mpengine.dll
2012-12-02 04:19:30 81920 ----a-w- c:\windows\system32\igfxCoIn_v2555.dll
2012-12-02 04:19:29 208896 ----a-w- c:\windows\system32\iglhsip32.dll
2012-12-02 04:19:29 147456 ----a-w- c:\windows\system32\iglhcp32.dll
2012-12-02 04:12:05 -------- d-----w- c:\users\stowell\appdata\local\Innovative Solutions
2012-12-02 04:11:58 -------- d-----w- c:\program files\Innovative Solutions
2012-12-01 16:14:18 -------- d-----w- c:\users\stowell\appdata\local\PC_Drivers_Headquarters
2012-12-01 16:11:50 25726352 ----a-w- c:\users\stowell\IN2VDO12WW5.exe
2012-12-01 16:11:42 -------- d-----w- c:\programdata\APN
2012-12-01 16:11:38 13336344 ----a-w- c:\users\stowell\IN1CAM45WW5.exe
2012-12-01 16:10:34 81223080 ----a-w- c:\users\stowell\IN3VDO09WW5.exe
2012-12-01 16:10:15 32274456 ----a-w- c:\users\stowell\IN1THP01WW5.exe
2012-12-01 16:09:28 68258480 ----a-w- c:\users\stowell\IN3ETN13WW5.exe
2012-12-01 16:09:14 20606896 ----a-w- c:\users\stowell\IN2WLN12WW5.exe
2012-12-01 16:09:12 2539040 ----a-w- c:\users\stowell\IN1WLN32WW5.exe
2012-12-01 16:09:09 3133720 ----a-w- c:\users\stowell\IN1WLN18WW6.exe
2012-12-01 16:08:49 22650240 ----a-w- c:\users\stowell\IN1SRM11WW5.exe
2012-12-01 16:08:11 68258480 ----a-w- c:\users\stowell\IN3ETN05WW6.exe
2012-12-01 16:08:03 7546680 ----a-w- c:\users\stowell\IN1EGC08WW5.exe
2012-12-01 16:07:58 8058464 ----a-w- c:\users\stowell\IN1EGC06WW6.exe
2012-12-01 16:07:55 1254512 ----a-w- c:\users\stowell\IN4CAR04WW5.exe
2012-12-01 16:06:40 139285752 ----a-w- c:\users\stowell\IN7AUD09WW5.exe
2012-12-01 16:06:33 6201344 ----a-w- c:\users\stowell\IN4MDM02WW5.exe
2012-12-01 16:05:39 -------- d-----w- c:\users\stowell\appdata\local\Akamai
2012-12-01 15:58:29 -------- d-----w- c:\users\stowell\appdata\roaming\driveridentifier
2012-12-01 14:09:37 -------- d-----w- c:\program files\VS Revo Group
2012-12-01 13:56:04 -------- d-----w- c:\program files\SmartFTP Client
2012-12-01 13:55:30 -------- d-----w- c:\program files\SmartFTP Client 4.1 Setup Files
2012-12-01 01:07:13 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-29 03:18:47 -------- d-----w- c:\users\stowell\appdata\roaming\Intel Corporation
2012-11-29 03:16:48 -------- d-----w- c:\program files\common files\Intel Corporation
2012-11-29 03:10:56 532536 ----a-w- c:\windows\system32\drivers\iaStorA.sys
2012-11-29 03:10:56 25656 ----a-w- c:\windows\system32\drivers\iaStorF.sys
2012-11-29 00:03:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-28 23:51:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-28 23:51:34 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-26 23:08:13 -------- d-----w- C:\fdabe3326e36645841fb4675ac59
2012-11-06 07:20:52 92624 ----a-w- c:\windows\system32\mfcm110u.dll
.
==================== Find3M ====================
.
2012-11-28 23:51:10 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-24 17:00:10 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-24 17:00:10 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-06 07:20:52 92616 ----a-w- c:\windows\system32\mfcm110.dll
2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ATA_____ rev.0009 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0x88B714B1]<<
c:\windows\system32\drivers\iaStorF.sys Intel Corporation Intel Rapid Storage Technology Filter driver
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x88b7893c]; MOV EAX, [0x88b78ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E7C55A] -> \Device\Harddisk0\DR0[0x887AD030]
3 CLASSPNP[0x8C18159E] -> ntkrnlpa!IofCallDriver[0x82E7C55A] -> [0x887AC520]
5 iaStorF[0x8C3F5138] -> ntkrnlpa!IofCallDriver[0x82E7C55A] -> \0000006b[0x876D4900]
\Driver\iaStorA[0x88CD0968] -> IRP_MJ_CREATE -> 0x88B714B1
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000006b -> \??\SCSI#Disk&Ven_ATA&Prod_FUJITSU_MHZ2160B#4&b214002&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:20:22.91 ===============


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-02 16:39:23
-----------------------------
16:39:23.577 OS Version: Windows 6.1.7601 Service Pack 1
16:39:23.577 Number of processors: 2 586 0x170A
16:39:23.579 ComputerName: LENOVO UserName:
16:39:24.401 Initialize success
16:39:33.892 AVAST engine defs: 12120100
16:39:42.801 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
16:39:42.804 Disk 0 Vendor: ATA_____ 0009 Size: 152627MB BusType: 11
16:39:42.806 Device \Device\0000006b -> \??\SCSI#Disk&Ven_ATA&Prod_FUJITSU_MHZ2160B#4&b214002&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:39:42.810 Disk 0 MBR read error 0
16:39:42.813 Disk 0 MBR scan
16:39:42.820 Disk 0 unknown MBR code
16:39:42.824 MBR BIOS signature not found 0
16:39:42.828 Disk 0 scanning sectors +281638912
16:39:42.894 Disk 0 scanning C:\windows\system32\drivers
16:40:03.231 Service scanning
16:40:24.616 Service MpKsl8b4028dd c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{30177FA0-07F6-4C57-A0F9-09C0B10B194B}\MpKsl8b4028dd.sys **LOCKED** 32
16:40:44.352 Service sptd C:\windows\System32\Drivers\sptd.sys **LOCKED** 32
16:40:56.760 Modules scanning
16:41:06.921 Disk 0 trace - called modules:
16:41:06.935 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0x88b714b1]<<
16:41:06.941 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x887ad030]
16:41:06.948 3 CLASSPNP.SYS[8c18159e] -> nt!IofCallDriver -> [0x887ac520]
16:41:06.954 5 iaStorF.sys[8c3f5138] -> nt!IofCallDriver -> \0000006b[0x876d4900]
16:41:06.961 \Driver\iaStorA[0x88cd0968] -> IRP_MJ_CREATE -> 0x88b714b1
16:41:07.672 AVAST engine scan C:\windows
16:41:11.177 AVAST engine scan C:\windows\system32
16:47:38.374 AVAST engine scan C:\windows\system32\drivers
16:48:02.351 AVAST engine scan C:\Users\stowell
17:09:45.187 AVAST engine scan C:\ProgramData
17:12:49.860 Scan finished successfully
17:18:06.369 Disk 0 MBR has been saved successfully to "C:\Users\stowell\Desktop\MBR.dat"
17:18:06.385 The log file has been saved successfully to "C:\Users\stowell\Desktop\aswMBR.txt"
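
The two scanner logs above point at the same thing: GMER's disk trace reaches code at an address it cannot map to any loaded module, and aswMBR reports the same address, a driver it could not read (sptd.sys, marked **LOCKED**) and MBR code it does not recognise, while the DDS Find3M section lists system+hidden DLLs in system32. The Python below is an added example, not part of the thread or of the DDS/aswMBR tools; it walks a constructed excerpt modelled on those log lines and turns the indicators into a triage verdict.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the DDS and aswMBR lines posted above; it is
# sample input for this example, not a copy of the full logs.
SAMPLE_LOG = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0x88B714B1]<<
\\Driver\\iaStorA[0x88CD0968] -> IRP_MJ_CREATE -> 0x88B714B1
16:40:44.352 Service sptd C:\\windows\\System32\\Drivers\\sptd.sys **LOCKED** 32
16:39:42.820 Disk 0 unknown MBR code
Warning: possible TDL3 rootkit infection !
2006-05-03 09:06:54 163328 --sh--r- c:\\windows\\system32\\flvDX.dll
2012-11-06 07:20:52 92624 ----a-w- c:\\windows\\system32\\mfcm110u.dll
user & kernel MBR OK
"""

# Patterns follow the line shapes visible in the posted logs.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
IRP_RE = re.compile(r"\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)")
LOCKED_RE = re.compile(r"Service (\S+) (\S+) \*\*LOCKED\*\*")
MBR_RE = re.compile(r"Disk \d+ unknown MBR code")
WARN_RE = re.compile(r"^Warning: (.+)$")
# DDS file lines: date time size attributes path; attributes are 8 flag characters.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\d+ +([-a-z]{8}) +(.+)$")

# Indicators that on their own justify escalating to a rootkit-capable cleanup.
ESCALATE = {"unknown_module", "irp_hook", "mbr_unknown", "scanner_warning"}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    unknown_addrs = set()  # addresses the scanners could not map to a module
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            unknown_addrs.add(m.group(1).lower())
            findings.append({"kind": "unknown_module",
                             "detail": f"disk I/O path reaches {m.group(1)}, outside every loaded module"})
            continue
        m = IRP_RE.search(line)
        if m and m.group(3).lower() in unknown_addrs:
            drv, irp, target = m.groups()
            findings.append({"kind": "irp_hook",
                             "detail": f"{drv} {irp} dispatch redirected to {target}"})
            continue
        m = LOCKED_RE.search(line)
        if m:
            findings.append({"kind": "locked_driver",
                             "detail": f"scanner could not read {m.group(1)} at {m.group(2)}"})
            continue
        if MBR_RE.search(line):
            findings.append({"kind": "mbr_unknown", "detail": "boot sector code not recognised"})
            continue
        m = WARN_RE.match(line)
        if m:
            findings.append({"kind": "scanner_warning", "detail": m.group(1).strip()})
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # system+hidden files dropped into system32 are a classic hiding spot
            if "s" in attrs and "h" in attrs and "system32" in path.lower():
                findings.append({"kind": "hidden_system_file",
                                 "detail": f"{path} has attributes {attrs}"})
    return findings


def verdict(findings: List[Dict[str, str]]) -> str:
    """Collapse findings into clean / review / escalate."""
    kinds = {f["kind"] for f in findings}
    if kinds & ESCALATE:
        return "escalate"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
    print("verdict:", verdict(triage(SAMPLE_LOG)))
```

Run against the sample, every line except the clean `----a-w-` file and the "MBR OK" line produces a finding, and the verdict is "escalate", which matches the helper's decision to move from ComboFix to TDSSKiller.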

Blade81
2012-12-03, 07:35
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link: http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

CivilDawg
2012-12-04, 01:45
I am getting a blue screen when running ComboFix. I disabled MS Security Essentials as instructed; however, ComboFix detected that Symantec Endpoint Protection was still running. I am unable to turn off Symantec and see no apparent instance of it in Task Manager. Unable to find any evidence of Symantec anywhere on the PC. I had Symantec installed prior to switching to Microsoft Security Essentials. Also, Windows Update seems to be working again, but updates aren't installing correctly.

Thanks

Blade81
2012-12-04, 07:46
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select skip and click Continue.
4. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

CivilDawg
2012-12-05, 00:06
Text too long to post, see attached.


Thanks

Blade81
2012-12-05, 07:17
Hi,

Please run TDSSKiller again. This time, select Cure for the Pihar-related finding and Skip for the sptd finding. Post back the report.

CivilDawg
2012-12-05, 23:40
See attached

Thanks

Blade81
2012-12-06, 00:21
Please try to run ComboFix now and post back its log + fresh dds logs.

CivilDawg
2012-12-06, 21:22
I ran ComboFix overnight (14 hours) and found the PC in the same state. Restarted the machine, am now attempting to run CF again. It's been running for three hours and has not completed any of the steps past the blue console screen. Please advise.

Thanks

Blade81
2012-12-06, 21:26
Hi,

Please try to run it in safe mode.

CivilDawg
2012-12-07, 00:19
Hi, combofix has been in the same state for 4.5 hours running in safe mode. I'll leave it running until I hear back.


Thanks

Blade81
2012-12-07, 07:49
Please post fresh dds logs.

tashi
2012-12-17, 19:44
This thread has been closed due to inactivity. As it has been three days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include DDS and aswMBR logs with a link to your previous thread.

Applies only to the original poster, anyone else with similar problems please start your own topic.