ComboFix found and fixed ZeroAccess rootkit. I'd still appreciate any help offered in cleaning up the remaining loose ends I haven't spotted.

ComboFix 11-12-06.01 - Pete 12/06/2011  22:09:38.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2681 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\$NtUninstallKB2649$
c:\windows\$NtUninstallKB2649$\2517789265
c:\windows\$NtUninstallKB2649$\3699496664\@
c:\windows\$NtUninstallKB2649$\3699496664\bckfg.tmp
c:\windows\$NtUninstallKB2649$\3699496664\cfg.ini
c:\windows\$NtUninstallKB2649$\3699496664\Desktop.ini
c:\windows\$NtUninstallKB2649$\3699496664\keywords
c:\windows\$NtUninstallKB2649$\3699496664\kwrd.dll
c:\windows\$NtUninstallKB2649$\3699496664\L\akygdmgo
c:\windows\$NtUninstallKB2649$\3699496664\lsflt7.ver
c:\windows\$NtUninstallKB2649$\3699496664\U\00000001.@
c:\windows\$NtUninstallKB2649$\3699496664\U\00000002.@
c:\windows\$NtUninstallKB2649$\3699496664\U\00000004.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000000.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000004.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000032.@
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
c:\windows\tsoc.log
D:\autorun.inf
E:\Autorun.inf
H:\autorun.inf
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it
.
(((((((((((((((((((((((((   Files Created from 2011-11-07 to 2011-12-07  )))))))))))))))))))))))))))))))
.
.
2011-12-06 03:41 . 2011-12-06 03:41	--------	d-----w-	c:\documents and settings\Pete\Application Data\SUPERAntiSpyware.com
2011-12-06 03:41 . 2011-12-06 05:04	--------	d-----w-	c:\program files\SUPERAntiSpyware
2011-12-06 03:41 . 2011-12-06 03:41	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-06 02:17 . 2011-12-06 02:17	--------	d-----w-	c:\program files\Common Files\Java
2011-12-05 20:10 . 2011-12-05 20:21	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-05 20:10 . 2011-12-05 20:13	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-12-05 19:48 . 2011-12-05 19:48	--------	d-----w-	c:\documents and settings\Pete\Application Data\Malwarebytes
2011-12-05 19:48 . 2011-12-05 19:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-05 19:48 . 2011-08-31 22:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-05 19:48 . 2011-12-05 19:48	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 01:09 . 2011-05-25 03:34	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-09-11 01:45	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2011-07-24 04:18	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-11-15 14:52	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2001-08-18 12:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-18 12:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-18 12:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-12 23:18 . 2009-09-26 01:40	29712	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2003-08-21 06:00 . 2010-03-03 04:41	28672	----a-w-	c:\program files\PureText.exe
2000-06-15 11:28 . 2010-03-03 04:41	561152	----a-w-	c:\program files\converter.exe
2011-11-11 01:37 . 2011-03-23 02:15	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"F.lux"="c:\documents and settings\Pete\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-20 1242448]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-04 18702336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-05-18 208896]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-08-25 139264]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]
.
c:\documents and settings\Pete\Start Menu\Programs\Startup\
DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2009-9-16 192512]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-8-8 977408]
PureText.lnk - c:\program files\PureText.exe [2010-3-2 28672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-8 221247]
UltraMon.lnk - c:\windows\Installer\{83CCCBDC-3A56-4F3B-89DF-69386C3B7D62}\IcoUltraMon.ico [2010-1-19 29310]
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2011-1-31 83456]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\backgroundimages\Dual monitor\Yin_and_Yang_by_FalconNL.jpg
FriendlyName=
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54	551296	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:44	12536	----a-w-	c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29	64592	----a-w-	c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1003\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1004\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1005\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\WinTV\\WinTV7\\WinTV7.exe"=
"c:\\Program Files\\WinTV\\Extend\\WinTVExtender.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 ssfs0bbd;ssfs0bbd;c:\windows\system32\drivers\ssfs0bbd.sys [12/17/2009 9:54 PM 28936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/25/2009 8:40 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/25/2009 8:40 PM 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 1:44 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 1:44 PM 308136]
R2 Hauppauge WinTV Extender;Hauppauge WinTV Extender;c:\progra~1\WinTV\Extend\WINTVE~1.EXE [1/31/2011 10:49 PM 67584]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [1/31/2011 10:49 PM 602624]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/12/2009 8:59 PM 132392]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/18/2010 10:14 PM 10448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [9/16/2009 9:03 PM 28160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2011 10:25 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/16/2009 8:10 PM 1684736]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/9/2010 9:27 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2011 10:25 AM 136176]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30906580-7637-43C1-89A2-F045E24B1DA3}]
2009-05-27 21:09	77824	----a-w-	c:\program files\SNL Financial\SNLxl\InstallXLAddinRegKey.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 15:24]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 15:24]
.
2011-12-07 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
2011-12-07 c:\windows\Tasks\SyncToy_MegDocs.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
2011-12-07 c:\windows\Tasks\SyncToy_PeteDocs.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: Interfaces\{711513A9-9B90-433E-8DF8-C9D9864604C8}: NameServer = 8.8.8.8,68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\bb961jkg.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-06 22:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(7452)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\progra~1\WinTV\TVServer\CAPTUR~3.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\MSI\DualCoreCenter\DualCoreCenter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-06  22:29:30 - machine was rebooted
ComboFix-quarantined-files.txt  2011-12-07 03:29
.
Pre-Run: 94,148,349,952 bytes free
Post-Run: 106,013,437,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 9417F7E1B61E127473E1BF85D385390A
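The log above is long, and the items that actually matter for follow-up are scattered across several sections: the fake `$NtUninstallKB2649$` hotfix folder with its `@`, `U\*.@` and `L\` contents (the layout ZeroAccess/Sirefef used to hide its payload), the patched `serial.sys`, `autorun.inf` files on the root of three non-system drives, a Windows Firewall standard profile with `EnableFirewall` set to 0, an RDP exception in `GloballyOpenPorts`, and the interface's configured DNS servers. The script below is an added example written for this page, not part of Pete's post and not ComboFix code: it reads a ComboFix-style log and pulls those items out as a triage list. The ZeroAccess path rule is my own heuristic based on the publicly documented Sirefef folder layout, and the sample input is constructed from a handful of lines copied from the log above, trimmed so the script runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a few lines copied from the ComboFix log in the
# post above, cut down to the sections the rules below look at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB2649$
c:\windows\$NtUninstallKB2649$\3699496664\@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000032.@
c:\windows\$NtUninstallKB2649$\3699496664\L\akygdmgo
c:\windows\system32\drivers\etc\lmhosts
D:\autorun.inf
E:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
------- Supplementary Scan -------
.
TCP: Interfaces\{711513A9-9B90-433E-8DF8-C9D9864604C8}: NameServer = 8.8.8.8,68.94.157.1
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    detail: str


# Heuristic (my assumption, from the documented ZeroAccess/Sirefef layout): a
# fake $NtUninstallKB...$ folder holding a file named "@", a "U" or "L"
# subfolder, or "*.@" payload files. The bare folder alone is not flagged.
ZEROACCESS_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)
ZEROACCESS_MARK = re.compile(r"(\\@$|\\[UL]\\|\.@$)", re.IGNORECASE)
AUTORUN_ROOT = re.compile(r"^[D-Z]:\\autorun\.inf$", re.IGNORECASE)
INFECTED = re.compile(r"^Infected copy of (.+?) was found", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP):[^:]*:(Enabled|Disabled)", re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current registry key so that
    firewall values are only interpreted under the firewall policy keys."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        if ZEROACCESS_DIR.search(line) and ZEROACCESS_MARK.search(line):
            findings.append(Finding("high", "zeroaccess_artifact", line))
            continue
        if AUTORUN_ROOT.match(line):
            findings.append(Finding("medium", "autorun_inf", line))
            continue
        inf = INFECTED.match(line)
        if inf:
            findings.append(Finding("high", "patched_driver", inf.group(1)))
            continue
        ns = NAMESERVER.search(line)
        if ns:
            servers = [s.strip() for s in ns.group(1).split(",") if s.strip()]
            findings.append(Finding("info", "dns_servers", ",".join(servers)))
            continue
        val = REG_VALUE.match(line)
        if val and current_key:
            name, value = val.group(1), val.group(2)
            if (current_key.endswith("firewallpolicy\\standardprofile")
                    and name == "EnableFirewall" and value.startswith("0")):
                findings.append(Finding("high", "firewall_disabled", current_key))
            elif current_key.endswith("globallyopenports\\list"):
                port = OPEN_PORT.match(value)
                if port:
                    number, proto, state = port.groups()
                    sev = "medium" if state.lower() == "enabled" else "info"
                    findings.append(Finding(sev, "global_port_exception",
                                            f"{number}/{proto} {state}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper can see the shape at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:22} {f.detail}")
    print(summarize(results))
```

On the sample input this reports three ZeroAccess artifacts, the disinfected `serial.sys`, two root `autorun.inf` files, the disabled firewall profile, the (disabled) 3389/TCP exception and the two DNS servers. The 3389 entry is reported at "info" rather than "medium" only because the log shows it `Disabled`; the rule promotes it when the same entry reads `Enabled`.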