bootbox

Members
Posts: 13
Reputation: 0 Neutral

  1. MrC saved my bacon! I was happy to donate, appreciate you!!!

  2. Meant to say 'real time protection' in the last line of the last reply
  3. Done, new RogueKiller log:

     RogueKiller V7.6.5 [08/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Safe mode
     User: Rob [Admin rights]
     Mode: Scan -- Date: 08/06/2012 22:31:04

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++
     --- User ---
     [MBR] dfae7f413a547f9b8b44d83a94fbfeb7
     [BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[3].txt >>
     RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

     If this is clean, please let me know how I should handle my currently unplugged internal SATA drives. Should I just shut down and plug them back in, or are the files on them at risk since the drives were attached when the machine was infected? Should I deep scan the drives in safe mode? If so, what program should I use? What real-time scan do you suggest I run? Even if it's not free, I'll buy it tonight if this is clean now.
  4. MBAM log:

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.06.11

     Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
     Internet Explorer 8.0.7601.17514
     Rob :: CLAMPS [administrator]

     8/6/2012 10:08:08 PM
     mbam-log-2012-08-06 (22-08-08).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 209261
     Time elapsed: 1 minute(s), 49 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     New RogueKiller log:

     RogueKiller V7.6.5 [08/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Safe mode
     User: Rob [Admin rights]
     Mode: Scan -- Date: 08/06/2012 22:12:21

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 6 ¤¤¤
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND
     [ZeroAccess][FILE] @ : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++
     --- User ---
     [MBR] dfae7f413a547f9b8b44d83a94fbfeb7
     [BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[2].txt >>
     RKreport[1].txt ; RKreport[2].txt
  5. Excellent, here is my log from that scenario:

     ComboFix 12-08-05.02 - Rob 08/06/2012 21:52:37.1.2 - x64 MINIMAL
     Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1490 [GMT -5:00]
     Running from: c:\users\Rob\Desktop\ComboFix.exe
     SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      * Created a new restore point
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\users\Rob\AppData\Roaming\inst.exe
     c:\users\Rob\AppData\Roaming\vso_ts_preview.xml
     c:\windows\assembly\GAC_32\Desktop.ini
     c:\windows\assembly\GAC_64\Desktop.ini
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L\00000004.@
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L\201d3dde
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\00000004.@
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\80000000.@
     c:\windows\Installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U\80000064.@
     .
     Infected copy of c:\windows\system32\services.exe was found and disinfected
     Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-07-07 to 2012-08-07 )))))))))))))))))))))))))))))))
     .
     .
     2012-08-07 02:57 . 2012-08-07 02:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
     2012-08-07 02:57 . 2012-08-07 02:57 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-08-07 02:08 . 2012-08-07 02:14 -------- d-----w- c:\users\Rob\AppData\Roaming\ImgBurn
     2012-08-07 01:59 . 2012-08-07 01:59 -------- d-----w- c:\program files (x86)\ImgBurn
     2012-08-06 00:56 . 2012-08-06 05:34 -------- d-----w- c:\users\Rob\.explorer.cache
     2012-08-06 00:56 . 2012-08-06 05:33 -------- d-----w- c:\users\Rob\.explorer.local
     2012-08-05 06:47 . 2012-08-05 06:47 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
     2012-07-27 04:36 . 2011-12-07 17:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll
     2012-07-27 04:36 . 2011-06-24 14:44 243200 ----a-w- c:\windows\SysWow64\xvidvfw.dll
     2012-07-27 04:36 . 2011-06-24 14:28 650752 ----a-w- c:\windows\SysWow64\xvidcore.dll
     2012-07-27 04:36 . 2012-06-09 17:21 178688 ----a-w- c:\windows\SysWow64\unrar.dll
     2012-07-27 04:36 . 2011-12-21 17:14 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm
     2012-07-27 04:36 . 2012-07-20 18:00 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll
     2012-07-27 04:36 . 2012-07-27 04:36 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
     2012-07-27 04:29 . 2012-05-26 17:36 204800 ----a-w- c:\windows\system32\unrar64.dll
     2012-07-27 04:29 . 2012-07-27 04:29 -------- d-----w- c:\program files\MPC-HC
     2012-07-22 10:14 . 2004-08-04 05:56 438272 ----a-w- C:\shimgvw.dll
     2012-07-17 02:44 . 2012-07-17 02:45 -------- d-----w- C:\ODIN3_v1.85
     2012-07-09 07:02 . 2012-07-09 07:02 -------- d-----w- c:\program files\SAMSUNG
     2012-07-09 07:01 . 2012-07-09 07:01 -------- d-----w- c:\programdata\Samsung
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-08-05 06:52 . 2012-03-30 01:32 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
     2012-08-05 06:52 . 2011-12-06 06:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
     2012-07-03 18:46 . 2012-05-06 15:16 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-05-11 12:34 . 2012-05-11 12:34 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
     2012-05-11 12:34 . 2012-05-11 12:34 99384 ----a-w- c:\windows\system32\drivers\ssudbus.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-12-06 394616]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-10-26 74752]
     "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
     "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
     "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
     "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
     "Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-07-03 1085000]
     .
     c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     AltTabMouse.exe [2011-12-13 217819]
     SABnzbd.lnk - c:\program files (x86)\SABnzbd\SABnzbd.exe [2011-12-3 349696]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     Subsonic.lnk - c:\program files (x86)\Subsonic\subsonic-agent.exe [2011-12-6 206336]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
     "mixer4"=wdmaud.drv
     .
     R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
     R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
     R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
     R2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
     R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
     R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
     R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
     R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-07-07 174184]
     R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-12-11 82816]
     R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2011-08-11 694376]
     R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
     R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
     R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
     R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
     R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
     S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
     S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
     .
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]
     "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "LoadAppInit_DLLs"=0x0
     .
     ------- Supplementary Scan -------
     .
     uLocal Page = c:\windows\system32\blank.htm
     uStart Page = hxxp://www.google.com/
     mLocal Page = c:\windows\SysWOW64\blank.htm
     uInternet Settings,ProxyOverride = *.local
     TCP: DhcpNameServer = 192.168.1.254
     FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\ehkn62x6.default\
     FF - prefs.js: browser.search.selectedEngine - Firefox Add-ons
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_USERS\S-1-5-21-3045573708-3644854199-1101737973-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*°*"#]
     @Class="Shell"
     @Allowed: (Read) (RestrictedCode)
     .
     [HKEY_USERS\S-1-5-21-3045573708-3644854199-1101737973-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*°*"#\OpenWithList]
     @Class="Shell"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Shockwave Flash Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
     @="0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
     @="ShockwaveFlash.ShockwaveFlash.11"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="ShockwaveFlash.ShockwaveFlash"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Macromedia Flash Factory Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
     @="FlashFactory.FlashFactory.1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="FlashFactory.FlashFactory"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     Completion time: 2012-08-06 22:02:13 - machine was rebooted
     ComboFix-quarantined-files.txt 2012-08-07 03:02
     .
     Pre-Run: 49,998,921,728 bytes free
     Post-Run: 49,737,318,400 bytes free
     .
     - - End Of File - - 45C8159F89E1F22DE423AE6765FC89B2
  6. Just to verify, is it OK that I am running ComboFix in safe mode with no networking or command prompt, while disconnected from the internet (USB wifi adapter unplugged)?
  7. PS I just sent a donation with this thread URL as the reference. I know I can be wordy and I'm freaking out and I appreciate what you're doing here.
  8. I'm just not sure if there are infected files on my non-system internal drives (I disconnected them right away when I shut down after realizing I was infected earlier today and haven't reconnected them since). Here is my RogueKiller log from just the system drive:

     RogueKiller V7.6.5 [08/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Safe mode
     User: Rob [Admin rights]
     Mode: Scan -- Date: 08/06/2012 21:26:41

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 7 ¤¤¤
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Rob\AppData\Local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\n.) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND
     [ZeroAccess][FILE] @ : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\users\rob\appdata\local\{13b6d4e5-cbf9-15c3-1462-4837292b6d69}\L --> FOUND
     [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
     [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
     [susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD800JD-75LSA0 ATA Device +++++
     --- User ---
     [MBR] dfae7f413a547f9b8b44d83a94fbfeb7
     [BSP] 581ba3f537daad75d47438f4f5d214a3 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76190 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  9. Thank you so much for your patience, should I reconnect my internal SATA drives or just have the system drive connected for this scan?
  10. I'm honestly afraid to run that at this point. I'm pretty convinced it's not retail now; it would explain a lot. Is that it? Can we not proceed without this step? If so, quick question: I basically plan to go buy Win 7 tomorrow after work and just format/reinstall. What should I do about my storage drives? I have two other hard drives inside my box that are currently disconnected; they are full of non-system files. Can I just plug them back in after I reinstall Win 7? Is there some way to do a quarantined scan on them to make sure there are no infected files present, waiting to infect my fresh install?
  11. That's odd, I don't have that option at all. Someone built this computer for me ages ago, I wonder if they didn't use a 'real' copy of Win 7
  12. The options in my Advanced Boot Options are: safe mode, safe mode with networking, safe mode with command prompt, enable boot logging, enable low-resolution video, last known good configuration (advanced), directory services restore mode, debugging mode, disable automatic restart on system failure, disable driver signature enforcement, start windows normally.
  13. There is no 'Repair Your Computer' option when I use F8 to get to the Advanced Boot Options, and I don't have a Windows 7 disc. Is there some other term for 'Repair Your Computer' in the Advanced Boot Options of a Windows 7 machine?
  14. Hi, I'm posting this from my non-infected laptop. My desktop is rebooted to safe mode without networking or command prompt after Malwarebytes failed to remove BCMiner, Rootkit.0 and lameshield earlier today. I have unplugged all peripherals from the infected box (including my USB wifi adapter) and also disconnected all but my OS drive, as the other drives are full of music, video, install files, drivers etc. and I'm not sure when to connect those drives again. Please let me know along the way if these drives need to be plugged in while scans run or if they need to be plugged back in only after the system is cleaned etc.; I'm not sure what to do here. I have a USB thumb drive I hope to use to transfer files and logs back and forth between my non-infected laptop and the infected desktop in question. I have attached the requested logs and greatly appreciate any help here, I'm freaking out.

      Attachments: DDS.txt, Attach.txt
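The question that runs through these posts, whether the disconnected data drives can be checked for the same infection before being plugged back in, can be answered in part by looking for the artifact layout the RogueKiller and ComboFix logs above report: a braced-GUID folder holding U and L subfolders and an @ file under c:\windows\installer and under the user's AppData\Local, plus a desktop.ini planted in the GAC_32 and GAC_64 assembly folders, alongside the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin) set to 0 that the tool tagged [HJ]. The script below is an added example written for this page; it is not bootbox's code, nor part of RogueKiller, ComboFix or Malwarebytes. The function names, the temporary sample tree it builds, and the assumption that those two parent folders are the drop points to look for are mine; the GUID it uses is the one from the logs. It is a path-and-name check only, meant to be run from a clean machine against a drive mounted read-only, so a file-level match tells you where to look, not that the drive is clean.

```python
"""Scan a mounted volume for the ZeroAccess drop-point layout reported in the
RogueKiller/ComboFix logs above, and flag the UAC policy values they listed.

Added example (not from the thread or from any of the tools it mentions).
The sample tree below is constructed to mirror the paths in the logs."""
import os
import re
import tempfile

# Drop folder name: a braced GUID, e.g. {13b6d4e5-cbf9-15c3-1462-4837292b6d69}.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# GAC folders in which the logs reported a planted desktop.ini.
GAC_DIRS = ("windows/assembly/gac_32", "windows/assembly/gac_64")

# UAC policy values RogueKiller tagged [HJ] when set to 0.
UAC_POLICY_NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin")


def _rel(root, path):
    """Volume-relative, forward-slashed, lower-cased path for matching."""
    return os.path.relpath(path, root).replace(os.sep, "/").lower()


def _is_drop_parent(rel_dir):
    """True for windows/installer or users/<name>/appdata/local (assumption:
    these are the only parents checked, as in the logs)."""
    parts = rel_dir.split("/")
    return (parts == ["windows", "installer"]
            or (len(parts) == 4 and parts[0] == "users"
                and parts[2:] == ["appdata", "local"]))


def scan_volume(root):
    """Walk a mounted volume; return sorted (tag, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = _rel(root, dirpath)
        if _is_drop_parent(rel):
            for name in dirnames:
                if not GUID_DIR.match(name):
                    continue
                full = os.path.join(dirpath, name)
                children = set(os.listdir(full))
                # The log shows U + L subfolders and an '@' file together;
                # either signal alone is enough to report the folder.
                if {"U", "L"} <= children or "@" in children:
                    findings.append(("ZeroAccess", full))
        if rel in GAC_DIRS:
            for name in filenames:
                if name.lower() == "desktop.ini":
                    findings.append(("ZeroAccess", os.path.join(dirpath, name)))
    return sorted(findings)


def check_uac_policy(values):
    """Given exported policy values, return the names that are set to 0."""
    return [n for n in UAC_POLICY_NAMES if values.get(n) == 0]


def build_sample_tree():
    """Constructed sample: a temp tree mirroring the paths from the logs,
    plus one benign braced-GUID folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="za_sample_")
    guid = "{13b6d4e5-cbf9-15c3-1462-4837292b6d69}"
    for parent in ("windows/installer", "users/rob/appdata/local"):
        base = os.path.join(root, parent, guid)
        os.makedirs(os.path.join(base, "U"))
        os.makedirs(os.path.join(base, "L"))
        open(os.path.join(base, "@"), "wb").close()
    for gac in ("windows/assembly/GAC_32", "windows/assembly/GAC_64"):
        os.makedirs(os.path.join(root, gac))
        open(os.path.join(root, gac, "Desktop.ini"), "wb").close()
    os.makedirs(os.path.join(root, "programdata",
                             "{00000000-0000-0000-0000-000000000000}"))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for tag, path in scan_volume(sample):
        print(f"[{tag}] {path} --> FOUND")
    hijacked = check_uac_policy({"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0})
    for name in hijacked:
        print(f"[HJ] HKLM\\...\\System : {name} (0) --> FOUND")
```

To use it on a real drive, pass the mount point of the suspect volume to scan_volume (for the data drives in this thread, which never held a Windows installation, a clean result only means this particular layout is absent) and feed check_uac_policy the values read from the system hive's policies\system key.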