
pithblitz

Everything posted by pithblitz

  1. Deleted. Everything looks great and running well! Thank you so much for all your help! mbam-log-2012-10-10 (14-06-19).txt
  2. Alright, things are starting to look a lot better.... here's the ComboFix log. ComboFix.txt
  3. Okay, here ya go on the reports.... TDSSKiller.2.8.10.0_10.10.2012_09.50.22_log.txt TDSSKiller.2.8.10.0_10.10.2012_11.47.42_log.txt
  4. So not with "Loaded Modules"? Did I do something incorrect?
  5. And the long one.... TDSSKiller.2.8.10.0_10.10.2012_09.27.46_log.txt
  6. Logs for TDSSKiller....
     09:24:29.0400 4736 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
     09:24:29.0739 4736 ============================================================
     09:24:29.0739 4736 Current date / time: 2012/10/10 09:24:29.0739
     09:24:29.0740 4736 SystemInfo:
     09:24:29.0740 4736
     09:24:29.0740 4736 OS Version: 6.1.7600 ServicePack: 0.0
     09:24:29.0740 4736 Product type: Workstation
     09:24:29.0740 4736 ComputerName: TONYA-PC
     09:24:29.0740 4736 UserName: Tonya
     09:24:29.0740 4736 Windows directory: C:\Windows
     09:24:29.0740 4736 System windows directory: C:\Windows
     09:24:29.0740 4736 Running under WOW64
     09:24:29.0740 4736 Processor architecture: Intel x64
     09:24:29.0740 4736 Number of processors: 4
     09:24:29.0740 4736 Page size: 0x1000
     09:24:29.0740 4736 Boot type: Normal boot
     09:24:29.0740 4736 ============================================================
     09:24:30.0624 4736 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
     09:24:30.0627 4736 ============================================================
     09:24:30.0627 4736 \Device\Harddisk0\DR0:
     09:24:30.0627 4736 MBR partitions:
     09:24:30.0627 4736 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x178000
     09:24:30.0627 4736 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x18C000, BlocksNum 0x252A2000
     09:24:30.0627 4736 ============================================================
     09:24:30.0679 4736 C: <-> \Device\Harddisk0\DR0\Partition2
     09:24:30.0680 4736 ============================================================
     09:24:30.0680 4736 Initialize success
     09:24:30.0680 4736 ============================================================
     09:25:14.0188 4076 Deinitialize success
  7. RogueKiller V8.1.1 [10/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : Tonya [Admin rights]
     Mode : Scan -- Date : 10/10/2012 09:21:02

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 9 ¤¤¤
     [TASK][SUSP PATH] ActiveMail Updater.job : C:\ProgramData\ActivePath\ActiveMail\UpdateClient.exe -> FOUND
     [TASK][SUSP PATH] ActiveMail Updater : C:\ProgramData\ActivePath\ActiveMail\UpdateClient.exe -> FOUND
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : Root.MBR ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST500DM002-1BD142 +++++
     --- User ---
     [MBR] 2817f99e6ec153aa50fed9ebc04c2f3e
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo
     User != LL1 ... KO!
     --- LL1 ---
     [MBR] 4cff60cb4cd9935fa23adec339d0cf66
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo
     User != LL2 ... KO!
     --- LL2 ---
     [MBR] 4cff60cb4cd9935fa23adec339d0cf66
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo

     Finished : << RKreport[2].txt >>
     RKreport[1].txt ; RKreport[2].txt

     SORRY! forgot to run as admin! this is it....
  8. Here ya go!
     RogueKiller V8.1.1 [10/03/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : Tonya [Admin rights]
     Mode : Scan -- Date : 10/10/2012 09:17:10

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 9 ¤¤¤
     [TASK][SUSP PATH] ActiveMail Updater.job : C:\ProgramData\ActivePath\ActiveMail\UpdateClient.exe -> FOUND
     [TASK][SUSP PATH] ActiveMail Updater : C:\ProgramData\ActivePath\ActiveMail\UpdateClient.exe -> FOUND
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : Root.MBR ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST500DM002-1BD142 +++++
     --- User ---
     [MBR] 2817f99e6ec153aa50fed9ebc04c2f3e
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo
     User != LL1 ... KO!
     --- LL1 ---
     [MBR] 4cff60cb4cd9935fa23adec339d0cf66
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo
     User != LL2 ... KO!
     --- LL2 ---
     [MBR] 4cff60cb4cd9935fa23adec339d0cf66
     [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
     Partition table:
     2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
     3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 Mo

     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  9. Unfortunately I became infected with Alureon.A, or at least that's what MSE says. It seems to have created an unallocated space of 170GB on the back end of the drive and a hidden partition on the front side of 43MB. I'm familiar on the whole with using GParted to unhide the space, but when I go to remove the malware and reboot the system, MSE is still saying it's infected. So I decided to come to the pros for guidance... Thank you! Attach.txt DDS.txt
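The two findings that matter in the logs above are the RogueKiller MBR check in posts 7 and 8 (the MBR hash seen through the Windows API differs from the one read at the lower LL1/LL2 levels, hence "KO!") and the TDSSKiller partition layout in post 6, which is what the poster's "170GB unallocated at the back, 43MB hidden at the front" in post 9 is really describing. This added example, not part of the thread or of either tool, parses constructed excerpts of both outputs (the hash and LBA values are copied from the posts) and reproduces the two checks: which read paths disagree with the API view, and how much disk space no listed partition claims.

```python
import re

# Constructed excerpts mirroring the RogueKiller "MBR Check" and TDSSKiller partition
# lines posted above (the hash and LBA values are the ones in those posts).
ROGUEKILLER_EXCERPT = """
--- User --- [MBR] 2817f99e6ec153aa50fed9ebc04c2f3e [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
--- LL1 --- [MBR] 4cff60cb4cd9935fa23adec339d0cf66 [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
--- LL2 --- [MBR] 4cff60cb4cd9935fa23adec339d0cf66 [BSP] 60158a29590d5da23c848f7134a7a314 : Windows 7 MBR Code
"""
TDSSKILLER_EXCERPT = r"""
Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81
\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x178000
\Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x18C000, BlocksNum 0x252A2000
"""

VIEW_RE = re.compile(r"--- (\w+) --- \[MBR\] ([0-9a-f]{32}) \[[Bb]SP\] ([0-9a-f]{32})")
DRIVE_RE = re.compile(r"Size: (0x[0-9A-Fa-f]+).*?SectorSize: (0x[0-9A-Fa-f]+)")
PART_RE = re.compile(r"StartLBA (0x[0-9A-Fa-f]+), BlocksNum (0x[0-9A-Fa-f]+)")


def mbr_views(text):
    """Map each RogueKiller read path (User = Win32 API, LL1/LL2 = lower-level disk
    reads) to its (MBR md5, boot-sector md5) pair."""
    return {m.group(1): (m.group(2), m.group(3)) for m in VIEW_RE.finditer(text)}


def mbr_mismatches(views):
    """Low-level views whose hashes differ from the API read. A clean disk returns the
    same sector on every path; a difference means something between the API and the
    disk is serving a different MBR, which RogueKiller prints as 'User != LL1 ... KO!'."""
    api = views["User"]
    return sorted(v for v, h in views.items() if v != "User" and h != api)


def unclaimed_space(text):
    """Sector ranges no listed partition covers, as (start_sector, bytes). The gaps before
    the first partition and after the last one are where the poster saw the hidden area
    and the unallocated space; a hidden partition (RogueKiller's DELL-UTIL 0xde entry)
    lands in such a gap too, so cross-check both tools before treating the space as lost."""
    size, sector = (int(x, 16) for x in DRIVE_RE.search(text).groups())
    parts = sorted((int(s, 16), int(b, 16)) for s, b in PART_RE.findall(text))
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for start, blocks in parts:
        if start > cursor:
            gaps.append((cursor, (start - cursor) * sector))
        cursor = max(cursor, start + blocks)
    total = size // sector
    if cursor < total:
        gaps.append((cursor, (total - cursor) * sector))
    return gaps
```

On the posted values the tail gap comes out at about 180 GB (168 GiB) and the front gap at about 42 MB, the same two regions the poster measured with GParted; both low-level views disagree with the API view of the MBR.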