BleepingComputer.com: Backdoor.Win32.ZAccess.dg

Clicked on an image file which took me to a site which pushed malware to my PC, yesterday, Sunday, 9/4/11
Older HP Pavillion desktop, running XP Media Center 2002 SP 3.
Have SAV Corporate Edition (version unknown) but I did note my virus definitions were current as of 9/3/11 on Saturday.

Saga
Attempting to close IE window (IE 8), got a fake Windows message - your computer is infected. I went to Task Manager, ended the IE and Message programs and immediately shut the PC down.
On reboot, the malware got more assertive displaying fake Windows Firewall messages about blocking certain applications. I tried to run Symantec, but as it got started it quickly was closed and then I've been unable to run it - in safe mode, safe mode w/networking or regular mode.
I turned off System Restore at that point.
I was able to run Spybot and it found - something it labelled Security Center.Firewall Bypass which it claimed to have deleted. However, on every reboot and scan it comes back - along with Win32.AVkillsvc.e
I located, downloaded and tried Norton Power Eraser - it would not start.
I located, downloaded and tried Kapersky Virus Removal Tool - it ran and keeps finding a corrupt file - ...\GAC_MSIL\Desktop.ini - which it attempts to fix, then says it will delete on reboot - it comes back and it says its associated with Backdoor.Win32.ZAccess.dg
I located, downloaded and ran Symantecs separate SupportTool.exe which starts runs a bit then hangs up at somepoint while the fake firewall messages start popping up. the Tool does have Symantec Power Eraser as an option, but it keeps insisting I've chosen a rootkit scan option, even though I've not checked the option so it forces a reboot and thus does nothing except force yet another reboot.
IE works - sort of - if I use it to browse most sites it works - but if I try to go to any anti virus/security site it redirects elsewhere. ClickNet.
Chrome - which I'd never used - works but I'm getting adware now, least of my issues. I seem to be able to get to most sites.

I can try to run the couple files - I saw one earlier forum on similar ZAccess.dg, but after the initial submission, there was no response to the bleeping computer autobot reachout .

Suggesions welcome - trying not to pay Symantec $100 to fix something I think thier AV should have caught in the 1st place.

Thank you anyone!

This post has been edited by Budapest: 05 September 2011 - 05:29 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

In process of getting files run/posted.

Additional facts -
process named 4142946648:2812677897.exe shows up in Task Manager - can't end it, change priorities, etc.
The process below it - Isass.exe just looks suspiciously named - also can't delete this one.

On boot I get message that 'ordinal 1009' can't be found and that the virus definitions are missing....

More to come with files.

Go on.....

Security Check results - both in safe mode and regular- netsh.exe - Entry Point Not Found - The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll.

this may relate to one of the messages i'm getting on start up - regarding ordinal 1109......which references that same dll file.

Moving to second file.....however, this just popped up........
File name - checkup.txt


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Spybot - Search & Destroy 1.5.2.20
Spybot - Search & Destroy
Java 2 Runtime Environment Standard Edition v1.3.1_02
Adobe Flash Player
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Symantec AntiVirus DefWatch.exe
Norton AntiVirus navapsvc.exe
``````````End of Log````````````

Now getting messages nslookup.exe - The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll.

This post has been edited by bullfrog65: 05 September 2011 - 06:26 PM

MiniToolBox results


MiniToolBox by Farbar
Ran by JBM_1 (administrator) on 05-09-2011 at 19:22:19
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: proxy.verizon.com:80
========================= Hosts content: =================================
144.70.99.20 ftwixos sapfwp02 144.70.99.8 saftw1sp0 144.70.99.10 saftw2sp0 144.70.99.12 saftw3sp0 144.70.99.27 saftw4sp0 144.70.99.28 saftw5sp0 144.70.99.13 saftw6sp0 144.70.99.68 saftw7sp0 144.70.99.94 saftwadm 144.70.99.21 saftwccs 144.70.99.230 saftwemc1 144.70.99.1 saftwi01 144.70.99.2 saftwi02 144.70.99.3 saftwi03 144.70.99.4 saftwi04 144.70.99.5 saftwi05 144.70.99.6 saftwi06 144.70.99.7 saftwi07 144.70.99.14 saftwi08 144.70.99.15 saftwi09 144.70.99.16 saftwi10 144.70.99.17 saftwi11 144.70.99.18 saftwi12 144.70.99.19 saftwi13 144.70.99.22 saftwi14 144.70.99.23 saftwi15 144.70.99.24 saftwi16 144.70.99.25 saftwi17 144.70.99.30 saftwi30 144.70.99.32 saftwi32 144.70.99.33 saftwi33 144.70.99.34 saftwi34 144.70.99.35 saftwi35 144.70.99.36 saftwi36 144.70.99.40 saftwi40 144.70.99.41 saftwi41 144.70.99.42 saftwi42 144.70.99.43 saftwi43 144.70.99.44 saftwi44 144.70.99.45 saftwi45 144.70.99.46 saftwi46 144.70.99.47 saftwi47 144.70.99.48 saftwi48 138.83.131.36 saftwi50 144.70.99.51 saftwi51 138.83.131.38 saftwi52 144.70.99.53 saftwi53 144.70.99.55 saftwi55 144.70.99.60 saftwi60 144.70.99.61 saftwi61 144.70.99.62 saftwi62 144.70.99.63 saftwi63 138.83.138.43 saftwi66 138.83.138.44 saftwi67 138.83.138.45 saftwi69 138.83.138.46 saftwi70 138.83.138.49 saftwi73 138.83.138.50 saftwi74 138.83.138.51 saftwi75 138.83.138.52 saftwi76 138.83.138.54 saftwi79 uatldap1 138.83.138.55 saftwi80 uatldap2 138.83.138.56 saftwi81 uatlogin1 138.83.138.57 saftwi82 uatlogin2 138.83.131.30 saftwi86 138.83.131.31 saftwi87 138.83.131.32 saftwi88 144.70.99.50 saftwm50 144.70.99.52 saftwm52 144.70.99.66 saftwm66 144.70.99.67 saftwm67 144.70.99.69 saftwm69 144.70.99.70 saftwm70 144.70.99.73 saftwm73 144.70.99.74 saftwm74 144.70.99.75 saftwm75 144.70.99.76 saftwm76 144.70.99.79 saftwm79 144.70.99.80 saftwm80 144.70.99.81 saftwm81 144.70.99.82 saftwm82 144.70.99.86 saftwm86 144.70.99.87 saftwm87 144.70.99.88 saftwm88 144.70.99.120 saftwsf1 144.70.99.107 saftwsf1-sc0 144.70.99.108 saftwsf1-sc1 144.70.99.121 saftwsf2 144.70.99.109 saftwsf2-sc0 144.70.99.110 saftwsf2-sc1 144.70.99.122 saftwsf3 144.70.99.111 saftwsf3-sc0 144.70.99.112 saftwsf3-sc1 144.70.99.119 saftwsf4 144.70.99.113 saftwsf4-sc0 144.70.99.114 saftwsf4-sc1 144.70.99.124 saftwsf5 144.70.99.117 saftwsun 144.70.99.115 saftwterm 144.70.99.229 safwd01 138.83.138.90 safwdf01 144.70.99.159 safwdf01m 138.83.138.89 safwdp01 113.134.218.14 safwdu01 144.70.99.231 safwdu01d 144.70.99.130 safwdu01m 113.134.218.20 safwdu02 144.70.99.232 safwdu02d 144.70.99.140 safwdu02m 138.83.138.98 safwepd1 144.70.99.151 safwepd1d 138.83.138.91 safwepd2 144.70.99.152 safwepd2d 138.83.138.92 safwepd3 144.70.99.153 safwepd3d 138.83.138.93 safwepd4 144.70.99.154 safwepd4d 138.83.138.94 safwepd5 144.70.99.155 safwepd5d 138.83.138.95 safwepd6 144.70.99.156 safwepd6d 138.83.138.96 safwepd7 144.70.99.157 safwepd7d 138.83.138.97 safwepd8 144.70.99.158 safwepd8d 138.83.138.121 safwepl1 prdldap1 144.70.99.160 safwepl1d 138.83.138.123 safwepl2 prdldap2 144.70.99.161 safwepl2d 138.83.138.125 safwepl3 prdldap3 144.70.99.162 safwepl3d 138.83.138.127 safwepl4 prdldap4 144.70.99.163 safwepl4d 138.83.138.109 safwepw1 prdlogin1 144.70.99.164 safwepw1d 138.83.138.112 safwepw2 prdlogin2 144.70.99.165 safwepw2d 138.83.138.115 safwepw3 prdlogin3 144.70.99.166 safwepw3d 138.83.138.118 safwepw4 prdlogin4 144.70.99.167 safwepw4d 113.134.218.10 safweu01 144.70.99.131 safweu01d 113.134.218.11 safweu02 144.70.99.132 safweu02d 113.134.218.12 safweu03 144.70.99.133 safweu03d 113.134.218.16 safweu03b 113.134.218.13 safweu04 144.70.99.134 safweu04d 113.134.218.15 safweu05 144.70.99.135 safweu05d 113.134.218.17 safweu06 144.70.99.136 safweu06d 113.134.218.18 safweu07 144.70.99.137 safweu07d 113.134.218.19 safweu08 144.70.99.138 safweu08d 113.134.218.21 safweu09 144.70.99.139 safweu09d 144.70.99.242 safwnas1 144.70.99.240 safwnas1m 144.70.99.243 safwnas2 144.70.99.241 safwnas2m 144.70.99.96 stkftw02 144.70.99.97 stkftw03 136.151.210.5 satpa1sp0 136.151.210.6 satpa1sp1 136.151.210.9 satpa2sp0 136.151.210.10 satpa2sp1 136.151.210.38 satpa3sp0 136.151.210.39 satpa3sp1 136.151.210.11 satpai01 136.151.210.12 satpai02 136.151.210.22 satpai03 136.151.210.14 satpai04 136.151.210.15 satpai05 136.151.210.16 satpai06 136.151.210.7 satpai12 136.151.210.8 satpai13 136.151.210.17 satpai14 136.151.210.18 satpai15 136.151.210.19 satpai16 136.151.210.20 satpai17 136.151.210.21 satpai18 136.151.210.30 satpai30 136.151.210.31 satpai31 136.151.210.32 satpai32 136.151.210.33 satpai33 136.151.210.34 satpai34 136.151.210.35 satpai35 136.151.210.36 satpai36 138.83.76.63 satpai40 138.83.76.64 satpai41 136.151.210.40 satpaadm 136.151.210.43 stktpa01 136.151.210.44 stktpa02 139.49.193.99 estixos 139.49.193.98 irvixos oswald sapirp01 139.49.193.80 sairv1sp0 139.49.193.82 sairv2sp0 139.49.193.94 sairvcmpq 139.49.193.101 sairvi01 139.49.193.102 sairvi02 139.49.193.103 sairvi03 139.49.193.104 sairvi04 139.49.193.105 sairvi05 139.49.193.106 sairvi06 139.49.193.107 sairvi07 139.49.193.108 sairvi08 139.49.193.109 sairvi09 139.49.193.110 sairvi10 139.49.193.111 sairvi11 139.49.193.112 sairvi12 139.49.193.113 sairvi13 139.49.193.114 sairvi14 139.49.193.115 sairvi15 139.49.193.116 sairvi16 139.49.193.117 sairvi17 139.49.193.118 sairvi18 139.49.193.119 sairvi19 139.49.193.85 sairvnas1 139.49.193.83 sairvnas1m 139.49.193.86 sairvnas2 139.49.193.84 sairvnas2m 139.49.193.88 sairvnasweb 139.49.193.95 sairvtest 139.49.193.97 stkirv01



127.0.0.1 LOCALHOST
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com

There are 8062 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.


Windows IP Configuration



Host Name . . . . . . . . . . . . : PCHUB

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : verizon.com

bellatlantic.com

nynex.com

gte.com



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : home

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-0C-6E-67-3E-13

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.5

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

71.252.0.12

Lease Obtained. . . . . . . . . . : Monday, September 05, 2011 7:05:53 PM

Lease Expires . . . . . . . . . . : Tuesday, September 06, 2011 7:05:53 PM



Ethernet adapter {02C25E39-04C6-4C6A-AEA2-E735176717F3}:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Packet Scheduler Miniport

Physical Address. . . . . . . . . : 44-45-53-54-42-00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 0.0.0.0

Subnet Mask . . . . . . . . . . . : 0.0.0.0

Default Gateway . . . . . . . . . :



Pinging google.com [74.125.115.147] with 32 bytes of data:



Reply from 74.125.115.147: bytes=32 time=17ms TTL=252

Request timed out.



Ping statistics for 74.125.115.147:

Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

Approximate round trip times in milli-seconds:

Minimum = 17ms, Maximum = 17ms, Average = 17ms



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=4ms TTL=54

Reply from 67.195.160.76: bytes=32 time=4ms TTL=54



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 4ms, Maximum = 4ms, Average = 4ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 6e 67 3e 13 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
0x3 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 20
192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 20
224.0.0.0 240.0.0.0 192.168.1.5 192.168.1.5 20
255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1
255.255.255.255 255.255.255.255 192.168.1.5 3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

Malwarebytes' Anti-malware
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Same message I get when trying to run Symantec or Kaspersky. Pretty sure the virus has crippled the ability to run these.

Download and run exeHelper.

• Please download exeHelper from Raktor to your desktop.
  
• Double-click on exeHelper.com to run the fix.
  
• A black window should pop up, press any key to close once the fix is completed.
  
• A log file named log.txt will be created in the directory where you ran exeHelper.com
  
• Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Try MBAM again.

If still no go proceed with GMER.

exhelperlog.txt

exeHelper by Raktor
Build 20100414
Run at 20:17:09 on 09/05/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Same MBAM message

Sorry haven't said this earlier - THANK YOU for any and all help and guidance!!

You're welcome

Go ahead with GMER.

GMER still running - going for over 3 hours now - its moving through files; not stalled out or hung up......11 45 PM - will post final results in AM.

Thanks again

No problem

GMER finished? - the GMER window was closed and I couldn't get it to run again. Couldn't find an output file
Rebooted, same issues/virus.
Reran exhelper (same results) - re-downloaded GMER from site and starting new execution .......hope it finishes before have to go to work.....

Thanks again.

Started GMER just before 6 AM - it just ended at 11 24 AM - 5 1/2 hours later.
It ended and then just it closed instantly, before I could click Save. Is there a log file somewhere? I searched but there were only a couple files that updated since 6AM - one was the Malbytes file shown below.
While it was running I did get a Malbytes popup that it blocked internet traffic out to 193.105.135.219 - so even though I can't get the exe to launch by clicking the shortcut or the filename - it appears to be working.

01:45:06 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
01:45:09 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
01:45:15 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
02:40:15 JBM_1 MESSAGE Scheduled update executed successfully
02:40:15 JBM_1 MESSAGE IP Protection stopped
02:40:25 JBM_1 MESSAGE Database updated successfully
02:40:32 JBM_1 MESSAGE IP Protection started successfully
03:04:43 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
03:04:46 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
03:04:52 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
05:38:15 JBM_1 MESSAGE Protection started successfully
05:38:25 JBM_1 MESSAGE IP Protection started successfully
10:55:15 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
10:55:18 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)
10:55:24 JBM_1 IP-BLOCK 193.105.135.219 (Type: outgoing)


I still can't get any AV program to open up to run a scan.

Let's start with resetting your "hosts" file.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

• Double-click SystemLook.exe to run it.
  
• Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  
• Copy the content of the following box into the main textfield:
  

  :dir
  C:\WINDOWS\SYSTEM32\DRIVERS\ETC
  

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Then....

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".