TechSpot

[A] Advertisement audio playing in background, possible rootkit

Inactive
By rubiksgeek
Feb 29, 2012
  1. Hello!

    About 3 days ago, advertisements started playing in the background randomly. This can happen when I'm not even touching the computer.

    Windows 7 is dual-booted on my MacBook Pro. My Windows partition is used for Skype and programs I run for school.

    GMER Log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-28 22:39:34
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9SA02 rev.PBBAC60Q
    Running: kb9ottbu.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pwlorpob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A935D9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB8092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text dfsc.sys 90028000 245 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
    .text dfsc.sys 900280F6 89 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
    .text dfsc.sys 90028150 125 Bytes [75, 08, FF, 15, A4, C1, 02, ...]
    .text dfsc.sys 900281CE 77 Bytes [6A, 01, EB, 19, 83, C0, D0, ...]
    .text dfsc.sys 9002821C 41 Bytes [8B, 4D, F8, 8B, 35, F0, B1, ...]
    .text ...
    ? C:\Windows\System32\Drivers\dfsc.sys suspicious PE modification

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 77BC5000 5 Bytes JMP 005E000A
    .text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory 77BC5B80 5 Bytes JMP 005F000A
    .text C:\Windows\system32\svchost.exe[820] ntdll.dll!KiUserExceptionDispatcher 77BC60E8 5 Bytes JMP 005D000A
    ? C:\Windows\system32\svchost.exe[820] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[932] USER32.dll!TrackPopupMenu 761A4B3B 5 Bytes JMP 66A6AF78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateProcess 77BC4780 5 Bytes JMP 002C000A
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateProcessEx 77BC4790 5 Bytes JMP 002D000A
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateUserProcess 77BC4860 5 Bytes JMP 005C000A
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtProtectVirtualMemory 77BC5000 5 Bytes JMP 001E000A
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtWriteVirtualMemory 77BC5B80 5 Bytes JMP 001F000A
    .text C:\Windows\System32\ping.exe[1320] ntdll.dll!KiUserExceptionDispatcher 77BC60E8 5 Bytes JMP 001D000A
    .text C:\Windows\System32\ping.exe[1320] USER32.dll!GetCursorPos 7617C198 5 Bytes JMP 0063000A
    .text C:\Windows\System32\ping.exe[1320] USER32.dll!GetForegroundWindow 7618565D 5 Bytes JMP 0065000A
    .text C:\Windows\System32\ping.exe[1320] USER32.dll!WindowFromPoint 761A6D0C 5 Bytes JMP 0064000A
    .text C:\Windows\System32\ping.exe[1320] ole32.dll!CoCreateInstance 7771590C 5 Bytes JMP 0062000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!LdrLoadDll 77BDF425 5 Bytes JMP 000A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 458D74EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 15FF50F8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [00ECF014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 01FC7531
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 458DF875
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 15FF508C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] [00ECF004] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 458D086A
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 458D50F8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 15FF508C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] [00ECF000] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 508C458D
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] F00815FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 458B00EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] E84533E4
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 33EC4533
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] C3C9F045
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 8BEC8B55
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] EC833040
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 57565314
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] D98B388B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] EB04708D
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 46B70F20
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 30448D1A
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] F0F0681C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 4F5000EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 00DCAFE8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 85595900
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 811374C0
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 00011CC6
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [75FF8500] C:\Windows\system32\SETUPAPI.dll (Windows Setup API/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 5FC033DC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] C2C95B5E
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 468B0008
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] F4458908
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] 8B0C468B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 45890473
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [74F685F0] C:\Windows\system32\PROPSYS.dll (Microsoft Property System/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] D8BB8D77
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 57000000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] ED015068
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 8D426A00
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 4E50FC45
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] F0E015FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] C08500EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 458D537C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 046A50EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 50F8458D
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] [75FF096A] C:\Windows\system32\SETUPAPI.dll (Windows Setup API/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] DC15FFFC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 8500ECF0
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B317CC0
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 452BF845
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] F0453BF4
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 006A2673
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] FFFC75FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] ECF0D415
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 7CC08500
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 0C4D8B17
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 1F8B018B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 8908558B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 5F8BC21C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] C25C8904
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 01894004
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FFFC75FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] ECF0D815
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 40C78300
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 8F75F685
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] E940C033
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] FFFFFF67
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 51EC8B55
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 0173A051
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 565300ED
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C0BE0F57
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 7D89FF33
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] DC2AE8F8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] DC8B0000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 45C7F633
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 001000FC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] FC458B00
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 0F73F83B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 11E8C72B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 8B0000DC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 2BC38BF4
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 8DF88BC6
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 5750FC45
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] FF056A56
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] ECF0D015
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 00043D00
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] D574C000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 047DC085
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] 60EBC033
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] F003C033
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 468D016A
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] 18685038
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] FF00ECF1
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] ECF0CC15
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] [75C08400] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 85068B08
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EBE375C0
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 68006A3C
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 00040000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] F07415FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] F88B00EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 2974FF85
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FF016A57
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] 15FF4476
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [00ECF020] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 127CC085
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 8B0C75FF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 0875FFCE
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 81E8C78B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 89FFFFFE
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF57F845
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] ECF02415
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] F8458B00
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 5FEC658D
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] C2C95B5E
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 8B550008
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 3CEC81EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 56000002
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] E856F08B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] 0000DB36
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 00803D59
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 870F0000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 000000AC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 0F2E3E80
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 0000A384
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 858D5600
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFFFDC8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] ECF12068
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 15FF5000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] [00ECF02C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FDC8858D
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 2E6AFFFF
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] DB06E850
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] C4830000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 74C08514
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 66C9337B
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] C0830889
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] F1906802
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] E85000EC
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 0000DAF2
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] C0855959
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 858D6275
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] FFFFFDC8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] CC758D50
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] 000DFFE8
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 19685000
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] 8D000200
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] FF50FC45
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] ECF03815
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 7CC08500
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] EC458D3F
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 50106A50
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 2868026A
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] FF00ECF2
    IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] F633FC75

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\BTHUSB \Device\00000074 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\00000076 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) 90011000-90027000 (90112 bytes)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002608d835bd
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002608d835bd (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB36107$\3266436414 0 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036 0 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\@ 2048 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\bckfg.tmp 856 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\cfg.ini 377 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\keywords 18 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\L 0 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\L\xadqgnnk 78336 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\lsflt7.ver 5176 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\oemid 186 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U 0 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\00000001.@ 2048 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\80000000.@ 66560 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\U\80000032.@ 73216 bytes
    File C:\Windows\$NtUninstallKB36107$\664251036\version 842 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1004-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1005-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1006-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D5-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D6-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B5-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B6-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE5B8FE4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34A05EZ3\errorPageStrings[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\80N60RJN\ErrorPageTemplate[1] 2168 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PG8Q4L7\tools[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8Y5WIVR\httpErrorPagesScripts[1] 8601 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8Y5WIVR\favcenter[1] 3366 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VY8W1WDM\errorPageStrings[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VY8W1WDM\dnserror[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EBE9JRQ2\dnserror[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHSFCM3J\down[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAZJO355\ErrorPageTemplate[1] 2168 bytes

    ---- EOF - GMER 1.0.15 ----

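Added example (not part of rubiksgeek's post and not GMER's own code): a small Python triage script for a GMER log of this shape. It is fed a handful of lines copied verbatim from the log above and separates the entries that usually matter when reading such a log (a non-kernel driver whose .text GMER saw rewritten, GMER's own "?" warnings, inline JMP hooks that land at an address GMER could not attribute to any module, IAT slots that hold raw values instead of resolved module addresses, a hidden module, and the files under the $NtUninstall...$ directory) from entries that are routine on a healthy machine, such as a vendor DLL hooking its own process the way xul.dll does in plugin-container.exe. The severity labels and the section names it keys on are this script's own working convention, not something GMER emits.

```python
"""Triage a GMER rootkit-scan log: added example, not part of the post or of GMER.

Sample lines below are copied verbatim from the log in the post above.
Severity labels are this script's own working convention, not something GMER emits.
"""
import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# ".text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A935D9 1 Byte [06]"  or  ".text dfsc.sys 90028000 245 Bytes [...]"
KERNEL_TEXT_RE = re.compile(r"^\.text ([^\s!]+)(?:!(\S+))?")
# ".text <image>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target> [<module path> (<vendor>)]"
USER_HOOK_RE = re.compile(
    r"^\.text (.+?)\[(\d+)\] (\S+)!(\S+) [0-9A-F]+ \d+ Bytes? JMP ([0-9A-F]+)(?: (.+?) \((.+)\))?$"
)
# "IAT <proc>[<pid>] @ <image> [<dll>!<import>] <raw hex>"                   -> slot GMER could not resolve
# "IAT <proc>[<pid>] @ <image> [<dll>!<import>] [<addr>] <module> (<vendor>)" -> slot resolved to a module
IAT_RE = re.compile(r"^IAT (.+?)\[(\d+)\] @ (.+?) \[(\S+)\] (\[[0-9A-F]+\] .+|[0-9A-F]+)$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes$")
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\")
# Patches GMER reports inside the kernel image itself are listed but not ranked here.
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str
    detail: str


def triage(log_text: str) -> list:
    """Walk the log section by section and return one Finding per noteworthy entry."""
    findings = []
    seen_kernel_images = set()
    unresolved_iat = Counter()  # (process, mapped image) -> number of unresolved slots
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("? "):
            # GMER's own warnings: "suspicious PE modification", "image checksum mismatch", ...
            findings.append(Finding("high", "gmer_warning", line[2:]))
        elif section == "Kernel code sections" and (m := KERNEL_TEXT_RE.match(line)):
            image = m.group(1)
            if image not in seen_kernel_images:  # one finding per patched image
                seen_kernel_images.add(image)
                severity = "info" if image.lower() in KERNEL_IMAGES else "high"
                findings.append(Finding(severity, "kernel_code_patch", image))
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            path, pid, dll, func, target, module, vendor = m.groups()
            where = f"{path}[{pid}] {dll}!{func}"
            if module is None:
                # inline JMP to an address GMER could not map to any loaded module
                findings.append(Finding("medium", "unattributed_user_hook", f"{where} -> {target}"))
            else:
                findings.append(Finding("info", "attributed_user_hook", f"{where} -> {module} ({vendor})"))
        elif section == "User IAT/EAT" and (m := IAT_RE.match(line)):
            proc, pid, image, _imp, value = m.groups()
            if not value.startswith("["):
                unresolved_iat[(f"{proc}[{pid}]", image)] += 1
        elif "*** hidden ***" in line:
            findings.append(Finding("high", "hidden_module", line))
        elif section == "Files" and (m := FILE_RE.match(line)):
            path = m.group(1)
            if UNINSTALL_DIR_RE.search(path):
                findings.append(Finding("high", "uninstall_dir_file", path))
    for (proc, image), n in unresolved_iat.items():
        findings.append(Finding("high", "unresolved_iat", f"{proc} @ {image}: {n} entries"))
    return findings


def count_kinds(findings) -> dict:
    return dict(Counter(f.kind for f in findings))


def count_severity(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A935D9 1 Byte [06]
.text dfsc.sys 90028000 245 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
.text dfsc.sys 900280F6 89 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
? C:\Windows\System32\Drivers\dfsc.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 77BC5000 5 Bytes JMP 005E000A
? C:\Windows\system32\svchost.exe[820] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[932] USER32.dll!TrackPopupMenu 761A4B3B 5 Bytes JMP 66A6AF78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateProcess 77BC4780 5 Bytes JMP 002C000A
.text C:\Windows\System32\ping.exe[1320] ole32.dll!CoCreateInstance 7771590C 5 Bytes JMP 0062000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [00ECF014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 01FC7531

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 90011000-90027000 (90112 bytes)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB36107$\664251036\@ 2048 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\80000032.@ 73216 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8Y5WIVR\favcenter[1] 3366 bytes

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.kind:24} {f.detail}")
```

On the sample above the script reports twelve findings: seven high (the rewritten dfsc.sys, both "?" warnings, the hidden module, the two "@" files under $NtUninstallKB36107$, and the smss.exe image mapped into svchost.exe[820] with unresolved IAT slots), three medium (the bare-address hooks in svchost.exe and ping.exe) and two info (the ntkrnlpa.exe patch and Firefox's own hook in plugin-container.exe). Run against the full log, the same rules would add the remaining dfsc.sys .text lines to the one existing finding and count every unresolved smss.exe IAT slot, so the unattributed entries stay readable instead of being buried in the two hundred IAT lines.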
  2. rubiksgeek (TS Rookie, Topic Starter)

    Continued


    DDS Log:

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_30
    Run by Admin at 22:40:40 on 2012-02-28
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2791.1506 [GMT -6:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\AppleOSSMgr.exe
    C:\Windows\system32\AppleTimeSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Boot Camp\Bootcamp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIqw3KV.com
    C:\Windows\system32\EQIqw3KV.com
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = 0.0.0.0:80
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Apple_KbdMgr] c:\program files\boot camp\Bootcamp.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    LSP: mswsock.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: Interfaces\{27AED930-1ECB-4127-AC3E-D108DF72203E} : NameServer = 4.2.2.1,4.2.2.2
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\i85qh3sm.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============
    .
    R0 AppleHFS;AppleHFS;c:\windows\system32\drivers\AppleHFS.sys [2009-7-22 48000]
    R0 AppleMNT;AppleMNT;c:\windows\system32\drivers\AppleMNT.sys [2009-7-22 5120]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-7-22 136496]
    R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2009-7-22 99632]
    R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-7-22 5760]
    R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-7-22 8576]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-27 652360]
    R3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-12-9 10496]
    R3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-12-9 29440]
    R3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\drivers\CS420x86.sys [2009-12-9 9728]
    R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-12-9 16512]
    R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-12-9 23552]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-8 20464]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-12-30 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-12 1343400]
    .
    =============== Created Last 30 ================
    .
    2012-02-29 02:38:26 100864 ----a-w- C:\pwlorpob.sys
    2012-02-27 19:40:25 -------- d-----w- c:\users\admin\appdata\local\ElevatedDiagnostics
    2012-02-27 19:17:11 -------- d-----w- c:\program files\ESET
    2012-02-27 04:08:02 83968 ----a-w- c:\windows\system32\EQIqw3KV.com
    2012-02-27 03:28:47 162664 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10140.bin
    2012-02-27 03:19:23 83968 ----a-w- c:\windows\system32\EQIqw3KV.com_
    2012-02-11 05:43:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-11 05:32:05 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-02-11 05:32:05 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-02-11 05:32:05 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-02-11 05:32:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-02-11 05:32:05 1037312 ----a-w- c:\windows\system32\lsasrv.dll
    2012-02-11 05:32:04 99840 ----a-w- c:\windows\system32\sspicli.dll
    2012-02-11 05:32:04 314368 ----a-w- c:\windows\system32\webio.dll
    2012-02-11 05:32:04 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-02-11 05:32:04 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-02-11 05:32:04 15360 ----a-w- c:\windows\system32\sspisrv.dll
    .
    ==================== Find3M ====================
    .
    2012-01-14 03:48:30 2340864 ----a-w- c:\windows\system32\win32k.sys
    2012-01-04 09:03:07 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2012-01-03 05:44:24 478208 ----a-w- c:\windows\system32\timedate.cpl
    2011-12-16 08:02:26 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-12-16 07:59:17 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2011-12-16 07:58:33 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-16 06:49:33 386048 ----a-w- c:\windows\system32\html.iec
    2011-12-16 06:15:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-06 14:02:29 222080 ------w- c:\windows\system32\MpSigStub.exe

    ============= FINISH: 22:41:12.16 ===============

    Malwarebytes Log:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.26.07

    Windows 7 x86 NTFS
    Internet Explorer 8.0.7600.16385
    Admin :: ADMIN-PC [administrator]

    Protection: Enabled

    2/28/2012 10:42:37 PM
    mbam-log-2012-02-28 (22-42-37).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 169077
    Time elapsed: 5 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Windows\System32\hidbatt.dll (RootKit.0Access.H) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 10
    C:\Windows\System32\hidbatt.dll (RootKit.0Access.H) -> Delete on reboot.
    C:\Windows\System32\cpqvcagent.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\DcLps.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\imapiservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\MtxDma0.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\oracleorahome92tnslistener.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\ptilink.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\rimvserport.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\s116nd5.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\NWUSBModem.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

    (end)

    Thank you!
     
  3. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    I still need Attach.txt part of DDS.

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================================

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport can also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  4. rubiksgeek

    rubiksgeek TS Rookie Topic Starter

    Hello!

    Here is my attach.txt file:


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume3
    Install Date: 12/9/2009 4:54:31 PM
    System Uptime: 2/29/2012 6:26:02 PM (0 hours ago)
    .
    Motherboard: Apple Inc. | | Mac-F2268AC8
    Processor: Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz | U2E1 | 791/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 21 GiB total, 3.318 GiB free.
    D: is CDROM ()
    E: is FIXED (HFS) - 128 GiB total, 42.401 GiB free.
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: USB Video Device
    Device ID: USB\VID_05AC&PID_8507&MI_00\6&13E6359&0&0000
    Manufacturer: Microsoft
    Name: Built-in iSight
    PNP Device ID: USB\VID_05AC&PID_8507&MI_00\6&13E6359&0&0000
    Service: usbvideo
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AV Voice Changer Software DIAMOND 7.0
    Bonjour
    Boot Camp Services
    ESET Online Scanner v3
    Java Auto Updater
    Java(TM) 6 Update 30
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.27)
    NVIDIA Drivers
    QuickTime
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype Click to Call
    Skype™ 5.5
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Windows Driver Package - Apple Inc. (applebt) Bluetooth (01/19/2009 2.1.2.1)
    Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (01/11/2008 3.4.3.18)
    Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)
    Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)
    Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0)
    Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)
    Windows Driver Package - Apple Inc. Apple Keyboard (03/05/2009 3.0.0.0)
    Windows Driver Package - Apple Inc. Apple Multitouch (03/25/2009 2.1.2.112)
    Windows Driver Package - Apple Inc. Apple Multitouch Mouse (03/25/2009 2.1.2.112)
    Windows Driver Package - Apple Inc. Apple ODD (01/17/2008 2.0.2.2)
    Windows Driver Package - Apple Inc. Apple Trackpad (03/05/2009 3.0.0.0)
    Windows Driver Package - Apple Inc. Apple Trackpad Enabler (02/19/2009 3.0.0.0)
    Windows Driver Package - Apple Inc. System (08/22/2008 2.1.1.1)
    Windows Driver Package - Atheros Communications Inc. (athr) Net (09/18/2008 7.6.1.122)
    Windows Driver Package - Atheros Communications Inc. Net (09/18/2008 7.6.1.122)
    Windows Driver Package - Broadcom (BCM43XX) Net (10/22/2008 5.10.38.26)
    Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA (04/29/2009 6.6001.1.8)
    Windows Driver Package - Intel (e1express) Net (02/06/2008 9.12.17.0)
    Windows Driver Package - Intel (E1G60) Net (01/08/2008 8.3.9.0)
    Windows Driver Package - Intel (e1kexpress) Net (07/22/2008 10.3.45.0)
    Windows Driver Package - Intel (e1qexpress) Net (08/05/2008 10.3.49.0)
    Windows Driver Package - Intel (e1yexpress) Net (07/16/2008 9.52.10.0)
    Windows Driver Package - Intel Net (02/06/2008 9.12.18.0)
    Windows Driver Package - Intel Net (06/13/2008 9.52.9.0)
    Windows Driver Package - Intel Net (07/22/2008 10.3.45.0)
    Windows Driver Package - Intel Net (08/05/2008 10.3.49.0)
    Windows Driver Package - Intel Net (11/07/2007 8.10.1.0)
    Windows Driver Package - Intel System (07/20/2007 1.2.76.0)
    Windows Driver Package - Marvell (yukonwlh) Net (03/23/2007 10.12.7.3)
    Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/1/2012 12:01:38 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x9061f000, 0x00000000, 0x861cf7f0, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 030112-33805-01.
    3/1/2012 12:01:21 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    2/29/2012 6:28:24 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    2/29/2012 6:26:39 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    2/29/2012 6:26:34 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    2/29/2012 6:26:25 PM, Error: Service Control Manager [7023] - The CDRPDACC service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Zpaction service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Zebrmdfl service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Z800bus service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Winproxy service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Tmtdi service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The RushTopDevice service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Prism_a02 service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Pgpserv service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Nsausvc service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Lusbaudio service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Lanusb service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Idisw2km service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Dvd-ram_service service terminated with the following error: The system cannot find the file specified.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Clmtomcatstartersvc service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The Tvtpktfilter service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The SaiClass service terminated with the following error: The specified module could not be found.
    2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The Nsengine service terminated with the following error: The specified module could not be found.
    2/29/2012 4:56:31 PM, Error: Service Control Manager [7023] - The Idisw2km service terminated with the following error: The specified procedure could not be found.
    2/29/2012 4:42:53 PM, Error: Service Control Manager [7023] - The SaiClass service terminated with the following error: The specified procedure could not be found.
    2/29/2012 4:33:08 PM, Error: Service Control Manager [7023] - The Lanusb service terminated with the following error: The specified procedure could not be found.
    2/29/2012 4:15:22 PM, Error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified procedure could not be found.
    2/29/2012 4:10:26 PM, Error: Service Control Manager [7023] - The Tmtdi service terminated with the following error: The specified procedure could not be found.
    2/29/2012 3:29:32 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007f (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 022912-33368-01.
    2/28/2012 10:56:48 PM, Error: Service Control Manager [7023] - The RushTopDevice service terminated with the following error: The specified procedure could not be found.
    2/28/2012 10:55:49 PM, Error: Service Control Manager [7023] - The Clmtomcatstartersvc service terminated with the following error: The specified procedure could not be found.
    2/27/2012 9:50:10 AM, Error: Service Control Manager [7023] - The Zebrmdfl service terminated with the following error: The specified procedure could not be found.
    2/27/2012 9:49:22 AM, Error: Service Control Manager [7023] - The CDRPDACC service terminated with the following error: The specified procedure could not be found.
    2/27/2012 12:56:23 AM, Error: Service Control Manager [7023] - The Nsengine service terminated with the following error: The specified procedure could not be found.
    2/27/2012 12:40:57 AM, Error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: The specified procedure could not be found.
    2/27/2012 12:40:01 AM, Error: Service Control Manager [7023] - The Winproxy service terminated with the following error: The specified procedure could not be found.
    2/27/2012 12:30:47 AM, Error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
    2/27/2012 10:25:47 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    2/27/2012 10:25:36 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
    2/27/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    2/27/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/27/2012 10:25:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/27/2012 10:25:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    2/27/2012 10:25:19 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    2/27/2012 10:20:11 AM, Error: Service Control Manager [7023] - The Lusbaudio service terminated with the following error: The specified procedure could not be found.
    2/27/2012 10:05:17 AM, Error: Service Control Manager [7023] - The Nsausvc service terminated with the following error: The specified procedure could not be found.
    2/27/2012 1:43:19 AM, Error: Service Control Manager [7023] - The Pgpserv service terminated with the following error: The specified procedure could not be found.
    2/27/2012 1:41:13 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/27/2012 1:39:23 PM, Error: Service Control Manager [7023] - The Windows Audio Endpoint Builder service terminated with the following error: The RPC server is unavailable.
    2/27/2012 1:39:23 PM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/27/2012 1:39:23 PM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/27/2012 1:28:53 AM, Error: Service Control Manager [7023] - The Tvtpktfilter service terminated with the following error: The specified procedure could not be found.
    2/27/2012 1:11:00 AM, Error: Service Control Manager [7023] - The Zpaction service terminated with the following error: The specified procedure could not be found.
    2/27/2012 1:07:44 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
    2/23/2012 2:16:08 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    .
    ==== End Of File ===========================

    And here is the RKreport:

    RogueKiller V7.2.1 [02/29/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User: Admin [Admin rights]
    Mode: Scan -- Date: 02/29/2012 18:38:16

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 4 ¤¤¤
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (0.0.0.0:80) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS545016B9SA02 ATA Device +++++
    --- User ---
    [MBR] 7b658aaaf2d6b56aa35117b2456545e2
    [BSP] 4fd3684c7d869df09ef237342a75e7b8 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
    1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 130944 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 268847104 | Size: 21354 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  5. rubiksgeek

    rubiksgeek TS Rookie Topic Starter

    And here is aswMBR

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-29 18:06:46
    -----------------------------
    18:06:46.949 OS Version: Windows 6.1.7600
    18:06:46.949 Number of processors: 2 586 0x170A
    18:06:46.952 ComputerName: ADMIN-PC UserName: Admin
    18:07:20.716 Initialize success
    18:08:02.977 AVAST engine defs: 12022901
    18:08:39.560 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    18:08:39.565 Disk 0 Vendor: Hitachi_HTS545016B9SA02 PBBAC60Q Size: 152627MB BusType: 3
    18:08:39.634 Disk 0 MBR read successfully
    18:08:39.637 Disk 0 MBR scan
    18:08:39.641 Disk 0 Windows 7 default MBR code
    18:08:39.645 Disk 0 Partition 1 00 EE GPT 200 MB offset 1
    18:08:39.684 Disk 0 Partition 2 00 AF HFS / HFS+ 130944 MB offset 409640
    18:08:39.742 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 21354 MB offset 268847104
    18:08:39.760 Disk 0 scanning sectors +312580096
    18:08:39.874 Disk 0 scanning C:\Windows\system32\drivers
    18:08:50.795 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Aluroot [Rtk]
    18:09:07.098 Disk 0 trace - called modules:
    18:09:07.146 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86226f10]<<
    18:09:07.152 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85faca58]
    18:09:07.160 3 CLASSPNP.SYS[8a79459e] -> nt!IofCallDriver -> [0x86200dd0]
    18:09:07.167 \Driver\00001240[0x861f51d0] -> IRP_MJ_CREATE -> 0x86226f10
    18:09:09.185 AVAST engine scan C:\Windows
    18:09:11.096 AVAST engine scan C:\Windows\system32
    18:09:48.446 File: C:\Windows\system32\EQIqw3KV.com **INFECTED** Win32:IRCBot-EMN [Trj]
    18:09:48.510 File: C:\Windows\system32\EQIqw3KV.com_ **INFECTED** Win32:IRCBot-EMN [Trj]
    18:12:59.518 AVAST engine scan C:\Windows\system32\drivers
    18:13:05.197 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Aluroot [Rtk]
    18:13:17.726 AVAST engine scan C:\Users\Admin
    18:16:04.157 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"
    18:16:04.170 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR.txt"
     
  6. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. rubiksgeek

    rubiksgeek TS Rookie Topic Starter

    The scan came up clean:

    20:15:44.0189 0908 TDSS rootkit removing tool 2.7.17.0 Feb 29 2012 14:02:24
    20:15:45.0000 0908 ============================================================
    20:15:45.0000 0908 Current date / time: 2012/02/29 20:15:45.0000
    20:15:45.0000 0908 SystemInfo:
    20:15:45.0000 0908
    20:15:45.0000 0908 OS Version: 6.1.7600 ServicePack: 0.0
    20:15:45.0000 0908 Product type: Workstation
    20:15:45.0000 0908 ComputerName: ADMIN-PC
    20:15:45.0000 0908 UserName: Admin
    20:15:45.0000 0908 Windows directory: C:\Windows
    20:15:45.0000 0908 System windows directory: C:\Windows
    20:15:45.0000 0908 Processor architecture: Intel x86
    20:15:45.0000 0908 Number of processors: 2
    20:15:45.0000 0908 Page size: 0x1000
    20:15:45.0000 0908 Boot type: Normal boot
    20:15:45.0000 0908 ============================================================
    20:15:46.0373 0908 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    20:15:46.0389 0908 \Device\Harddisk0\DR0:
    20:15:46.0389 0908 GPT used
    20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition0: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {000060FC-3C9C-0000-1E70-000026560000}, Name: EFI system partition, StartLBA 0x28, BlocksNum 0x64000
    20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {48465300-0000-11AA-AA11-00306543ECAC}, UniqueGUID: {00006758-5B13-0000-5F76-0000B03B0000}, Name: Customer, StartLBA 0x64028, BlocksNum 0xFFC0000
    20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {D284DC21-567F-4769-9D7E-36480FC1030C}, Name: BOOTCAMP, StartLBA 0x10064800, BlocksNum 0x29B5000
    20:15:46.0389 0908 Initialize success
    20:15:46.0389 0908 ============================================================
    20:15:48.0931 2332 ============================================================
    20:15:48.0931 2332 Scan started
    20:15:48.0931 2332 Mode: Manual;
    20:15:48.0931 2332 ============================================================
    20:15:49.0665 2332 1394ohci - ok
    20:15:49.0727 2332 ACPI - ok
    20:15:49.0743 2332 AcpiPmi - ok
    20:15:49.0805 2332 adp94xx - ok
    20:15:49.0805 2332 adpahci - ok
    20:15:49.0821 2332 adpu320 - ok
    20:15:49.0852 2332 AFD - ok
    20:15:49.0852 2332 agp440 - ok
    20:15:49.0867 2332 aic78xx - ok
    20:15:49.0883 2332 aliide - ok
    20:15:49.0945 2332 amdagp - ok
    20:15:49.0945 2332 amdide - ok
    20:15:49.0961 2332 AmdK8 - ok
    20:15:49.0977 2332 AmdPPM - ok
    20:15:49.0992 2332 amdsata - ok
    20:15:49.0992 2332 amdsbs - ok
    20:15:50.0008 2332 amdxata - ok
    20:15:50.0023 2332 AppID - ok
    20:15:50.0055 2332 AppleHFS - ok
    20:15:50.0070 2332 AppleMNT - ok
    20:15:50.0070 2332 applemtm - ok
    20:15:50.0086 2332 applemtp - ok
    20:15:50.0133 2332 arc - ok
    20:15:50.0148 2332 arcsas - ok
    20:15:50.0164 2332 AsyncMac - ok
    20:15:50.0164 2332 atapi - ok
    20:15:50.0179 2332 b06bdrv - ok
    20:15:50.0179 2332 b57nd60x - ok
    20:15:50.0195 2332 BCM43XX - ok
    20:15:50.0195 2332 Beep - ok
    20:15:50.0195 2332 blbdrive - ok
    20:15:50.0273 2332 bowser - ok
    20:15:50.0273 2332 BrFiltLo - ok
    20:15:50.0273 2332 BrFiltUp - ok
    20:15:50.0289 2332 Brserid - ok
    20:15:50.0289 2332 BrSerWdm - ok
    20:15:50.0289 2332 BrUsbMdm - ok
    20:15:50.0289 2332 BrUsbSer - ok
    20:15:50.0304 2332 BthEnum - ok
    20:15:50.0320 2332 BTHMODEM - ok
    20:15:50.0320 2332 BthPan - ok
    20:15:50.0335 2332 BTHPORT - ok
    20:15:50.0367 2332 BTHUSB - ok
    20:15:50.0382 2332 cdfs - ok
    20:15:50.0398 2332 cdrom - ok
    20:15:50.0413 2332 circlass - ok
    20:15:50.0429 2332 CirrusFilter - ok
    20:15:50.0445 2332 CLFS - ok
    20:15:50.0460 2332 CmBatt - ok
    20:15:50.0460 2332 cmdide - ok
    20:15:50.0460 2332 CNG - ok
    20:15:50.0476 2332 Compbatt - ok
    20:15:50.0491 2332 CompositeBus - ok
    20:15:50.0507 2332 crcdisk - ok
    20:15:50.0538 2332 CSC - ok
    20:15:50.0538 2332 DfsC - ok
    20:15:50.0554 2332 discache - ok
    20:15:50.0554 2332 Disk - ok
    20:15:50.0569 2332 drmkaud - ok
    20:15:50.0585 2332 DXGKrnl - ok
    20:15:50.0585 2332 ebdrv - ok
    20:15:50.0616 2332 elxstor - ok
    20:15:50.0616 2332 ErrDev - ok
    20:15:50.0632 2332 exfat - ok
    20:15:50.0632 2332 fastfat - ok
    20:15:50.0647 2332 fdc - ok
    20:15:50.0663 2332 FileInfo - ok
    20:15:50.0663 2332 Filetrace - ok
    20:15:50.0663 2332 flpydisk - ok
    20:15:50.0679 2332 FltMgr - ok
    20:15:50.0694 2332 FsDepends - ok
    20:15:50.0710 2332 Fs_Rec - ok
    20:15:50.0710 2332 fvevol - ok
    20:15:50.0710 2332 gagp30kx - ok
    20:15:50.0710 2332 hcw85cir - ok
    20:15:50.0725 2332 HdAudAddService - ok
    20:15:50.0725 2332 HDAudBus - ok
    20:15:50.0725 2332 HidBatt - ok
    20:15:50.0741 2332 HidBth - ok
    20:15:50.0741 2332 HidIr - ok
    20:15:50.0741 2332 HidUsb - ok
    20:15:50.0757 2332 HpSAMD - ok
    20:15:50.0772 2332 HTTP - ok
    20:15:50.0772 2332 hwpolicy - ok
    20:15:50.0803 2332 i8042prt - ok
    20:15:50.0803 2332 iaStorV - ok
    20:15:50.0819 2332 iirsp - ok
    20:15:50.0850 2332 intelide - ok
    20:15:50.0866 2332 intelppm - ok
    20:15:50.0866 2332 IpFilterDriver - ok
    20:15:50.0881 2332 IPMIDRV - ok
    20:15:50.0881 2332 IPNAT - ok
    20:15:50.0881 2332 IRENUM - ok
    20:15:50.0897 2332 IRRemoteFlt - ok
    20:15:50.0897 2332 isapnp - ok
    20:15:50.0897 2332 iScsiPrt - ok
    20:15:50.0928 2332 kbdclass - ok
    20:15:50.0944 2332 kbdhid - ok
    20:15:50.0944 2332 KeyAgent - ok
    20:15:50.0944 2332 KeyMagic - ok
    20:15:50.0944 2332 KSecDD - ok
    20:15:50.0959 2332 KSecPkg - ok
    20:15:50.0975 2332 lltdio - ok
    20:15:50.0991 2332 LSI_FC - ok
    20:15:50.0991 2332 LSI_SAS - ok
    20:15:50.0991 2332 LSI_SAS2 - ok
    20:15:51.0006 2332 LSI_SCSI - ok
    20:15:51.0022 2332 luafv - ok
    20:15:51.0022 2332 MacHALDriver - ok
    20:15:51.0022 2332 MBAMProtector - ok
    20:15:51.0037 2332 megasas - ok
    20:15:51.0037 2332 MegaSR - ok
    20:15:51.0053 2332 Modem - ok
    20:15:51.0053 2332 monitor - ok
    20:15:51.0053 2332 mouclass - ok
    20:15:51.0053 2332 mouhid - ok
    20:15:51.0069 2332 mountmgr - ok
    20:15:51.0069 2332 mpio - ok
    20:15:51.0069 2332 mpsdrv - ok
    20:15:51.0084 2332 MRxDAV - ok
    20:15:51.0084 2332 mrxsmb - ok
    20:15:51.0100 2332 mrxsmb10 - ok
    20:15:51.0100 2332 mrxsmb20 - ok
    20:15:51.0100 2332 msahci - ok
    20:15:51.0100 2332 msdsm - ok
    20:15:51.0115 2332 Msfs - ok
    20:15:51.0131 2332 mshidkmdf - ok
    20:15:51.0131 2332 msisadrv - ok
    20:15:51.0131 2332 MSKSSRV - ok
    20:15:51.0147 2332 MSPCLOCK - ok
    20:15:51.0162 2332 MSPQM - ok
    20:15:51.0162 2332 MsRPC - ok
    20:15:51.0162 2332 mssmbios - ok
    20:15:51.0162 2332 MSTEE - ok
    20:15:51.0178 2332 MTConfig - ok
    20:15:51.0178 2332 Mup - ok
    20:15:51.0178 2332 NativeWifiP - ok
    20:15:51.0209 2332 NDIS - ok
    20:15:51.0225 2332 NdisCap - ok
    20:15:51.0256 2332 NdisTapi - ok
    20:15:51.0256 2332 Ndisuio - ok
    20:15:51.0256 2332 NdisWan - ok
    20:15:51.0256 2332 NDProxy - ok
    20:15:51.0271 2332 NetBIOS - ok
    20:15:51.0271 2332 NetBT - ok
    20:15:51.0287 2332 nfrd960 - ok
    20:15:51.0303 2332 Npfs - ok
    20:15:51.0303 2332 nsiproxy - ok
    20:15:51.0318 2332 Ntfs - ok
    20:15:51.0318 2332 Null - ok
    20:15:51.0318 2332 NVENETFD - ok
    20:15:51.0334 2332 nvlddmkm - ok
    20:15:51.0334 2332 nvraid - ok
    20:15:51.0334 2332 nvsmu - ok
    20:15:51.0349 2332 nvstor - ok
    20:15:51.0365 2332 nv_agp - ok
    20:15:51.0381 2332 ohci1394 - ok
    20:15:51.0381 2332 Parport - ok
    20:15:51.0396 2332 partmgr - ok
    20:15:51.0396 2332 Parvdm - ok
    20:15:51.0396 2332 pci - ok
    20:15:51.0396 2332 pciide - ok
    20:15:51.0412 2332 pcmcia - ok
    20:15:51.0412 2332 pcw - ok
    20:15:51.0412 2332 PEAUTH - ok
    20:15:51.0443 2332 PptpMiniport - ok
    20:15:51.0459 2332 Processor - ok
    20:15:51.0490 2332 Psched - ok
    20:15:51.0505 2332 ql2300 - ok
    20:15:51.0521 2332 ql40xx - ok
    20:15:51.0537 2332 QWAVEdrv - ok
    20:15:51.0537 2332 RasAcd - ok
    20:15:51.0537 2332 RasAgileVpn - ok
    20:15:51.0537 2332 Rasl2tp - ok
    20:15:51.0568 2332 RasPppoe - ok
    20:15:51.0568 2332 RasSstp - ok
    20:15:51.0568 2332 rdbss - ok
    20:15:51.0568 2332 rdpbus - ok
    20:15:51.0583 2332 RDPCDD - ok
    20:15:51.0583 2332 RDPDR - ok
    20:15:51.0583 2332 RDPENCDD - ok
    20:15:51.0599 2332 RDPREFMP - ok
    20:15:51.0599 2332 RDPWD - ok
    20:15:51.0599 2332 rdyboost - ok
    20:15:51.0615 2332 RFCOMM - ok
    20:15:51.0646 2332 rspndr - ok
    20:15:51.0646 2332 s3cap - ok
    20:15:51.0661 2332 sbp2port - ok
    20:15:51.0677 2332 scfilter - ok
    20:15:51.0724 2332 secdrv - ok
    20:15:51.0739 2332 Serenum - ok
    20:15:51.0739 2332 Serial - ok
    20:15:51.0755 2332 sermouse - ok
    20:15:51.0755 2332 sffdisk - ok
    20:15:51.0771 2332 sffp_mmc - ok
    20:15:51.0771 2332 sffp_sd - ok
    20:15:51.0771 2332 sfloppy - ok
    20:15:51.0786 2332 sisagp - ok
    20:15:51.0817 2332 SiSRaid2 - ok
    20:15:51.0817 2332 SiSRaid4 - ok
    20:15:51.0833 2332 Smb - ok
    20:15:51.0849 2332 spldr - ok
    20:15:51.0864 2332 srv - ok
    20:15:51.0864 2332 srv2 - ok
    20:15:51.0864 2332 srvnet - ok
    20:15:51.0864 2332 stexstor - ok
    20:15:51.0880 2332 storflt - ok
    20:15:51.0895 2332 storvsc - ok
    20:15:51.0927 2332 swenum - ok
    20:15:51.0989 2332 Tcpip - ok
    20:15:52.0005 2332 TCPIP6 - ok
    20:15:52.0020 2332 tcpipreg - ok
    20:15:52.0020 2332 TDPIPE - ok
    20:15:52.0020 2332 TDTCP - ok
    20:15:52.0036 2332 tdx - ok
    20:15:52.0036 2332 TermDD - ok
    20:15:52.0067 2332 tssecsrv - ok
    20:15:52.0083 2332 tunnel - ok
    20:15:52.0083 2332 uagp35 - ok
    20:15:52.0083 2332 udfs - ok
    20:15:52.0114 2332 uliagpkx - ok
    20:15:52.0114 2332 umbus - ok
    20:15:52.0114 2332 UmPass - ok
    20:15:52.0145 2332 usbaudio - ok
    20:15:52.0161 2332 usbccgp - ok
    20:15:52.0161 2332 usbcir - ok
    20:15:52.0161 2332 usbehci - ok
    20:15:52.0176 2332 usbhub - ok
    20:15:52.0176 2332 usbohci - ok
    20:15:52.0192 2332 USBPNPA - ok
    20:15:52.0192 2332 usbprint - ok
    20:15:52.0192 2332 USBSTOR - ok
    20:15:52.0207 2332 usbuhci - ok
    20:15:52.0207 2332 usbvideo - ok
    20:15:52.0223 2332 VCSVADHWSer - ok
    20:15:52.0223 2332 vdrvroot - ok
    20:15:52.0223 2332 vga - ok
    20:15:52.0239 2332 VgaSave - ok
    20:15:52.0239 2332 vhdmp - ok
    20:15:52.0239 2332 viaagp - ok
    20:15:52.0239 2332 ViaC7 - ok
    20:15:52.0254 2332 viaide - ok
    20:15:52.0254 2332 vmbus - ok
    20:15:52.0254 2332 VMBusHID - ok
    20:15:52.0270 2332 volmgr - ok
    20:15:52.0270 2332 volmgrx - ok
    20:15:52.0270 2332 volsnap - ok
    20:15:52.0285 2332 vsmraid - ok
    20:15:52.0301 2332 vwifibus - ok
    20:15:52.0301 2332 vwififlt - ok
    20:15:52.0317 2332 WacomPen - ok
    20:15:52.0317 2332 WANARP - ok
    20:15:52.0317 2332 Wanarpv6 - ok
    20:15:52.0332 2332 Wd - ok
    20:15:52.0332 2332 Wdf01000 - ok
    20:15:52.0363 2332 WfpLwf - ok
    20:15:52.0363 2332 WIMMount - ok
    20:15:52.0395 2332 WmiAcpi - ok
    20:15:52.0410 2332 ws2ifsl - ok
    20:15:52.0426 2332 WudfPf - ok
    20:15:52.0426 2332 WUDFRd - ok
    20:15:52.0488 2332 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
    20:15:52.0535 2332 \Device\Harddisk0\DR0 - ok
    20:15:52.0535 2332 Boot (0x1200) (285fe25c7a0ed4fe0df8fc357d7a4c0f) \Device\Harddisk0\DR0\Partition0
    20:15:52.0535 2332 \Device\Harddisk0\DR0\Partition0 - ok
    20:15:52.0566 2332 Boot (0x1200) (0dee4092476dd6e930de0f40dba12def) \Device\Harddisk0\DR0\Partition1
    20:15:52.0566 2332 \Device\Harddisk0\DR0\Partition1 - ok
    20:15:52.0566 2332 Boot (0x1200) (006bc836c67f0c5ed9abf746ebc85c3b) \Device\Harddisk0\DR0\Partition2
    20:15:52.0582 2332 \Device\Harddisk0\DR0\Partition2 - ok
    20:15:52.0582 2332 ============================================================
    20:15:52.0582 2332 Scan finished
    20:15:52.0582 2332 ============================================================
    20:15:52.0582 2508 Detected object count: 0
    20:15:52.0582 2508 Actual detected object count: 0
     
  8. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. rubiksgeek

    rubiksgeek TS Rookie Topic Starter

    Hello Broni! First, I want to say thank you for taking the time to help me with this issue.

    I'm not sure Combofix is necessarily not working. I double click on it, a box with a black background and green lettering comes up, it goes through a list then closes. I wait a bit and when nothing happens, I click on it again and it does the same thing, but this time it says it cannot install a file and asks if I would like to Ignore, Abort or Skip.

    Before I destroy my computer, I'd like to know your thoughts. Thank you. :)
     
  10. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Re-run Combofix from safe mode and be more patient.
     
  11. rubiksgeek

    rubiksgeek TS Rookie Topic Starter

    ComboFix 12-03-01.02 - Admin 03/07/2012 19:32:56.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2791.2212 [GMT -6:00]
    Running from: c:\users\Admin\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\mafwboot.dll
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-01 00:25 . 2012-02-27 03:20 83968 ----a-w- c:\programdata\GkCuTbve.exe
    2012-02-29 02:38 . 2012-02-29 02:38 100864 ----a-w- C:\pwlorpob.sys
    2012-02-27 19:40 . 2012-02-27 19:40 -------- d-----w- c:\users\Admin\AppData\Local\ElevatedDiagnostics
    2012-02-27 19:17 . 2012-02-27 19:17 -------- d-----w- c:\program files\ESET
    2012-02-27 03:28 . 2012-02-27 03:28 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
    2012-02-11 05:43 . 2012-03-08 01:35 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-11 05:32 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-02-11 05:32 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-02-11 05:32 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-02-11 05:32 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-02-11 05:32 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
    2012-02-11 05:32 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
    2012-02-11 05:32 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
    2012-02-11 05:32 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
    2012-02-11 05:32 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-02-11 05:32 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 21:24 . 2011-12-09 05:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-16 13752864]
    "Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2009-07-22 431408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe" [2011-11-16 247968]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-12 1343400]
    S0 AppleHFS;AppleHFS; [x]
    S0 AppleMNT;AppleMNT; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-07-22 136496]
    S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2009-07-22 99632]
    S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-07-22 5760]
    S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-07-22 8576]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [2009-07-22 10496]
    S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [2009-07-22 29440]
    S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x86.sys [2009-07-22 9728]
    S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2009-07-22 16512]
    S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2009-07-22 23552]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    symevent
    cd20xrnt
    vpcusb
    mrpostman
    sprtsvc_smartagent
    s616obex
    w810mdm
    agrsrvce
    qbposdbextservices
    mwsarcpkt
    dac960nt
    odysseyIM3
    issvc
    SeaPort
    w300bus
    AVCamUSB20
    SPCtl
    aeaudio
    VC6SecS
    alim1541
    imountsrv
    rkhdrv31
    dlaifs_m
    filechecker
    L8042mou
    usbatapi2000
    sysenforce
    ceepwrsvc
    aha154x
    Shockprf
    cmdmon
    dns4meclient
    U3sHlpDr
    syslogd
    StreamDispatcher
    symc8xx
    XAudio
    AlteraByteBlaster
    ACDaemon
    proxyserverservice
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = 0.0.0.0:80
    LSP: mswsock.dll
    TCP: Interfaces\{27AED930-1ECB-4127-AC3E-D108DF72203E}: NameServer = 4.2.2.1,4.2.2.2
    FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i85qh3sm.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,77,bb,16,f3,1b,21,4b,93,c7,e1,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,77,bb,16,f3,1b,21,4b,93,c7,e1,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(500)
    c:\windows\system32\mswsock.dll
    mswsock.dll 74f00000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-03-07 19:40:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-08 01:40
    .
    Pre-Run: 2,554,912,768 bytes free
    Post-Run: 3,278,012,416 bytes free
    .
    - - End Of File - - 3A30DF83201D23F39BE9C0A14345FE25
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Your Combofix version is outdated.
    Delete your Combofix file, download fresh one and re-run it.
     
Topic Status:
Not open for further replies.

