Inactive [A] Advertisement audio playing in background, possible rootkit


rubiksgeek

Hello!

About 3 days ago, advertisements started playing in the background randomly. This can happen when I'm not even touching the computer.

Windows 7 is dual booted from my MacBook Pro. My Windows partition is used for Skype and programs I run for school.

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-28 22:39:34
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9SA02 rev.PBBAC60Q
Running: kb9ottbu.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pwlorpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A935D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB8092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text dfsc.sys 90028000 245 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
.text dfsc.sys 900280F6 89 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
.text dfsc.sys 90028150 125 Bytes [75, 08, FF, 15, A4, C1, 02, ...]
.text dfsc.sys 900281CE 77 Bytes [6A, 01, EB, 19, 83, C0, D0, ...]
.text dfsc.sys 9002821C 41 Bytes [8B, 4D, F8, 8B, 35, F0, B1, ...]
.text ...
? C:\Windows\System32\Drivers\dfsc.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 77BC5000 5 Bytes JMP 005E000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory 77BC5B80 5 Bytes JMP 005F000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!KiUserExceptionDispatcher 77BC60E8 5 Bytes JMP 005D000A
? C:\Windows\system32\svchost.exe[820] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[932] USER32.dll!TrackPopupMenu 761A4B3B 5 Bytes JMP 66A6AF78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateProcess 77BC4780 5 Bytes JMP 002C000A
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateProcessEx 77BC4790 5 Bytes JMP 002D000A
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtCreateUserProcess 77BC4860 5 Bytes JMP 005C000A
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtProtectVirtualMemory 77BC5000 5 Bytes JMP 001E000A
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!NtWriteVirtualMemory 77BC5B80 5 Bytes JMP 001F000A
.text C:\Windows\System32\ping.exe[1320] ntdll.dll!KiUserExceptionDispatcher 77BC60E8 5 Bytes JMP 001D000A
.text C:\Windows\System32\ping.exe[1320] USER32.dll!GetCursorPos 7617C198 5 Bytes JMP 0063000A
.text C:\Windows\System32\ping.exe[1320] USER32.dll!GetForegroundWindow 7618565D 5 Bytes JMP 0065000A
.text C:\Windows\System32\ping.exe[1320] USER32.dll!WindowFromPoint 761A6D0C 5 Bytes JMP 0064000A
.text C:\Windows\System32\ping.exe[1320] ole32.dll!CoCreateInstance 7771590C 5 Bytes JMP 0062000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!LdrLoadDll 77BDF425 5 Bytes JMP 000A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 458D74EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 15FF50F8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [00ECF014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 01FC7531
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 458DF875
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 15FF508C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] [00ECF004] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 458D086A
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 458D50F8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 15FF508C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] [00ECF000] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 508C458D
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] F00815FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 458B00EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] E84533E4
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 33EC4533
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] C3C9F045
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 8BEC8B55
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] EC833040
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 57565314
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] D98B388B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] EB04708D
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 46B70F20
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 30448D1A
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] F0F0681C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 4F5000EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 00DCAFE8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 85595900
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 811374C0
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 00011CC6
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [75FF8500] C:\Windows\system32\SETUPAPI.dll (Windows Setup API/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 5FC033DC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] C2C95B5E
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 468B0008
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] F4458908
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] 8B0C468B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 45890473
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [74F685F0] C:\Windows\system32\PROPSYS.dll (Microsoft Property System/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] D8BB8D77
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 57000000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] ED015068
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 8D426A00
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 4E50FC45
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] F0E015FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] C08500EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 458D537C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 046A50EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 50F8458D
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] [75FF096A] C:\Windows\system32\SETUPAPI.dll (Windows Setup API/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] DC15FFFC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 8500ECF0
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B317CC0
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 452BF845
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] F0453BF4
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 006A2673
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] FFFC75FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] ECF0D415
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 7CC08500
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 0C4D8B17
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 1F8B018B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 8908558B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 5F8BC21C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] C25C8904
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 01894004
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FFFC75FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] ECF0D815
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 40C78300
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 8F75F685
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] E940C033
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] FFFFFF67
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 51EC8B55
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 0173A051
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 565300ED
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C0BE0F57
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 7D89FF33
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] DC2AE8F8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] DC8B0000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 45C7F633
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 001000FC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] FC458B00
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 0F73F83B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 11E8C72B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 8B0000DC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 2BC38BF4
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 8DF88BC6
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 5750FC45
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] FF056A56
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] ECF0D015
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 00043D00
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] D574C000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 047DC085
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] 60EBC033
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] F003C033
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 468D016A
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] 18685038
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] FF00ECF1
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] ECF0CC15
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] [75C08400] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 85068B08
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EBE375C0
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 68006A3C
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 00040000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] F07415FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] F88B00EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 2974FF85
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FF016A57
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] 15FF4476
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [00ECF020] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 127CC085
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 8B0C75FF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 0875FFCE
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 81E8C78B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 89FFFFFE
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF57F845
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] ECF02415
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] F8458B00
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 5FEC658D
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] C2C95B5E
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 8B550008
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 3CEC81EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 56000002
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] E856F08B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] 0000DB36
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 00803D59
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 870F0000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 000000AC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 0F2E3E80
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 0000A384
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 858D5600
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] ECF12068
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 15FF5000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] [00ECF02C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FDC8858D
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 2E6AFFFF
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] DB06E850
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] C4830000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 74C08514
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 66C9337B
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] C0830889
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] F1906802
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] E85000EC
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 0000DAF2
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] C0855959
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 858D6275
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] CC758D50
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] 000DFFE8
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 19685000
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] 8D000200
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] FF50FC45
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] ECF03815
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 7CC08500
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] EC458D3F
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 50106A50
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 2868026A
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] FF00ECF2
IAT C:\Windows\system32\svchost.exe[820] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] F633FC75

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000074 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000076 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 90011000-90027000 (90112 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002608d835bd
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002608d835bd (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB36107$\3266436414 0 bytes
File C:\Windows\$NtUninstallKB36107$\664251036 0 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\@ 2048 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\bckfg.tmp 856 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\cfg.ini 377 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\keywords 18 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\L 0 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\L\xadqgnnk 78336 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\oemid 186 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U 0 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\80000000.@ 66560 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB36107$\664251036\version 842 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1004-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1005-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C6FD1006-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D5-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D72458D6-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B5-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E746E6B6-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE5B8FE4-628C-11E1-A025-002608D835BD}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34A05EZ3\errorPageStrings[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\80N60RJN\ErrorPageTemplate[1] 2168 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PG8Q4L7\tools[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8Y5WIVR\httpErrorPagesScripts[1] 8601 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T8Y5WIVR\favcenter[1] 3366 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VY8W1WDM\errorPageStrings[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VY8W1WDM\dnserror[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EBE9JRQ2\dnserror[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHSFCM3J\down[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LAZJO355\ErrorPageTemplate[1] 2168 bytes

---- EOF - GMER 1.0.15 ----

Continued


DDS Log:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_30
Run by Admin at 22:40:40 on 2012-02-28
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2791.1506 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIqw3KV.com
C:\Windows\system32\EQIqw3KV.com
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apple_KbdMgr] c:\program files\boot camp\Bootcamp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{27AED930-1ECB-4127-AC3E-D108DF72203E} : NameServer = 4.2.2.1,4.2.2.2
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\i85qh3sm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;c:\windows\system32\drivers\AppleHFS.sys [2009-7-22 48000]
R0 AppleMNT;AppleMNT;c:\windows\system32\drivers\AppleMNT.sys [2009-7-22 5120]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-7-22 136496]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2009-7-22 99632]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-7-22 5760]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-7-22 8576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-27 652360]
R3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-12-9 10496]
R3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-12-9 29440]
R3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\drivers\CS420x86.sys [2009-12-9 9728]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-12-9 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-12-9 23552]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-8 20464]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-12-30 17792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-12 1343400]
.
=============== Created Last 30 ================
.
2012-02-29 02:38:26 100864 ----a-w- C:\pwlorpob.sys
2012-02-27 19:40:25 -------- d-----w- c:\users\admin\appdata\local\ElevatedDiagnostics
2012-02-27 19:17:11 -------- d-----w- c:\program files\ESET
2012-02-27 04:08:02 83968 ----a-w- c:\windows\system32\EQIqw3KV.com
2012-02-27 03:28:47 162664 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10140.bin
2012-02-27 03:19:23 83968 ----a-w- c:\windows\system32\EQIqw3KV.com_
2012-02-11 05:43:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-11 05:32:05 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-11 05:32:05 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-11 05:32:05 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-11 05:32:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-11 05:32:05 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-11 05:32:04 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-02-11 05:32:04 314368 ----a-w- c:\windows\system32\webio.dll
2012-02-11 05:32:04 22528 ----a-w- c:\windows\system32\lsass.exe
2012-02-11 05:32:04 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-11 05:32:04 15360 ----a-w- c:\windows\system32\sspisrv.dll
.
==================== Find3M ====================
.
2012-01-14 03:48:30 2340864 ----a-w- c:\windows\system32\win32k.sys
2012-01-04 09:03:07 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-03 05:44:24 478208 ----a-w- c:\windows\system32\timedate.cpl
2011-12-16 08:02:26 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 07:59:17 690688 ----a-w- c:\windows\system32\msvcrt.dll
2011-12-16 07:58:33 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 06:49:33 386048 ----a-w- c:\windows\system32\html.iec
2011-12-16 06:15:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 14:02:29 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 22:41:12.16 ===============

Malwarebytes Log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.26.07

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Admin :: ADMIN-PC [administrator]

Protection: Enabled

2/28/2012 10:42:37 PM
mbam-log-2012-02-28 (22-42-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 169077
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\hidbatt.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Windows\System32\hidbatt.dll (RootKit.0Access.H) -> Delete on reboot.
C:\Windows\System32\cpqvcagent.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\DcLps.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\imapiservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\MtxDma0.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\oracleorahome92tnslistener.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ptilink.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rimvserport.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\s116nd5.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\NWUSBModem.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)

Thank you!
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=================================================================

I still need Attach.txt part of DDS.

Then....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start the scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

================================================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Click on SCAN.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
 
Hello!

Here is my attach.txt file:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume3
Install Date: 12/9/2009 4:54:31 PM
System Uptime: 2/29/2012 6:26:02 PM (0 hours ago)
.
Motherboard: Apple Inc. | | Mac-F2268AC8
Processor: Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz | U2E1 | 791/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 21 GiB total, 3.318 GiB free.
D: is CDROM ()
E: is FIXED (HFS) - 128 GiB total, 42.401 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: USB Video Device
Device ID: USB\VID_05AC&PID_8507&MI_00\6&13E6359&0&0000
Manufacturer: Microsoft
Name: Built-in iSight
PNP Device ID: USB\VID_05AC&PID_8507&MI_00\6&13E6359&0&0000
Service: usbvideo
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AV Voice Changer Software DIAMOND 7.0
Bonjour
Boot Camp Services
ESET Online Scanner v3
Java Auto Updater
Java(TM) 6 Update 30
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 4 Client Profile
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.27)
NVIDIA Drivers
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Skype Click to Call
Skype™ 5.5
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Windows Driver Package - Apple Inc. (applebt) Bluetooth (01/19/2009 2.1.2.1)
Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (01/11/2008 3.4.3.18)
Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)
Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0)
Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)
Windows Driver Package - Apple Inc. Apple Keyboard (03/05/2009 3.0.0.0)
Windows Driver Package - Apple Inc. Apple Multitouch (03/25/2009 2.1.2.112)
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (03/25/2009 2.1.2.112)
Windows Driver Package - Apple Inc. Apple ODD (01/17/2008 2.0.2.2)
Windows Driver Package - Apple Inc. Apple Trackpad (03/05/2009 3.0.0.0)
Windows Driver Package - Apple Inc. Apple Trackpad Enabler (02/19/2009 3.0.0.0)
Windows Driver Package - Apple Inc. System (08/22/2008 2.1.1.1)
Windows Driver Package - Atheros Communications Inc. (athr) Net (09/18/2008 7.6.1.122)
Windows Driver Package - Atheros Communications Inc. Net (09/18/2008 7.6.1.122)
Windows Driver Package - Broadcom (BCM43XX) Net (10/22/2008 5.10.38.26)
Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA (04/29/2009 6.6001.1.8)
Windows Driver Package - Intel (e1express) Net (02/06/2008 9.12.17.0)
Windows Driver Package - Intel (E1G60) Net (01/08/2008 8.3.9.0)
Windows Driver Package - Intel (e1kexpress) Net (07/22/2008 10.3.45.0)
Windows Driver Package - Intel (e1qexpress) Net (08/05/2008 10.3.49.0)
Windows Driver Package - Intel (e1yexpress) Net (07/16/2008 9.52.10.0)
Windows Driver Package - Intel Net (02/06/2008 9.12.18.0)
Windows Driver Package - Intel Net (06/13/2008 9.52.9.0)
Windows Driver Package - Intel Net (07/22/2008 10.3.45.0)
Windows Driver Package - Intel Net (08/05/2008 10.3.49.0)
Windows Driver Package - Intel Net (11/07/2007 8.10.1.0)
Windows Driver Package - Intel System (07/20/2007 1.2.76.0)
Windows Driver Package - Marvell (yukonwlh) Net (03/23/2007 10.12.7.3)
Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
Windows Live Sign-in Assistant
Windows Live Upload Tool
.
==== Event Viewer Messages From Past Week ========
.
3/1/2012 12:01:38 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x9061f000, 0x00000000, 0x861cf7f0, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 030112-33805-01.
3/1/2012 12:01:21 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
2/29/2012 6:28:24 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
2/29/2012 6:26:39 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
2/29/2012 6:26:34 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
2/29/2012 6:26:25 PM, Error: Service Control Manager [7023] - The CDRPDACC service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Zpaction service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Zebrmdfl service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Z800bus service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Winproxy service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Tmtdi service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The RushTopDevice service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Prism_a02 service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Pgpserv service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Nsausvc service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Lusbaudio service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Lanusb service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Idisw2km service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Dvd-ram_service service terminated with the following error: The system cannot find the file specified.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Clmtomcatstartersvc service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:24 PM, Error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The Tvtpktfilter service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The SaiClass service terminated with the following error: The specified module could not be found.
2/29/2012 6:26:23 PM, Error: Service Control Manager [7023] - The Nsengine service terminated with the following error: The specified module could not be found.
2/29/2012 4:56:31 PM, Error: Service Control Manager [7023] - The Idisw2km service terminated with the following error: The specified procedure could not be found.
2/29/2012 4:42:53 PM, Error: Service Control Manager [7023] - The SaiClass service terminated with the following error: The specified procedure could not be found.
2/29/2012 4:33:08 PM, Error: Service Control Manager [7023] - The Lanusb service terminated with the following error: The specified procedure could not be found.
2/29/2012 4:15:22 PM, Error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified procedure could not be found.
2/29/2012 4:10:26 PM, Error: Service Control Manager [7023] - The Tmtdi service terminated with the following error: The specified procedure could not be found.
2/29/2012 3:29:32 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007f (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 022912-33368-01.
2/28/2012 10:56:48 PM, Error: Service Control Manager [7023] - The RushTopDevice service terminated with the following error: The specified procedure could not be found.
2/28/2012 10:55:49 PM, Error: Service Control Manager [7023] - The Clmtomcatstartersvc service terminated with the following error: The specified procedure could not be found.
2/27/2012 9:50:10 AM, Error: Service Control Manager [7023] - The Zebrmdfl service terminated with the following error: The specified procedure could not be found.
2/27/2012 9:49:22 AM, Error: Service Control Manager [7023] - The CDRPDACC service terminated with the following error: The specified procedure could not be found.
2/27/2012 12:56:23 AM, Error: Service Control Manager [7023] - The Nsengine service terminated with the following error: The specified procedure could not be found.
2/27/2012 12:40:57 AM, Error: Service Control Manager [7023] - The Cachemgr service terminated with the following error: The specified procedure could not be found.
2/27/2012 12:40:01 AM, Error: Service Control Manager [7023] - The Winproxy service terminated with the following error: The specified procedure could not be found.
2/27/2012 12:30:47 AM, Error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
2/27/2012 10:25:47 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2012 10:25:36 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
2/27/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/27/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/27/2012 10:25:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/27/2012 10:25:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/27/2012 10:25:19 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
2/27/2012 10:20:11 AM, Error: Service Control Manager [7023] - The Lusbaudio service terminated with the following error: The specified procedure could not be found.
2/27/2012 10:05:17 AM, Error: Service Control Manager [7023] - The Nsausvc service terminated with the following error: The specified procedure could not be found.
2/27/2012 1:43:19 AM, Error: Service Control Manager [7023] - The Pgpserv service terminated with the following error: The specified procedure could not be found.
2/27/2012 1:41:13 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/27/2012 1:39:23 PM, Error: Service Control Manager [7023] - The Windows Audio Endpoint Builder service terminated with the following error: The RPC server is unavailable.
2/27/2012 1:39:23 PM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/27/2012 1:39:23 PM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/27/2012 1:28:53 AM, Error: Service Control Manager [7023] - The Tvtpktfilter service terminated with the following error: The specified procedure could not be found.
2/27/2012 1:11:00 AM, Error: Service Control Manager [7023] - The Zpaction service terminated with the following error: The specified procedure could not be found.
2/27/2012 1:07:44 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
2/23/2012 2:16:08 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
.
==== End Of File ===========================

And here is the RKreport

RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: Admin [Admin rights]
Mode: Scan -- Date: 02/29/2012 18:38:16

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (0.0.0.0:80) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545016B9SA02 ATA Device +++++
--- User ---
[MBR] 7b658aaaf2d6b56aa35117b2456545e2
[BSP] 4fd3684c7d869df09ef237342a75e7b8 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 130944 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 268847104 | Size: 21354 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 
And here is aswMBR

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-02-29 18:06:46
-----------------------------
18:06:46.949 OS Version: Windows 6.1.7600
18:06:46.949 Number of processors: 2 586 0x170A
18:06:46.952 ComputerName: ADMIN-PC UserName: Admin
18:07:20.716 Initialize success
18:08:02.977 AVAST engine defs: 12022901
18:08:39.560 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:08:39.565 Disk 0 Vendor: Hitachi_HTS545016B9SA02 PBBAC60Q Size: 152627MB BusType: 3
18:08:39.634 Disk 0 MBR read successfully
18:08:39.637 Disk 0 MBR scan
18:08:39.641 Disk 0 Windows 7 default MBR code
18:08:39.645 Disk 0 Partition 1 00 EE GPT 200 MB offset 1
18:08:39.684 Disk 0 Partition 2 00 AF HFS / HFS+ 130944 MB offset 409640
18:08:39.742 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 21354 MB offset 268847104
18:08:39.760 Disk 0 scanning sectors +312580096
18:08:39.874 Disk 0 scanning C:\Windows\system32\drivers
18:08:50.795 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Aluroot [Rtk]
18:09:07.098 Disk 0 trace - called modules:
18:09:07.146 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86226f10]<<
18:09:07.152 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85faca58]
18:09:07.160 3 CLASSPNP.SYS[8a79459e] -> nt!IofCallDriver -> [0x86200dd0]
18:09:07.167 \Driver\00001240[0x861f51d0] -> IRP_MJ_CREATE -> 0x86226f10
18:09:09.185 AVAST engine scan C:\Windows
18:09:11.096 AVAST engine scan C:\Windows\system32
18:09:48.446 File: C:\Windows\system32\EQIqw3KV.com **INFECTED** Win32:IRCBot-EMN [Trj]
18:09:48.510 File: C:\Windows\system32\EQIqw3KV.com_ **INFECTED** Win32:IRCBot-EMN [Trj]
18:12:59.518 AVAST engine scan C:\Windows\system32\drivers
18:13:05.197 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Aluroot [Rtk]
18:13:17.726 AVAST engine scan C:\Users\Admin
18:16:04.157 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"
18:16:04.170 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR.txt"
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
The scan came up clean

20:15:44.0189 0908 TDSS rootkit removing tool 2.7.17.0 Feb 29 2012 14:02:24
20:15:45.0000 0908 ============================================================
20:15:45.0000 0908 Current date / time: 2012/02/29 20:15:45.0000
20:15:45.0000 0908 SystemInfo:
20:15:45.0000 0908
20:15:45.0000 0908 OS Version: 6.1.7600 ServicePack: 0.0
20:15:45.0000 0908 Product type: Workstation
20:15:45.0000 0908 ComputerName: ADMIN-PC
20:15:45.0000 0908 UserName: Admin
20:15:45.0000 0908 Windows directory: C:\Windows
20:15:45.0000 0908 System windows directory: C:\Windows
20:15:45.0000 0908 Processor architecture: Intel x86
20:15:45.0000 0908 Number of processors: 2
20:15:45.0000 0908 Page size: 0x1000
20:15:45.0000 0908 Boot type: Normal boot
20:15:45.0000 0908 ============================================================
20:15:46.0373 0908 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:15:46.0389 0908 \Device\Harddisk0\DR0:
20:15:46.0389 0908 GPT used
20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition0: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {000060FC-3C9C-0000-1E70-000026560000}, Name: EFI system partition, StartLBA 0x28, BlocksNum 0x64000
20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {48465300-0000-11AA-AA11-00306543ECAC}, UniqueGUID: {00006758-5B13-0000-5F76-0000B03B0000}, Name: Customer, StartLBA 0x64028, BlocksNum 0xFFC0000
20:15:46.0389 0908 \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {D284DC21-567F-4769-9D7E-36480FC1030C}, Name: BOOTCAMP, StartLBA 0x10064800, BlocksNum 0x29B5000
20:15:46.0389 0908 Initialize success
20:15:46.0389 0908 ============================================================
20:15:48.0931 2332 ============================================================
20:15:48.0931 2332 Scan started
20:15:48.0931 2332 Mode: Manual;
20:15:48.0931 2332 ============================================================
20:15:49.0665 2332 1394ohci - ok
20:15:49.0727 2332 ACPI - ok
20:15:49.0743 2332 AcpiPmi - ok
20:15:49.0805 2332 adp94xx - ok
20:15:49.0805 2332 adpahci - ok
20:15:49.0821 2332 adpu320 - ok
20:15:49.0852 2332 AFD - ok
20:15:49.0852 2332 agp440 - ok
20:15:49.0867 2332 aic78xx - ok
20:15:49.0883 2332 aliide - ok
20:15:49.0945 2332 amdagp - ok
20:15:49.0945 2332 amdide - ok
20:15:49.0961 2332 AmdK8 - ok
20:15:49.0977 2332 AmdPPM - ok
20:15:49.0992 2332 amdsata - ok
20:15:49.0992 2332 amdsbs - ok
20:15:50.0008 2332 amdxata - ok
20:15:50.0023 2332 AppID - ok
20:15:50.0055 2332 AppleHFS - ok
20:15:50.0070 2332 AppleMNT - ok
20:15:50.0070 2332 applemtm - ok
20:15:50.0086 2332 applemtp - ok
20:15:50.0133 2332 arc - ok
20:15:50.0148 2332 arcsas - ok
20:15:50.0164 2332 AsyncMac - ok
20:15:50.0164 2332 atapi - ok
20:15:50.0179 2332 b06bdrv - ok
20:15:50.0179 2332 b57nd60x - ok
20:15:50.0195 2332 BCM43XX - ok
20:15:50.0195 2332 Beep - ok
20:15:50.0195 2332 blbdrive - ok
20:15:50.0273 2332 bowser - ok
20:15:50.0273 2332 BrFiltLo - ok
20:15:50.0273 2332 BrFiltUp - ok
20:15:50.0289 2332 Brserid - ok
20:15:50.0289 2332 BrSerWdm - ok
20:15:50.0289 2332 BrUsbMdm - ok
20:15:50.0289 2332 BrUsbSer - ok
20:15:50.0304 2332 BthEnum - ok
20:15:50.0320 2332 BTHMODEM - ok
20:15:50.0320 2332 BthPan - ok
20:15:50.0335 2332 BTHPORT - ok
20:15:50.0367 2332 BTHUSB - ok
20:15:50.0382 2332 cdfs - ok
20:15:50.0398 2332 cdrom - ok
20:15:50.0413 2332 circlass - ok
20:15:50.0429 2332 CirrusFilter - ok
20:15:50.0445 2332 CLFS - ok
20:15:50.0460 2332 CmBatt - ok
20:15:50.0460 2332 cmdide - ok
20:15:50.0460 2332 CNG - ok
20:15:50.0476 2332 Compbatt - ok
20:15:50.0491 2332 CompositeBus - ok
20:15:50.0507 2332 crcdisk - ok
20:15:50.0538 2332 CSC - ok
20:15:50.0538 2332 DfsC - ok
20:15:50.0554 2332 discache - ok
20:15:50.0554 2332 Disk - ok
20:15:50.0569 2332 drmkaud - ok
20:15:50.0585 2332 DXGKrnl - ok
20:15:50.0585 2332 ebdrv - ok
20:15:50.0616 2332 elxstor - ok
20:15:50.0616 2332 ErrDev - ok
20:15:50.0632 2332 exfat - ok
20:15:50.0632 2332 fastfat - ok
20:15:50.0647 2332 fdc - ok
20:15:50.0663 2332 FileInfo - ok
20:15:50.0663 2332 Filetrace - ok
20:15:50.0663 2332 flpydisk - ok
20:15:50.0679 2332 FltMgr - ok
20:15:50.0694 2332 FsDepends - ok
20:15:50.0710 2332 Fs_Rec - ok
20:15:50.0710 2332 fvevol - ok
20:15:50.0710 2332 gagp30kx - ok
20:15:50.0710 2332 hcw85cir - ok
20:15:50.0725 2332 HdAudAddService - ok
20:15:50.0725 2332 HDAudBus - ok
20:15:50.0725 2332 HidBatt - ok
20:15:50.0741 2332 HidBth - ok
20:15:50.0741 2332 HidIr - ok
20:15:50.0741 2332 HidUsb - ok
20:15:50.0757 2332 HpSAMD - ok
20:15:50.0772 2332 HTTP - ok
20:15:50.0772 2332 hwpolicy - ok
20:15:50.0803 2332 i8042prt - ok
20:15:50.0803 2332 iaStorV - ok
20:15:50.0819 2332 iirsp - ok
20:15:50.0850 2332 intelide - ok
20:15:50.0866 2332 intelppm - ok
20:15:50.0866 2332 IpFilterDriver - ok
20:15:50.0881 2332 IPMIDRV - ok
20:15:50.0881 2332 IPNAT - ok
20:15:50.0881 2332 IRENUM - ok
20:15:50.0897 2332 IRRemoteFlt - ok
20:15:50.0897 2332 isapnp - ok
20:15:50.0897 2332 iScsiPrt - ok
20:15:50.0928 2332 kbdclass - ok
20:15:50.0944 2332 kbdhid - ok
20:15:50.0944 2332 KeyAgent - ok
20:15:50.0944 2332 KeyMagic - ok
20:15:50.0944 2332 KSecDD - ok
20:15:50.0959 2332 KSecPkg - ok
20:15:50.0975 2332 lltdio - ok
20:15:50.0991 2332 LSI_FC - ok
20:15:50.0991 2332 LSI_SAS - ok
20:15:50.0991 2332 LSI_SAS2 - ok
20:15:51.0006 2332 LSI_SCSI - ok
20:15:51.0022 2332 luafv - ok
20:15:51.0022 2332 MacHALDriver - ok
20:15:51.0022 2332 MBAMProtector - ok
20:15:51.0037 2332 megasas - ok
20:15:51.0037 2332 MegaSR - ok
20:15:51.0053 2332 Modem - ok
20:15:51.0053 2332 monitor - ok
20:15:51.0053 2332 mouclass - ok
20:15:51.0053 2332 mouhid - ok
20:15:51.0069 2332 mountmgr - ok
20:15:51.0069 2332 mpio - ok
20:15:51.0069 2332 mpsdrv - ok
20:15:51.0084 2332 MRxDAV - ok
20:15:51.0084 2332 mrxsmb - ok
20:15:51.0100 2332 mrxsmb10 - ok
20:15:51.0100 2332 mrxsmb20 - ok
20:15:51.0100 2332 msahci - ok
20:15:51.0100 2332 msdsm - ok
20:15:51.0115 2332 Msfs - ok
20:15:51.0131 2332 mshidkmdf - ok
20:15:51.0131 2332 msisadrv - ok
20:15:51.0131 2332 MSKSSRV - ok
20:15:51.0147 2332 MSPCLOCK - ok
20:15:51.0162 2332 MSPQM - ok
20:15:51.0162 2332 MsRPC - ok
20:15:51.0162 2332 mssmbios - ok
20:15:51.0162 2332 MSTEE - ok
20:15:51.0178 2332 MTConfig - ok
20:15:51.0178 2332 Mup - ok
20:15:51.0178 2332 NativeWifiP - ok
20:15:51.0209 2332 NDIS - ok
20:15:51.0225 2332 NdisCap - ok
20:15:51.0256 2332 NdisTapi - ok
20:15:51.0256 2332 Ndisuio - ok
20:15:51.0256 2332 NdisWan - ok
20:15:51.0256 2332 NDProxy - ok
20:15:51.0271 2332 NetBIOS - ok
20:15:51.0271 2332 NetBT - ok
20:15:51.0287 2332 nfrd960 - ok
20:15:51.0303 2332 Npfs - ok
20:15:51.0303 2332 nsiproxy - ok
20:15:51.0318 2332 Ntfs - ok
20:15:51.0318 2332 Null - ok
20:15:51.0318 2332 NVENETFD - ok
20:15:51.0334 2332 nvlddmkm - ok
20:15:51.0334 2332 nvraid - ok
20:15:51.0334 2332 nvsmu - ok
20:15:51.0349 2332 nvstor - ok
20:15:51.0365 2332 nv_agp - ok
20:15:51.0381 2332 ohci1394 - ok
20:15:51.0381 2332 Parport - ok
20:15:51.0396 2332 partmgr - ok
20:15:51.0396 2332 Parvdm - ok
20:15:51.0396 2332 pci - ok
20:15:51.0396 2332 pciide - ok
20:15:51.0412 2332 pcmcia - ok
20:15:51.0412 2332 pcw - ok
20:15:51.0412 2332 PEAUTH - ok
20:15:51.0443 2332 PptpMiniport - ok
20:15:51.0459 2332 Processor - ok
20:15:51.0490 2332 Psched - ok
20:15:51.0505 2332 ql2300 - ok
20:15:51.0521 2332 ql40xx - ok
20:15:51.0537 2332 QWAVEdrv - ok
20:15:51.0537 2332 RasAcd - ok
20:15:51.0537 2332 RasAgileVpn - ok
20:15:51.0537 2332 Rasl2tp - ok
20:15:51.0568 2332 RasPppoe - ok
20:15:51.0568 2332 RasSstp - ok
20:15:51.0568 2332 rdbss - ok
20:15:51.0568 2332 rdpbus - ok
20:15:51.0583 2332 RDPCDD - ok
20:15:51.0583 2332 RDPDR - ok
20:15:51.0583 2332 RDPENCDD - ok
20:15:51.0599 2332 RDPREFMP - ok
20:15:51.0599 2332 RDPWD - ok
20:15:51.0599 2332 rdyboost - ok
20:15:51.0615 2332 RFCOMM - ok
20:15:51.0646 2332 rspndr - ok
20:15:51.0646 2332 s3cap - ok
20:15:51.0661 2332 sbp2port - ok
20:15:51.0677 2332 scfilter - ok
20:15:51.0724 2332 secdrv - ok
20:15:51.0739 2332 Serenum - ok
20:15:51.0739 2332 Serial - ok
20:15:51.0755 2332 sermouse - ok
20:15:51.0755 2332 sffdisk - ok
20:15:51.0771 2332 sffp_mmc - ok
20:15:51.0771 2332 sffp_sd - ok
20:15:51.0771 2332 sfloppy - ok
20:15:51.0786 2332 sisagp - ok
20:15:51.0817 2332 SiSRaid2 - ok
20:15:51.0817 2332 SiSRaid4 - ok
20:15:51.0833 2332 Smb - ok
20:15:51.0849 2332 spldr - ok
20:15:51.0864 2332 srv - ok
20:15:51.0864 2332 srv2 - ok
20:15:51.0864 2332 srvnet - ok
20:15:51.0864 2332 stexstor - ok
20:15:51.0880 2332 storflt - ok
20:15:51.0895 2332 storvsc - ok
20:15:51.0927 2332 swenum - ok
20:15:51.0989 2332 Tcpip - ok
20:15:52.0005 2332 TCPIP6 - ok
20:15:52.0020 2332 tcpipreg - ok
20:15:52.0020 2332 TDPIPE - ok
20:15:52.0020 2332 TDTCP - ok
20:15:52.0036 2332 tdx - ok
20:15:52.0036 2332 TermDD - ok
20:15:52.0067 2332 tssecsrv - ok
20:15:52.0083 2332 tunnel - ok
20:15:52.0083 2332 uagp35 - ok
20:15:52.0083 2332 udfs - ok
20:15:52.0114 2332 uliagpkx - ok
20:15:52.0114 2332 umbus - ok
20:15:52.0114 2332 UmPass - ok
20:15:52.0145 2332 usbaudio - ok
20:15:52.0161 2332 usbccgp - ok
20:15:52.0161 2332 usbcir - ok
20:15:52.0161 2332 usbehci - ok
20:15:52.0176 2332 usbhub - ok
20:15:52.0176 2332 usbohci - ok
20:15:52.0192 2332 USBPNPA - ok
20:15:52.0192 2332 usbprint - ok
20:15:52.0192 2332 USBSTOR - ok
20:15:52.0207 2332 usbuhci - ok
20:15:52.0207 2332 usbvideo - ok
20:15:52.0223 2332 VCSVADHWSer - ok
20:15:52.0223 2332 vdrvroot - ok
20:15:52.0223 2332 vga - ok
20:15:52.0239 2332 VgaSave - ok
20:15:52.0239 2332 vhdmp - ok
20:15:52.0239 2332 viaagp - ok
20:15:52.0239 2332 ViaC7 - ok
20:15:52.0254 2332 viaide - ok
20:15:52.0254 2332 vmbus - ok
20:15:52.0254 2332 VMBusHID - ok
20:15:52.0270 2332 volmgr - ok
20:15:52.0270 2332 volmgrx - ok
20:15:52.0270 2332 volsnap - ok
20:15:52.0285 2332 vsmraid - ok
20:15:52.0301 2332 vwifibus - ok
20:15:52.0301 2332 vwififlt - ok
20:15:52.0317 2332 WacomPen - ok
20:15:52.0317 2332 WANARP - ok
20:15:52.0317 2332 Wanarpv6 - ok
20:15:52.0332 2332 Wd - ok
20:15:52.0332 2332 Wdf01000 - ok
20:15:52.0363 2332 WfpLwf - ok
20:15:52.0363 2332 WIMMount - ok
20:15:52.0395 2332 WmiAcpi - ok
20:15:52.0410 2332 ws2ifsl - ok
20:15:52.0426 2332 WudfPf - ok
20:15:52.0426 2332 WUDFRd - ok
20:15:52.0488 2332 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
20:15:52.0535 2332 \Device\Harddisk0\DR0 - ok
20:15:52.0535 2332 Boot (0x1200) (285fe25c7a0ed4fe0df8fc357d7a4c0f) \Device\Harddisk0\DR0\Partition0
20:15:52.0535 2332 \Device\Harddisk0\DR0\Partition0 - ok
20:15:52.0566 2332 Boot (0x1200) (0dee4092476dd6e930de0f40dba12def) \Device\Harddisk0\DR0\Partition1
20:15:52.0566 2332 \Device\Harddisk0\DR0\Partition1 - ok
20:15:52.0566 2332 Boot (0x1200) (006bc836c67f0c5ed9abf746ebc85c3b) \Device\Harddisk0\DR0\Partition2
20:15:52.0582 2332 \Device\Harddisk0\DR0\Partition2 - ok
20:15:52.0582 2332 ============================================================
20:15:52.0582 2332 Scan finished
20:15:52.0582 2332 ============================================================
20:15:52.0582 2508 Detected object count: 0
20:15:52.0582 2508 Actual detected object count: 0
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hello Broni! First, I want to say thank you for taking the time to help me with this issue.

I'm not sure Combofix is necessarily not working. I double click on it, a box with a black background and green lettering comes up, it goes through a list then closes. I wait a bit and when nothing happens, I click on it again and it does the same thing, but this time it says it cannot install a file and asks if I would like to Ignore, Abort or Skip.

Before I destroy my computer, I'd like to know your thoughts. Thank you. :)
 
ComboFix 12-03-01.02 - Admin 03/07/2012 19:32:56.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2791.2212 [GMT -6:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\mafwboot.dll
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-01 00:25 . 2012-02-27 03:20 83968 ----a-w- c:\programdata\GkCuTbve.exe
2012-02-29 02:38 . 2012-02-29 02:38 100864 ----a-w- C:\pwlorpob.sys
2012-02-27 19:40 . 2012-02-27 19:40 -------- d-----w- c:\users\Admin\AppData\Local\ElevatedDiagnostics
2012-02-27 19:17 . 2012-02-27 19:17 -------- d-----w- c:\program files\ESET
2012-02-27 03:28 . 2012-02-27 03:28 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-02-11 05:43 . 2012-03-08 01:35 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-11 05:32 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-11 05:32 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-11 05:32 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-11 05:32 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-11 05:32 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-11 05:32 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-02-11 05:32 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-02-11 05:32 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-02-11 05:32 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-11 05:32 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2011-12-09 05:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-16 13752864]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2009-07-22 431408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe" [2011-11-16 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-12 1343400]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-07-22 136496]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2009-07-22 99632]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-07-22 5760]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-07-22 8576]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [2009-07-22 10496]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [2009-07-22 29440]
S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x86.sys [2009-07-22 9728]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2009-07-22 16512]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2009-07-22 23552]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
symevent
cd20xrnt
vpcusb
mrpostman
sprtsvc_smartagent
s616obex
w810mdm
agrsrvce
qbposdbextservices
mwsarcpkt
dac960nt
odysseyIM3
issvc
SeaPort
w300bus
AVCamUSB20
SPCtl
aeaudio
VC6SecS
alim1541
imountsrv
rkhdrv31
dlaifs_m
filechecker
L8042mou
usbatapi2000
sysenforce
ceepwrsvc
aha154x
Shockprf
cmdmon
dns4meclient
U3sHlpDr
syslogd
StreamDispatcher
symc8xx
XAudio
AlteraByteBlaster
ACDaemon
proxyserverservice
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
LSP: mswsock.dll
TCP: Interfaces\{27AED930-1ECB-4127-AC3E-D108DF72203E}: NameServer = 4.2.2.1,4.2.2.2
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i85qh3sm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,77,bb,16,f3,1b,21,4b,93,c7,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,77,bb,16,f3,1b,21,4b,93,c7,e1,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(500)
c:\windows\system32\mswsock.dll
mswsock.dll 74f00000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-07 19:40:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 01:40
.
Pre-Run: 2,554,912,768 bytes free
Post-Run: 3,278,012,416 bytes free
.
- - End Of File - - 3A30DF83201D23F39BE9C0A14345FE25
 