WiredWX Christian Hobby Weather Tools
Network lag and sporadic windowless ads.
Firstly I'd like to thank you for offering this service.

Today ends my 6 years of virus free computing.

Earlier today I ran an .exe I thought had been properly checked, it must not have been.

The symptoms are as follows.

IE trying to set itself as default, IE opening pages without request. (I never use IE.)

Random audio ads seemingly without source, they are choppy, looped and seem to degrade after multiple plays, they are not constant, or even frequent.

Network lag, I have been getting constant DCs when attempting to play games online using XBOX live, which is extremely odd. (However, I have not tested the network or modem in any way.)

Malwarebytes found 3 files in a full scan and deleted them, this did not rectify the issues.

OTL http://pastebin.com/HHm9N42Z

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-24 22:25:15
-----------------------------
22:25:15.825 OS Version: Windows 6.1.7600
22:25:15.825 Number of processors: 4 586 0x1C0A
22:25:15.825 ComputerName: LEECHER UserName: coxc
22:25:20.427 Initialize success
22:26:01.050 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:26:01.050 Disk 0 Vendor: Hitachi_ ESBO Size: 238475MB BusType: 3
22:26:01.081 Disk 0 MBR read successfully
22:26:01.081 Disk 0 MBR scan
22:26:01.097 Disk 0 unknown MBR code
22:26:01.128 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS 102400 MB offset 2048
22:26:01.159 Disk 0 Partition 2 00 1B Hidd FAT32 MSDOS5.0 15360 MB offset 209717248
22:26:01.190 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 120698 MB offset 241174528
22:26:01.237 Disk 0 Partition 4 00 EF EFI FAT 16 MB offset 488364032
22:26:01.253 Disk 0 scanning sectors +488396800
22:26:01.331 Disk 0 scanning C:\windows\system32\drivers
22:26:01.346 Service scanning
22:26:46.883 Modules scanning
22:26:49.894 Disk 0 trace - called modules:
22:26:49.956 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
22:26:49.972 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86865560]
22:26:50.003 3 CLASSPNP.SYS[889a159e] -> nt!IofCallDriver -> [0x84d5e888]
22:26:50.018 5 ACPI.sys[882a33b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84d33028]
22:26:50.050 Scan finished successfully
22:27:14.292 Disk 0 MBR has been saved successfully to "C:\Users\coxc\Desktop\MBR.dat"
22:27:14.323 The log file has been saved successfully to "C:\Users\coxc\Desktop\aswMBR.txt"


Results of screen317's Security Check version 0.99.32
Windows 7 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Trend Micro Titanium
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java(TM) 6 Update 30
Java version out of date!
Adobe Flash Player 11.2.202.160
Adobe Reader X (10.1.1)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````



When I booted up today, it took an unusual amount of time, provided no accounts screen and gave an error along the lines of 'windows could not connect to account services'. fml

Attempting to view the control panel results in 'the server process could not be started because the configured identity is incorrect, check username and password.'
Same result trying to access anything through the start menu besides

M/SM player2 crashes when asking it to choose files.


Last edited by impwis on 24th March 2012, 11:15 pm; edited 6 times in total (Reason for editing : post too long)

Re: Network lag and sporadic windowless ads.
mplayer crash log

C:/Program Files/SMPlayer/mplayer/mplayer.exe -noquiet -nofs -nomouseinput -vc coreserve, -sub-fuzziness 1 -identify -slave -vo gl:yuv=2:force-pbo -ao dsound -nokeepaspect -priority high -framedrop -nodr -nodouble -wid 66322 -monitorpixelaspect 1 -ass -embeddedfonts -ass-line-spacing 0 -ass-font-scale 1 -ass-styles C:/Users/coxc/.smplayer/styles.ass -fontconfig -font Arial -subfont-autoscale 0 -subfont-osd-scale 20 -subfont-text-scale 20 -subcp ISO-8859-1 -vid 0 -aid 0 -subpos 100 -volume 100 -nocache -ss 43 -osdlevel 0 -idx -vf-add screenshot -noslices -channels 2 -af volnorm=1,scaletempo,equalizer=0:0:0:0:0:0:0:0:0:0 -softvol -softvol-max 110 D:/(G_P) Now and Then, Here and There (R2J)/(G_P)_Now_and_Then_Here_and_There_(R2J)_04_[9166EA34].mkv


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.23.05

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
coxc :: LEECHER [administrator]

Protection: Enabled

3/25/2012 10:09:57 AM
mbam-log-2012-03-25 (10-09-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181033
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Re: Network lag and sporadic windowless ads.

Please run all these programs..


Download the TDSSKiller.exe and extract to your Desktop.


Execute TDSSKiller.exe by double-clicking on it. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.


Attach that log here please.



================================

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.


  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:

[image: NSIS_disclaimer_ENG]


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:


[image: NSIS_extraction]


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.


[image: RcAuto1]


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[image: Whatnext]


Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.







Re: Network lag and sporadic windowless ads.
Can't install, getting 'the server process could not be started because the configured identity is incorrect'. I'll try and reboot, see if I can actually log in.

Thanks for the prompt reply.


Re: Network lag and sporadic windowless ads.
Reboot worked, guess that wasn't the virus/rootkit.

Will add requested logs here.

10:44:33.0273 0336 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
10:44:34.0802 0336 ============================================================
10:44:34.0802 0336 Current date / time: 2012/03/25 10:44:34.0802
10:44:34.0802 0336 SystemInfo:
10:44:34.0802 0336
10:44:34.0802 0336 OS Version: 6.1.7600 ServicePack: 0.0
10:44:34.0802 0336 Product type: Workstation
10:44:34.0802 0336 ComputerName: LEECHER
10:44:34.0802 0336 UserName: coxc
10:44:34.0802 0336 Windows directory: C:\windows
10:44:34.0802 0336 System windows directory: C:\windows
10:44:34.0802 0336 Processor architecture: Intel x86
10:44:34.0802 0336 Number of processors: 4
10:44:34.0802 0336 Page size: 0x1000
10:44:34.0802 0336 Boot type: Normal boot
10:44:34.0802 0336 ============================================================
10:44:36.0971 0336 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:44:36.0971 0336 \Device\Harddisk0\DR0:
10:44:36.0986 0336 MBR used
10:44:36.0986 0336 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xC800000
10:44:36.0986 0336 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xE600800, BlocksNum 0xEBBD000
10:44:37.0095 0336 Initialize success
10:44:37.0095 0336 ============================================================
10:45:08.0576 3364 ============================================================
10:45:08.0576 3364 Scan started
10:45:08.0576 3364 Mode: Manual;
10:45:08.0576 3364 ============================================================
10:45:20.0495 3364 MBR (0x1B8) (fb2bd68d9599e4ff39931d2977fab819) \Device\Harddisk0\DR0
10:45:21.0680 3364 \Device\Harddisk0\DR0 - ok
10:45:21.0696 3364 Boot (0x1200) (7d6c9c9155d56d4c7dd8d18009a32406) \Device\Harddisk0\DR0\Partition0
10:45:21.0696 3364 \Device\Harddisk0\DR0\Partition0 - ok
10:45:21.0727 3364 Boot (0x1200) (7d307cf5c95a28519701a9311058963a) \Device\Harddisk0\DR0\Partition1
10:45:21.0758 3364 \Device\Harddisk0\DR0\Partition1 - ok
10:45:21.0758 3364 ============================================================
10:45:21.0758 3364 Scan finished
10:45:21.0758 3364 ============================================================
10:45:21.0789 3208 Detected object count: 0
10:45:21.0789 3208 Actual detected object count: 0

ComboFix 12-03-22.01 - coxc 03/25/2012 11:39:52.1.4 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.2038.1283 [GMT 11:00]
Running from: c:\users\coxc\Desktop\PCforumhelp.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\$NtUninstallKB14816$
c:\windows\$NtUninstallKB14816$\382807857\@
c:\windows\$NtUninstallKB14816$\382807857\cfg.ini
c:\windows\$NtUninstallKB14816$\382807857\Desktop.ini
c:\windows\$NtUninstallKB14816$\382807857\L\xadqgnnk
c:\windows\$NtUninstallKB14816$\382807857\oemid
c:\windows\$NtUninstallKB14816$\382807857\U\00000001.@
c:\windows\$NtUninstallKB14816$\382807857\U\00000002.@
c:\windows\$NtUninstallKB14816$\382807857\U\00000004.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000000.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000004.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000032.@
c:\windows\$NtUninstallKB14816$\382807857\version
c:\windows\$NtUninstallKB14816$\4159976919
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 00:53 . 2012-03-25 00:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 00:53 . 2012-03-25 00:53 -------- d-----w- c:\users\coxc\AppData\Local\temp
2012-03-24 23:16 . 2012-03-24 23:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\vlc
2012-03-24 23:04 . 2012-03-24 23:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2012-03-24 22:54 . 2012-03-24 22:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2012-03-24 12:59 . 2012-03-24 01:36 84992 ----a-w- c:\windows\system32\268W38xW.com
2012-03-24 09:32 . 2012-03-24 09:32 -------- d--h--w- c:\windows\PIF
2012-03-24 01:07 . 2012-03-24 23:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-23 11:13 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BEEEEBD-DC9A-4B8D-9635-C6E7D7577799}\mpengine.dll
2012-03-23 02:14 . 2012-03-23 02:14 -------- d-----w- c:\users\coxc\AppData\Roaming\rockbox.org
2012-03-21 04:54 . 2012-03-21 04:54 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 04:54 . 2012-03-21 04:54 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 22:36 . 2012-03-15 22:36 -------- d-----w- c:\users\coxc\AppData\Roaming\Stellarium
2012-03-15 21:56 . 2012-03-15 22:39 -------- d-----w- c:\program files\Stellarium
2012-03-15 21:05 . 2012-03-15 21:05 -------- d-----w- c:\program files\QTTabBar
2012-03-15 20:56 . 2012-03-15 20:56 -------- d-----w- c:\program files\qBittorrent
2012-03-14 16:00 . 2011-11-19 14:25 3957616 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-14 16:00 . 2011-11-19 14:25 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 08:25 . 2012-02-03 04:01 2341376 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 08:25 . 2012-02-10 05:41 1074176 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 08:25 . 2012-02-10 05:41 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 08:25 . 2012-02-10 05:41 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 08:25 . 2012-02-10 05:41 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 08:25 . 2012-02-10 05:41 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 08:20 . 2012-02-15 05:44 826368 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 08:20 . 2012-02-15 04:22 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 08:20 . 2012-02-15 04:22 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-14 08:20 . 2012-01-25 05:44 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 08:20 . 2012-01-25 05:44 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 08:20 . 2012-01-25 05:40 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-08 11:06 . 2012-03-25 00:02 -------- d-----w- C:\Detective Conan
2012-03-08 10:17 . 2012-03-08 10:32 -------- d-----w- C:\Ano Hi Mita Hana no Namae o Bokutachi wa Mada Shiranai. [FroZen]
2012-03-07 12:35 . 2012-03-07 12:35 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-03-07 12:35 . 2012-03-07 12:35 -------- d-----w- c:\program files\Nightly
2012-03-04 04:37 . 2012-03-04 04:37 -------- d-----w- c:\users\coxc\AppData\Local\fontconfig
2012-03-04 04:24 . 2012-03-04 04:37 -------- d-----w- c:\users\coxc\AppData\Local\SMPlayer2
2012-02-28 00:06 . 2012-02-28 00:11 -------- d-----w- c:\programdata\ReaConverter
2012-02-28 00:06 . 2012-02-28 00:06 -------- d-----w- c:\users\coxc\AppData\Roaming\RCP 6
2012-02-28 00:06 . 2012-02-28 00:06 -------- d-----w- c:\program files\ReaConverter 6.7 Standard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 22:18 . 2012-02-16 05:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 09:00 . 2012-02-17 09:00 71680 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2012-01-08 01:38 . 2012-01-08 01:30 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-01-08 01:38 . 2012-01-08 01:30 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-01-08 01:38 . 2012-01-08 01:30 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-01-07 06:46 . 2012-01-07 06:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-04 09:03 . 2012-02-14 20:54 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-03 05:44 . 2012-02-14 20:54 478208 ----a-w- c:\windows\system32\timedate.cpl
2012-03-21 04:54 . 2012-01-06 06:06 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"TrueCrypt"="c:\program files\truecrypt\TrueCrypt.exe" [2011-12-17 1517520]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-03-07 399224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-04-13 548744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-09-05 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-10 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-10 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-24 9722472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\coxc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2012-1-7 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsHook]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
2010-06-10 21:12 414384 ----a-w- c:\program files\Asus\Eee Docking\Eee Docking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2011-11-05 01:17 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyMon]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyService]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Hardware Control]
2010-12-27 10:43 914432 ----a-w- c:\users\coxc\Documents\NotebookHardwareControl_2.4.3_32bit\Notebook Hardware Control 2.4.3\nhc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperHybridEngine]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-24 253600]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-03-24 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-03-06 112584]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-22 81704]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-03-31 11520]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-09-04 64952]
S2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-09-30 508776]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [2011-01-12 91464]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-05-21 293928]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-05-21 33320]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-13 109960]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-09-27 68208]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-09-30 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-09-30 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-09-30 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-09-30 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-09-30 219496]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmconnectcds
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 21:55]
.
2012-03-24 c:\windows\Tasks\At1.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At10.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At11.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At12.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At13.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At14.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At15.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At16.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At17.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At18.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At19.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At2.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At20.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At21.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At22.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At23.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At24.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At25.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At26.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At27.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At28.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At29.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At3.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At30.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At31.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At32.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At33.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At34.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At35.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At36.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At37.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At38.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At39.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At4.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At40.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At41.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At42.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At43.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At44.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At45.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At46.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At47.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At48.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At5.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At6.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At7.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At8.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At9.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14200
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\coxc\AppData\Roaming\Mozilla\Firefox\Profiles\ko6rcm0p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-Locked - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ASUSWebStorage - c:\program files\ASUS\ASUS WebStorage\3.0.58.109\AsusWSPanel.exe
MSConfigStartUp-Google Update - c:\users\coxc\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-SSDMonitor - c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
MSConfigStartUp-VizorHtmlDialog - c:\program files\Trend Micro\Titanium\VizorHtmlDialog.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5420)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Elantech\ETDCtrlHelper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Live\Companion\companionuser.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2012-03-25 12:07:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-25 01:07
.
Pre-Run: 1,007,824,896 bytes free
Post-Run: 1,367,334,912 bytes free
.
- - End Of File - - 9D0A89871E455C19518F71D337E3FA07
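
The log above carries the usual ZeroAccess footprint: 48 At*.job entries under c:\windows\Tasks that alternate between the same oddly named 268W38xW.com and 268W38xW.com_ in system32, that file running twice under its 8.3 short name (268W38~1.COM) next to three iexplore.exe instances, UAC switched off outright (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0, so any .exe the account launched got a full administrator token without a prompt), and, in the Other Deletions section of the log posted again in the reply, the $NtUninstallKB14816$\...\@, U\ and L\ tree that Windows 7 servicing never creates. The Python below is an added triage helper written for this page; it is not the poster's code and not part of ComboFix. It pulls those four indicators out of a ComboFix-style text log. SAMPLE_LOG is a constructed excerpt that mirrors the posted lines (not the full log), and every regex and heuristic in it is this example's own assumption, not anything ComboFix documents.

```python
"""Added triage helper for ComboFix-style logs (example code for this page,
not ComboFix's own and not the poster's).  It pulls out four indicators that
the posted log shows: At*.job tasks pointing at the same odd system32 binary,
that binary running under its 8.3 short name, UAC switched off, and the
$NtUninstallKB*$ @ / U / L tree.  All regexes and thresholds are this
example's own heuristics."""
import re
import sys
from collections import Counter

# Constructed excerpt that mirrors lines from the posted log (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 21:55]
.
2012-03-24 c:\windows\Tasks\At1.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At2.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At3.job
- c:\windows\system32\268W38xW.com [2012-03-24 01:36]
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
.
c:\windows\$NtUninstallKB14816$\382807857\@
c:\windows\$NtUninstallKB14816$\382807857\L\xadqgnnk
c:\windows\$NtUninstallKB14816$\382807857\U\00000001.@
"""

# "<date> c:\windows\Tasks\<name>.job" followed by "- <target> [<date> <time>]"
TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} c:\\windows\\tasks\\([^\\]+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
AT_JOB = re.compile(r"^At\d+\.job$", re.I)
# eight-character alphanumeric name directly in system32 with a .com or .com_ suffix
ODD_BINARY = re.compile(r"^c:\\windows\\system32\\[a-z0-9]{8}\.com_?$", re.I)
# a process listed by its 8.3 short name, e.g. 268W38~1.COM
SHORT_NAME = re.compile(r"^c:\\.*~\d+\.[a-z0-9]+$", re.I)
# $NtUninstallKB<n>$\<n>\@, \U\<8 hex>.@ or \L\<name>: the ZeroAccess layout
ZA_TREE = re.compile(
    r"^c:\\windows\\\$NtUninstallKB\d+\$\\\d+\\(@|U\\[0-9a-f]{8}\.@|L\\\w+)$", re.I)


def parse_scheduled_tasks(log):
    """Return [(job_name, target_path)] pairs from the Scheduled Tasks section."""
    tasks, pending = [], None
    for line in log.splitlines():
        header = TASK_HEADER.match(line)
        if header:
            pending = header.group(1)
            continue
        target = TASK_TARGET.match(line)
        if target and pending:
            tasks.append((pending, target.group(1)))
            pending = None
    return tasks


def at_job_targets(tasks):
    """Count how many At*.job tasks (the kind at.exe creates) point at each target."""
    return Counter(target.lower() for job, target in tasks if AT_JOB.match(job))


def uac_disabled(log):
    """True when the policies\\system block reports EnableLUA = 0 (UAC off)."""
    m = re.search(r'^"EnableLUA"=\s*(\d+)', log, re.M)
    return m is not None and int(m.group(1)) == 0


def short_name_processes(log):
    """Running images that the log lists by 8.3 short name, with counts."""
    return Counter(l for l in log.splitlines() if SHORT_NAME.match(l))


def zeroaccess_paths(log):
    """Paths matching the $NtUninstallKB*$ @ / U / L layout."""
    return [l for l in log.splitlines() if ZA_TREE.match(l)]


def triage(log):
    """Summarise the four indicators for one log."""
    targets = at_job_targets(parse_scheduled_tasks(log))
    return {
        "uac_disabled": uac_disabled(log),
        "at_job_targets": dict(targets),
        "odd_at_targets": sorted(t for t in targets if ODD_BINARY.match(t)),
        "short_name_processes": dict(short_name_processes(log)),
        "zeroaccess_paths": zeroaccess_paths(log),
    }


if __name__ == "__main__":
    # usage: python triage.py ComboFix.txt   (falls back to the built-in excerpt)
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it against the saved ComboFix.txt and the full log above yields two At-job targets shared by 48 jobs, the same binary twice by short name, UAC off, and the whole $NtUninstallKB14816$ tree. The odd-binary pattern is deliberately narrow (eight alphanumerics plus .com or .com_ straight in system32); widen it only after checking what legitimate software on the machine drops there, because a loose pattern will flag OEM tools such as the AsusSender.exe entries that are also in this log.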

Re: Network lag and sporadic windowless ads.
Did you also want the log Combo opens after completion?

Seems it was rootkit.zero.access in the TCP/IP stack, funny name for something that gave me a large amount of access.

Here it is anyway.

ComboFix 12-03-22.01 - coxc 03/25/2012 11:39:52.1.4 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.2038.1283 [GMT 11:00]
Running from: c:\users\coxc\Desktop\PCforumhelp.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\$NtUninstallKB14816$
c:\windows\$NtUninstallKB14816$\382807857\@
c:\windows\$NtUninstallKB14816$\382807857\cfg.ini
c:\windows\$NtUninstallKB14816$\382807857\Desktop.ini
c:\windows\$NtUninstallKB14816$\382807857\L\xadqgnnk
c:\windows\$NtUninstallKB14816$\382807857\oemid
c:\windows\$NtUninstallKB14816$\382807857\U\00000001.@
c:\windows\$NtUninstallKB14816$\382807857\U\00000002.@
c:\windows\$NtUninstallKB14816$\382807857\U\00000004.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000000.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000004.@
c:\windows\$NtUninstallKB14816$\382807857\U\80000032.@
c:\windows\$NtUninstallKB14816$\382807857\version
c:\windows\$NtUninstallKB14816$\4159976919
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 00:53 . 2012-03-25 00:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 00:53 . 2012-03-25 00:53 -------- d-----w- c:\users\coxc\AppData\Local\temp
2012-03-24 23:16 . 2012-03-24 23:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\vlc
2012-03-24 23:04 . 2012-03-24 23:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2012-03-24 22:54 . 2012-03-24 22:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2012-03-24 12:59 . 2012-03-24 01:36 84992 ----a-w- c:\windows\system32\268W38xW.com
2012-03-24 09:32 . 2012-03-24 09:32 -------- d--h--w- c:\windows\PIF
2012-03-24 01:07 . 2012-03-24 23:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-23 11:13 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BEEEEBD-DC9A-4B8D-9635-C6E7D7577799}\mpengine.dll
MSConfigStartUp-SSDMonitor - c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
MSConfigStartUp-VizorHtmlDialog - c:\program files\Trend Micro\Titanium\VizorHtmlDialog.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5420)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Elantech\ETDCtrlHelper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Live\Companion\companionuser.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\268W38~1.COM
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2012-03-25 12:07:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-25 01:07
.
Pre-Run: 1,007,824,896 bytes free
Post-Run: 1,367,334,912 bytes free
.
- - End Of File - - 9D0A89871E455C19518F71D337E3FA07

Re: Network lag and sporadic windowless ads.


========================================

WARNING these fixes are designed for this user only and may cause damage if run on any other machine.




Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:





File::
c:\windows\Tasks\*.job
c:\windows\system32\268W38xW.com





Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


[image: CFScript]

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your next reply.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*



............................................................................................

Re: Network lag and sporadic windowless ads.
ComboFix 12-03-22.01 - coxc 03/25/2012 13:28:27.2.4 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.2038.943 [GMT 11:00]
Running from: c:\users\coxc\Desktop\PCforumhelp.exe
Command switches used :: c:\users\coxc\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\268W38xW.com"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 02:41 . 2012-03-25 02:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-03-25 02:41 . 2012-03-25 02:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 01:59 . 2012-03-24 01:36 84992 ----a-w- c:\windows\system32\268W38xW.com
2012-03-25 01:07 . 2012-03-25 01:07 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BEEEEBD-DC9A-4B8D-9635-C6E7D7577799}\offreg.dll
2012-03-25 00:53 . 2012-03-25 02:41 -------- d-----w- c:\users\coxc\AppData\Local\temp
2012-03-24 23:53 . 2012-03-25 01:08 -------- d-----w- C:\PCforumhelp
2012-03-24 23:16 . 2012-03-24 23:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\vlc
2012-03-24 23:04 . 2012-03-24 23:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2012-03-24 22:54 . 2012-03-24 22:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2012-03-24 09:32 . 2012-03-24 09:32 -------- d--h--w- c:\windows\PIF
2012-03-24 01:07 . 2012-03-24 23:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-23 11:13 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4BEEEEBD-DC9A-4B8D-9635-C6E7D7577799}\mpengine.dll
2012-03-23 02:14 . 2012-03-23 02:14 -------- d-----w- c:\users\coxc\AppData\Roaming\rockbox.org
2012-03-21 04:54 . 2012-03-21 04:54 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 04:54 . 2012-03-21 04:54 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 22:36 . 2012-03-15 22:36 -------- d-----w- c:\users\coxc\AppData\Roaming\Stellarium
2012-03-15 21:56 . 2012-03-15 22:39 -------- d-----w- c:\program files\Stellarium
2012-03-15 21:05 . 2012-03-15 21:05 -------- d-----w- c:\program files\QTTabBar
2012-03-15 20:56 . 2012-03-15 20:56 -------- d-----w- c:\program files\qBittorrent
2012-03-14 16:00 . 2011-11-19 14:25 3957616 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-14 16:00 . 2011-11-19 14:25 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 08:25 . 2012-02-03 04:01 2341376 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 08:25 . 2012-02-10 05:41 1074176 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 08:25 . 2012-02-10 05:41 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 08:25 . 2012-02-10 05:41 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 08:25 . 2012-02-10 05:41 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 08:25 . 2012-02-10 05:41 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 08:20 . 2012-02-15 05:44 826368 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 08:20 . 2012-02-15 04:22 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 08:20 . 2012-02-15 04:22 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-14 08:20 . 2012-01-25 05:44 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 08:20 . 2012-01-25 05:44 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 08:20 . 2012-01-25 05:40 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-08 11:06 . 2012-03-25 00:02 -------- d-----w- C:\Detective Conan
2012-03-08 10:17 . 2012-03-08 10:32 -------- d-----w- C:\Ano Hi Mita Hana no Namae o Bokutachi wa Mada Shiranai. [FroZen]
2012-03-07 12:35 . 2012-03-07 12:35 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-03-07 12:35 . 2012-03-07 12:35 -------- d-----w- c:\program files\Nightly
2012-03-04 04:37 . 2012-03-04 04:37 -------- d-----w- c:\users\coxc\AppData\Local\fontconfig
2012-03-04 04:24 . 2012-03-04 04:37 -------- d-----w- c:\users\coxc\AppData\Local\SMPlayer2
2012-02-28 00:06 . 2012-02-28 00:11 -------- d-----w- c:\programdata\ReaConverter
2012-02-28 00:06 . 2012-02-28 00:06 -------- d-----w- c:\users\coxc\AppData\Roaming\RCP 6
2012-02-28 00:06 . 2012-02-28 00:06 -------- d-----w- c:\program files\ReaConverter 6.7 Standard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 22:18 . 2012-02-16 05:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 09:00 . 2012-02-17 09:00 71680 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2012-01-08 01:38 . 2012-01-08 01:30 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-01-08 01:38 . 2012-01-08 01:30 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-01-08 01:38 . 2012-01-08 01:30 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-01-07 06:46 . 2012-01-07 06:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-04 09:03 . 2012-02-14 20:54 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-03 05:44 . 2012-02-14 20:54 478208 ----a-w- c:\windows\system32\timedate.cpl
2012-03-21 04:54 . 2012-01-06 06:06 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"TrueCrypt"="c:\program files\truecrypt\TrueCrypt.exe" [2011-12-17 1517520]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-03-07 399224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-04-13 548744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-09-05 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-10 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-10 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-24 9722472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\coxc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2012-1-7 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsHook]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
2010-06-10 21:12 414384 ----a-w- c:\program files\Asus\Eee Docking\Eee Docking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2011-11-05 01:17 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyMon]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyService]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Hardware Control]
2010-12-27 10:43 914432 ----a-w- c:\users\coxc\Documents\NotebookHardwareControl_2.4.3_32bit\Notebook Hardware Control 2.4.3\nhc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperHybridEngine]
2010-11-22 19:12 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-24 253600]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-03-24 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-03-06 112584]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-22 81704]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-03-31 11520]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-09-04 64952]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-09-30 508776]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [2011-01-12 91464]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-05-21 293928]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-05-21 33320]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-13 109960]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-09-27 68208]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-09-30 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-09-30 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-09-30 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-09-30 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-09-30 219496]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmconnectcds
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 21:55]
.
2012-03-24 c:\windows\Tasks\At1.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At10.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At11.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At12.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At13.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At14.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At15.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At16.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At17.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At18.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At19.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At2.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At20.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At21.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-25 c:\windows\Tasks\At22.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At23.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-25 c:\windows\Tasks\At24.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-25 c:\windows\Tasks\At25.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-25 c:\windows\Tasks\At26.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At27.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At28.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At29.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At3.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At30.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At31.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At32.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At33.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At34.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At35.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At36.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At37.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At38.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At39.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At4.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At40.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At41.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At42.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At43.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At44.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At45.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At46.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At47.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At48.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At5.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At6.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At7.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At8.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At9.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14200
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\coxc\AppData\Roaming\Mozilla\Firefox\Profiles\ko6rcm0p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-25 13:46:56
ComboFix-quarantined-files.txt 2012-03-25 02:46
ComboFix2.txt 2012-03-25 01:07
.
Pre-Run: 1,428,705,280 bytes free
Post-Run: 1,401,163,776 bytes free
.
- - End Of File - - 1ADF594C587824B16C3D917E21F09906


If we're all done, could I get a recommendation for a small AV to drop downloads into for scanning.

Re: Network lag and sporadic windowless ads.
If we're all done could I get a recommendation for a small AV to drop downloads into for scanning


Try the free Kaspersky. http://www.scanwith.com/download/Kaspersky_Anti-Virus.htm

or AVG http://www.scanwith.com/download/AVG_Free_Edition.htm

............................................................................................

Re: Network lag and sporadic windowless ads.
Pancake wrote:
If we're all done could I get a recommendation for a small AV to drop downloads into for scanning


Try the free Kaspersky. http://www.scanwith.com/download/Kaspersky_Anti-Virus.htm

or AVG http://www.scanwith.com/download/AVG_Free_Edition.htm



So that's all done, and there are no more active remnants of the rootkit on my system?

Thanks very much for the help

Re: Network lag and sporadic windowless ads.
Any idea what this is? c:\windows\system32\268W38xW.com

............................................................................................

Re: Network lag and sporadic windowless ads.
None at all. Google reports one instance of the phrase on a French AV site, but I am unable to actually locate said phrase on the site.

Surely .com files don't belong in sys32?

Anyway, I'm sure one of your compatriots here will know what it is, and what it does ;)
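The pattern in the ComboFix logs posted above (At1.job through At48.job, all created within the same minute, all pointing at one randomly named .com file in system32, half of them at a trailing-underscore twin) is exactly what a triage script can pick out of a log before anyone has to ask what the file is. The following is an added example written for this thread; it is not ComboFix's own tooling and not code from any poster. It assumes only the two-line task layout ComboFix prints (a dated job line followed by a "- target [stamp]" line), and the excerpt it parses is a constructed, abridged copy of the entries shown in the thread with the Flash updater task kept as a benign control.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log for mass At*.job
persistence.

Added example for this thread, not part of ComboFix or of any post above.
It reads the two-line task entries ComboFix prints (job line, then a
"- <target> [stamp]" line) and flags what the logs in this thread show:
dozens of At<N>.job tasks all pointing at one randomly named .com file
dropped straight into system32, with a trailing-underscore twin.
"""
import re
from collections import defaultdict

# Constructed excerpt in the layout ComboFix uses. The At*.job entries copy the
# ones posted in the thread (abridged); the Flash updater task is a benign control.
SAMPLE_LOG = r"""Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 21:55]
.
2012-03-24 c:\windows\Tasks\At1.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
2012-03-24 c:\windows\Tasks\At10.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At2.job
- c:\windows\system32\268W38xW.com_ [2012-03-24 01:36]
.
2012-03-24 c:\windows\Tasks\At3.job
- c:\windows\system32\268W38xW.com [2012-03-25 01:36]
.
.
------- Supplementary Scan -------
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")
AT_JOB_RE = re.compile(r"^At(?P<n>\d+)\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return one dict per task (job file name, target path, target stamp)
    found between the section header and the next '-------' divider."""
    lines = log_text.splitlines()
    tasks, in_section = [], False
    for i, line in enumerate(lines):
        if line.startswith(SECTION_START):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):
            break
        job = JOB_RE.match(line)
        if job and i + 1 < len(lines):
            tgt = TARGET_RE.match(lines[i + 1])
            if tgt:
                tasks.append({
                    "job": job.group("path").rsplit("\\", 1)[-1],
                    "target": tgt.group("target"),
                    "stamp": tgt.group("stamp"),
                })
    return tasks


def normalise(target):
    """Lower-case the path and fold the trailing-underscore twin onto its base
    name, so both spellings of the dropped file land in one group."""
    return target.lower().rstrip("_")


def find_suspicious(tasks, min_at_jobs=3):
    """Group tasks by target and report those showing at.exe mass persistence:
    several At<N>.job tasks on one target, a .com placed directly in system32,
    or a trailing-underscore variant of the same file."""
    by_target = defaultdict(list)
    for t in tasks:
        by_target[normalise(t["target"])].append(t)

    findings = []
    for target, group in by_target.items():
        at_jobs = [t["job"] for t in group if AT_JOB_RE.match(t["job"])]
        reasons = []
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} At*.job tasks point at this file")
        if re.search(r"\\system32\\[^\\]+\.com$", target):
            reasons.append(".com executable placed directly in system32")
        if any(t["target"].endswith("_") for t in group):
            reasons.append("trailing-underscore twin of the same file")
        if reasons:
            at_jobs.sort(key=lambda j: int(AT_JOB_RE.match(j).group("n")))
            findings.append({"target": target, "jobs": at_jobs, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_tasks(SAMPLE_LOG)):
        print(f["target"])
        for r in f["reasons"]:
            print("  -", r)
        print("  jobs:", ", ".join(f["jobs"]))
```

Run against a full ComboFix.txt the same function reports the one target the 48 At*.job entries share, with the job list sorted numerically; a legitimate updater task with a single job and a normal .exe target produces no finding. The threshold of three At jobs is a constructed default, not something ComboFix defines.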

Re: Network lag and sporadic windowless ads.
Oh dear, I swear I just heard a 2-second blip of a windowless ad.

Yep, still have the ads. Did the logs suggest nothing was left?

Does the rootkit Zero.Access! even cause audio ads? I see no cause for them, or reason. And the fact that they don't play the whole way through/degrade after multiple plays is strange.


EDIT: I don't think ZeroAccess causes the problems I'm having; were any other threats found in the logs?

The .com file is an MS-DOS file with FULL permissions.

Should I just go ahead and delete that using MWB's FileAssassin, or same? Or would this possibly make the problem worse?
I VERY much doubt it's a legit file.


Re: Network lag and sporadic windowless ads.
We need to remove this file...



  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Code:


    Files to delete:
    c:\windows\system32\268W38xW.com
    Folders to delete:
    c:\windows\system32\268W38xW.com
    c:\windows\Tasks




  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a shutdown. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.










............................................................................................

Re: Network lag and sporadic windowless ads.
Did you actually want a HijackThis log, or was that left there from some other user? Eh, I'll just do one anyway; can't hurt.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\268W38xW.com" deleted successfully.

Error: folder "c:\windows\system32\268W38xW.com" not found!
Deletion of folder "c:\windows\system32\268W38xW.com" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\windows\Tasks" deleted successfully.

Completed script processing.

Re: Network lag and sporadic windowless ads.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:45:55 PM, on 3/25/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16930)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\wininit.exe
C:\windows\system32\csrss.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\lsm.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\AsusService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe
C:\ExpressGateUtil\VAWinService.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\msiexec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=14200
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: QTTabBar AutoLoader - {d2bf470e-ed1c-487f-a777-2bd8835eb6ce} - mscoree.dll (file missing)
O2 - BHO: Windows 7 Starter Helper - {D381FF29-7CFB-4D4E-B92A-C4EDDC696614} - C:\Program Files\Oceanis\SystemSetting\StarterHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: QTTabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QTTab Standard Buttons - {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TrueCrypt] "C:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\Windows\System32\AsusService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: VideAceWindowsService - Unknown owner - C:\ExpressGateUtil\VAWinService.exe

--
End of file - 8573 bytes
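A helper reads a HijackThis log like the one above by eye, looking for the same handful of signals every time: an IE start or search page pointed at a third-party host, autostart or service entries whose target file is missing, services with no publisher, binaries living in data or temp directories, and random-looking file names. The script below is an added example (Python, not part of this thread and not HijackThis code) that applies those checks to O2/O4/O23/R0 lines. The sample entries are copied from the log above except for the O4 line for J8066d7H.exe, which is constructed to model a dropper persisting from C:\ProgramData; the trusted-host list and the "random name" rule are heuristic assumptions, so the output is a list of candidates for review, not verdicts.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entries copied from the HijackThis log in this thread, plus one CONSTRUCTED
# O4 line (the J8066d7H autostart) that the real log does not contain.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=14200
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: QTTabBar AutoLoader - {d2bf470e-ed1c-487f-a777-2bd8835eb6ce} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [J8066d7H] C:\ProgramData\J8066d7H.exe
O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\Windows\System32\AsusService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Assumption: hosts a clean IE start/search page is expected to point at.
TRUSTED_WEB_HOSTS = ("microsoft.com", "msn.com", "live.com")

# User-writable or transient locations that legitimate autostarts rarely use.
SUSPICIOUS_DIRS = re.compile(
    r"^[a-z]:\\(programdata|users\\all users|windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\",
    re.IGNORECASE,
)

# Heuristic: a file stem of 6+ alphanumerics mixing letters and digits (e.g. J8066d7H).
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,}$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def extract_path(line: str) -> str:
    """Pull the executable/DLL path out of an O2/O3/O4/O23 entry."""
    if "] " in line:                       # O4 - ...\Run: [Name] path [args]
        tail = line.split("] ", 1)[1]
    elif " = " in line:                    # O4 - Startup: foo.lnk = path
        tail = line.split(" = ", 1)[1]
    else:                                  # O2/O3/O23: ... - path
        tail = line.rsplit(" - ", 1)[1]
    tail = tail.replace(" (file missing)", "").strip()
    if tail.startswith('"'):               # quoted path, arguments follow the quote
        return tail[1:].split('"', 1)[0].strip()
    return tail.split(" /", 1)[0].split(" -", 1)[0].strip()


def check_browser_page(line: str) -> list:
    """R0/R1: flag start/search pages on hosts outside the trusted list."""
    url = line.split(" = ", 1)[1].strip() if " = " in line else ""
    if not url:
        return []
    host = urlparse(url).hostname or ""
    if not any(host == h or host.endswith("." + h) for h in TRUSTED_WEB_HOSTS):
        return [f"start/search page points at third-party host {host}"]
    return []


def check_binary(line: str) -> list:
    """O2/O3/O4/O23: orphaned targets, unknown publishers, odd locations and names."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("orphaned entry: target file missing")
    if "Unknown owner" in line:
        reasons.append("service binary has no publisher/company name")
    path = extract_path(line)
    if SUSPICIOUS_DIRS.search(path):
        reasons.append("runs from a data or temp directory")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_STEM.match(stem):
        reasons.append(f"random-looking file name {stem!r}")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            reasons = check_browser_page(line)
        elif section in ("O2", "O3", "O4", "O23"):
            reasons = check_binary(line)
        else:
            continue
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
```

Running it over the sample flags the ask.com start page, the QTTabBar BHO whose DLL is missing, the constructed ProgramData autostart (two reasons), and the two "Unknown owner" services, while the Adobe, uTorrent and Malwarebytes entries pass. The Asus service is a good reminder that "Unknown owner" only means the binary carries no company name; it still has to be checked against the machine's OEM software before anything is removed.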

Re: Network lag and sporadic windowless ads.

OK. Let's see if that improves things....

............................................................................................

Re: Network lag and sporadic windowless ads.

All I can do in that regard is wait to see if I still get the ads.

I'm fairly sure it's right now though, thanks a mil, man.

I'll go ahead and remove all this (hopefully) useless software.

Once again I'd like to thank you and GP for the prompt and free service.

Re: Network lag and sporadic windowless ads.

The ads are still here; it seems to be loading about 10 of each, like you would see accidentally opening multiple tabs.

Re: Network lag and sporadic windowless ads.

OK...

I'd like you to scan your machine with ESET OnlineScan: www.eset.com/onlinescan/

  • Scan your system with this Scanner.
  • Place a check mark in the box YES, I accept the Terms Of Use.
  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives.
  • Make sure that the option to "Remove Found Threats" is UN checked.
  • Push the "Start" button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List found threats.
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

............................................................................................

Re: Network lag and sporadic windowless ads.

ESET has been running for 2 hours and is at 30%.

Currently found 2x
Win32/Trojan.Clicker.Agent.NEB trojan

Would this cause the invisiads?

ESET 4 hrs, 33% (so damned slow).
In addition to the last 2, we have:

Win32/Adware ADON application
a variant of Win32/Adware.Mediafinder.C application

Last edited by impwis on 25th March 2012, 12:21 pm; edited 1 time in total

Re: Network lag and sporadic windowless ads.

I just noticed Iexplorer.exe is using a large amount of resources; unless the alternate-browser version of ESET is using IE (and multiple instances at that), this is obviously caused by the infection. Ending the process tree just results in 4 new processes being created straight away.

Re: Network lag and sporadic windowless ads.

ESET

C:\ProgramData\J8066d7H.exe Win32/TrojanClicker.Agent.NEB trojan
C:\Users\All Users\J8066d7H.exe Win32/TrojanClicker.Agent.NEB trojan
C:\Users\coxc\Downloads\Unlocker1.9.1.exe Win32/Adware.ADON application
C:\Users\coxc\Downloads\Windows_7_Home_Premium_OEM.rar.exe a variant of Win32/Adware.MediaFinder.C application
C:\Windows\System32\268W38xW.com_ Win32/TrojanClicker.Agent.NEB trojan

I would think Unlocker 1.9.1 is a false positive, as I believe I got it from FileHippo.
I don't think I've ever seen or run the Win7 file. 2.6 MB, with all but special permissions.


Re: Network lag and sporadic windowless ads.

You will need to remove those files.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Code:

    Files to delete:
    C:\ProgramData\J8066d7H.exe
    C:\Users\All Users\J8066d7H.exe
    C:\Users\coxc\Downloads\Windows_7_Home_Premium_OEM.rar.exe
    Folders to delete:
    C:\Windows\System32\268W38xW.com_

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a shutdown. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

............................................................................................

Re: Network lag and sporadic windowless ads.

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\ProgramData\J8066d7H.exe" deleted successfully.

Error: could not open file "C:\Users\All Users\J8066d7H.exe"
Deletion of file "C:\Users\All Users\J8066d7H.exe" failed!
Status: 0xc0000715

File "C:\Users\coxc\Downloads\Windows_7_Home_Premium_OEM.rar.exe" deleted successfully.

Error: "C:\Windows\System32\268W38xW.com_" is not a folder! It may instead be a file.
Deletion of folder "C:\Windows\System32\268W38xW.com_" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file


Completed script processing.

*******************

Finished! Terminate.
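Both failures in this log are script-construction problems that can be caught before the reboot rather than after it: 268W38xW.com_ is a file but was listed under Folders to delete:, and on Windows Vista and 7 C:\Users\All Users is a junction onto C:\ProgramData, so the two J8066d7H.exe entries name the same file and the second one has nothing left to open once the first is deleted. The helper below is an added example (Python, not code from this thread or from The Avenger) that resolves each requested path, collapses aliases, de-duplicates them and places each under the correct header. The fixture in demo() is constructed in a temporary directory, with a symlink standing in for the junction; the file and folder names are borrowed from the log above, and the Avenger script syntax is assumed to be exactly the two headers shown in the helper's post.

```python
import os
import tempfile


def classify_paths(paths):
    """Resolve, de-duplicate and classify paths for an Avenger-style script.

    Returns (files, folders, missing). Aliases such as the Vista/7
    'C:\\Users\\All Users' junction onto C:\\ProgramData collapse to one real
    path, so the same file is never scheduled for deletion twice.
    """
    files, folders, missing = [], [], []
    seen = set()
    for p in paths:
        real = os.path.realpath(p)          # follows junctions/symlinks
        if real in seen:
            continue
        seen.add(real)
        if os.path.isdir(real):
            folders.append(real)
        elif os.path.lexists(real):         # regular file (or dangling link)
            files.append(real)
        else:
            missing.append(p)               # report the path as requested
    return files, folders, missing


def build_script(paths):
    """Render the script text and also return the classification used."""
    files, folders, missing = classify_paths(paths)
    lines = []
    if files:
        lines.append("Files to delete:")
        lines.extend(files)
    if folders:
        lines.append("Folders to delete:")
        lines.extend(folders)
    return "\n".join(lines) + "\n", files, folders, missing


def demo():
    """Constructed fixture mirroring the thread: the dropper reachable by two
    paths, a file with a trailing underscore, a real folder and a path that
    no longer exists. Built in a temp dir; nothing on the host is touched."""
    with tempfile.TemporaryDirectory() as root:
        programdata = os.path.join(root, "ProgramData")
        os.mkdir(programdata)
        dropper = os.path.join(programdata, "J8066d7H.exe")
        open(dropper, "w").close()
        alias = os.path.join(root, "All Users")          # stands in for the junction
        os.symlink(programdata, alias, target_is_directory=True)
        sys32 = os.path.join(root, "System32")
        os.mkdir(sys32)
        com_ = os.path.join(sys32, "268W38xW.com_")      # a FILE, not a folder
        open(com_, "w").close()
        junk_dir = os.path.join(root, "junkdir")
        os.mkdir(junk_dir)
        requested = [
            dropper,
            os.path.join(alias, "J8066d7H.exe"),         # same file via alias
            com_,
            junk_dir,
            os.path.join(root, "gone.exe"),              # already removed
        ]
        script, files, folders, missing = build_script(requested)
        return {
            "script": script, "files": files, "folders": folders, "missing": missing,
            "dropper": os.path.realpath(dropper),
            "com_": os.path.realpath(com_),
            "junk_dir": os.path.realpath(junk_dir),
        }


if __name__ == "__main__":
    result = demo()
    print(result["script"])
    print("not found:", result["missing"])
```

The generated script lists J8066d7H.exe once and puts 268W38xW.com_ under Files to delete:, which is the correction the Avenger log itself suggests. Creating the symlink in demo() needs no privilege on Linux or macOS; on Windows it requires either administrator rights or Developer Mode.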

Re: Network lag and sporadic windowless ads.

C:\Users\All Users\J8066d7H.exe is gone, but wasn't deleted.

These 3 files were in All Users:

J8066d7H.exe.b J8066d7H.exe_.b o6konpI3k.dat

All very small, 1 KB, if that helps.

Re: Network lag and sporadic windowless ads.

Can you delete those manually?

............................................................................................

Re: Network lag and sporadic windowless ads.

Pancake wrote:
    Can you delete those manually?

Just didn't know if I should. Done.

Re: Network lag and sporadic windowless ads.

Is it safe for me to tell FileAssassin, or use Eraser, to delete

C:\Windows\System32\268W38xW.com

as your script missed that, or should I use Avenger with a reboot?

Re: Network lag and sporadic windowless ads.

Use Eraser or just do it manually.

............................................................................................

Re: Network lag and sporadic windowless ads.

OK, I did that.

Would you like any scans done while I'm at work? Leaving in an hour.

Re: Network lag and sporadic windowless ads.

OK. All done. I see no more malware. Log looks good! All that was detected is now either in quarantine or System Restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


You can now uninstall ComboFix:

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.



Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Afterwork

Malware Prevention

How Did I Get Infected

More Tips on Prevention

=============================



............................................................................................

Re: Network lag and sporadic windowless ads.

thanks Pancake, enjoy your week mate.
