Ok. I ran into a few issues attempting to do what was requested.
I first tried to install Avast, but each time it would crash my computer before it finished installing. I tried 3 times before I figured I was getting nowhere. I assumed my current issues were preventing it from installing, so I decided to skip it for now and install it after I was clean.
I next downloaded and ran RSIT as instructed. Shortly after starting, the program produced an error message and stopped. This happened only a few seconds into the scan. I also tried to run this 3 times, and got the same error each time. The error I received was as follows:
AutoIt Error
Line-1:
Error: Subscript used with non-Array variable
RSIT did still produce a log.txt, so I will include in this post what it contained. There is no info.txt though. I'm guessing that's because it did not complete?
Next I downloaded and extracted GMER as instructed. I ran it according to your instructions and I did receive the warning about rootkit activity. The scan continued, but within 15 seconds or so it crashed my computer. After reboot I attempted the process again, with the same results.
At this point I decided to start back at the beginning. This time I chose AntiVir and installed it. AntiVir installed and ran without a problem. It found the threats that made me seek help here, but said it could not delete/quarantine them. So I now have an antivirus installed, and it confirmed my problems.
After the antivirus installation I again tried the other steps you listed. RSIT ended up with the same results as before. GMER now ran without a problem and I have the full scan txt for that.
Here is the RSIT log.txt that I do have, followed by the GMER text. I apologize if any of the above sounds confusing, but believe me, I am confused at this point.
Again, thank you for your help.
Logfile of random's system information tool 1.06 (written by random/random)
Run by Brian at 2010-04-28 15:21:43
Microsoft® Windows Vista™ Ultimate Service Pack 2
System drive C: has 209 GB (66%) free of 314 GB
Total RAM: 3326 MB (66% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:48 PM, on 4/28/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brian\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Brian.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Brian\AppData\Local\Temp\t5mulcv.dll, RestoreWindows
O4 - HKCU\..\Run: [tolrpm] RUNDLL32.EXE C:\Users\Brian\AppData\Local\Temp\mseltall.dll,w
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
--
End of file - 5573 bytes
======Scheduled tasks folder======
C:\Windows\tasks\At1.job
C:\Windows\tasks\At10.job
C:\Windows\tasks\At11.job
C:\Windows\tasks\At12.job
C:\Windows\tasks\At13.job
C:\Windows\tasks\At14.job
C:\Windows\tasks\At15.job
C:\Windows\tasks\At16.job
C:\Windows\tasks\At17.job
C:\Windows\tasks\At18.job
C:\Windows\tasks\At19.job
C:\Windows\tasks\At2.job
C:\Windows\tasks\At20.job
C:\Windows\tasks\At21.job
C:\Windows\tasks\At22.job
C:\Windows\tasks\At23.job
C:\Windows\tasks\At24.job
C:\Windows\tasks\At3.job
C:\Windows\tasks\At4.job
C:\Windows\tasks\At5.job
C:\Windows\tasks\At6.job
C:\Windows\tasks\At7.job
C:\Windows\tasks\At8.job
C:\Windows\tasks\At9.job
C:\Windows\tasks\NOIMJHYS.job
C:\Windows\tasks\ParetoLogic Registration.job
======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2006-10-17 1164912]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2006-10-17 1941784]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-03-26 142120]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"mcexecwin"=C:\Users\Brian\AppData\Local\Temp\t5mulcv.dll, RestoreWindows []
"tolrpm"=C:\Users\Brian\AppData\Local\Temp\mseltall.dll,w []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-04-01 2010864]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
**************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 15:38:44
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Brian\AppData\Local\Temp\aglcqpow.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x953AD320] <-- ROOTKIT !!!
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 621 81CE8D84 4 Bytes [20, D3, 3A, 95]
.pak2 C:\Windows\System32\Drivers\stkak.sys entry point in ".pak2" section [0x8227F4E0]
? C:\Windows\System32\Drivers\stkak.sys A device attached to the system is not functioning.
.rsrc C:\Windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0x905DE014]
---- User code sections - GMER 1.0.15 ----
? C:\Windows\System32\svchost.exe[3144] image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] ntdll.dll!NtQueryInformationProcess 776E4E54 5 Bytes JMP 01DD0DED
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!closesocket 7786330C 5 Bytes JMP 01DBC549
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!recv 7786343A 5 Bytes JMP 01DBC300
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!GetAddrInfoW 77863D12 5 Bytes JMP 01DBB90E
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!getaddrinfo 7786418A 5 Bytes JMP 01DBB833
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSASend 77864496 5 Bytes JMP 01DBC3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!send 7786659B 5 Bytes JMP 01DBC25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSARecv 77868400 5 Bytes JMP 01DBC465
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSAAsyncGetHostByName 77875FB9 5 Bytes JMP 01DBBBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!gethostbyname 778762D4 5 Bytes JMP 01DBB779
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextExW 75E791CE 5 Bytes JMP 01DBCB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextW 75E797D3 5 Bytes JMP 01DBC94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextA 75E8558D 5 Bytes JMP 01DBC873
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextExA 75E855C4 5 Bytes JMP 01DBCA25
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DialogBoxParamW 75E910B0 5 Bytes JMP 01DBBC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!SetClipboardData 75EA6410 5 Bytes JMP 01DBC5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!ExtTextOutW 7789872B 5 Bytes JMP 01DBCCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!GetGlyphIndicesW 7789B765 5 Bytes JMP 01DBD143
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!ExtTextOutA 778A00A5 5 Bytes JMP 01DBCBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!TextOutA 778A0BAB 5 Bytes JMP 01DBC6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!TextOutW 778A0D6D 5 Bytes JMP 01DBC7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!GetGlyphIndicesA 778B9DC0 5 Bytes JMP 01DBD07C
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\system32\services.exe[740] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
IAT C:\Windows\system32\services.exe[740] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] 51EC8B55
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 1845DB51
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] F855DD56
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] E8084DDC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 000004D2
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] FF184589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 40516015
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] F845DD00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B104DDC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 1865DAF0
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 0004B9E8
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 8BC88B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] F74199C6
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] C28B5EF9
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] C9184503
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 6015FFC3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 8B004051
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 2B08244C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 9904244C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 8BF9F741
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] 244403C2
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] FF56C304
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 244C8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [748D9908] C:\Windows\System32\WINMM.dll (MCI API DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 2BC28B5E
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 244403C1
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 15FFC308
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] [00405160] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 04244C8B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] F9F74199
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] FFC3C28B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 40516015
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] 646A9900
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 33F9F759
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] 24543BC0
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] C09C0F04
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] EC8B55C3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 0204EC81
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 00000100
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 8B590040
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] 8D500000
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_adjust_fdiv] FFFEFC8D
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] C93351FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] 558D5151
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 8D5052FC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] FFFDFC85
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] FF5150FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 40504415
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] 56216A00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memset] FFFC75FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 40515C15
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 0CC48300
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] C01BD8F7
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] C95EC623
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] EC8B55C3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 458B5151
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] 33565308
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 33FC7589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01518DFF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 8441198A
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 2BF975DB
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 802974CA
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 7420063C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [75FF850A] C:\Windows\system32\urlmon.dll (OLE32 Extensions for Win32/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegDisablePredefinedCacheEx] 45FF470C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 8A01518D
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] DB844119
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] CA2BF975
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] D772F13B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 5FFC458B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] C3C95B5E
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 56530CEC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 68F63357
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 00000400
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] FFF87589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 40515815
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 085D8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] C38BF88B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] FC758959
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8D0007C6
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 108A0148
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 75D28440
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 1E048D66
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 74203880
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] FC7D8328
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] FF0A7500
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 45C7F845
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 000001FC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 0C4D8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] F84D3941
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 016A3275
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 85F60130
AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
Device -> \Driver\iaStorV \Device\Harddisk0\DR0 87503AC8
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] stkak <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Group Boot Bus Extender
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\DRIVERS\mouclass.sys suspicious modification
File C:\Windows\system32\drivers\iaStorV.sys suspicious modification
---- EOF - GMER 1.0.15 ----