Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Rootkit-Pakes.U trojan found in atapi.sys

emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
29-Oct-2009, 12:08 AM #16
Hello djtappin,
  • C:\Documents and Settings\Administrator\CCA8.0\othread2.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
And do the same with this one:

C:\WINDOWS\system32\drivers\atapi.sys

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
C:\Program Files\Adobe\Flash\install.js

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
__________________
Manners are the basis of a civilised society and make everyone's lives just a little happier. They cost nothing but they are worth so much. Quote by Daniela Cirignano
djtappin
Member with 30 posts.
Join Date: Oct 2009
Experience: Intermediate
29-Oct-2009, 12:56 AM #17
Hey there,

Below are the reports you requested.


VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 00:31:50 (EDT)
Scanner results: 79% Scanner(s) (30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/report/e8541b64f8...aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU

VirSCAN.org Scanned Report :
Scanned time : 2009/10/29 00:08:25 (EDT)
Scanner results: 32% Scanner(s) (12/37) found malware!
File Name : atapi.sys
File Size : 96512 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 554deb762f86770ef2fd7d80b4f68c0f
SHA1 : be1fc0067855135de2a131bcdd2a258d7a213d7d
Online report : http://virscan.org/report/9034b84f4b...2f335951f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091029023454 2009-10-29 4.37 Rootkit.Win32.TDSS!IK
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 1.00 Win-Trojan/Patched.X
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.08 -
Antiy 2.0.18 20091028.3102810 2009-10-28 0.12 -
Arcavir 2009 200910281552 2009-10-28 0.05 -
Authentium 5.1.1 200910281538 2009-10-28 1.26 -
AVAST! 4.7.4 091028-0 2009-10-28 0.01 Win32:Patched-LF [Trj]
AVG 8.5.288 270.14.37/2466 2009-10-29 0.32 Rootkit-Pakes.U
BitDefender 7.81008.4468145 7.28630 2009-10-29 3.89 -
CA (VET) 35.1.0 7087 2009-10-27 4.82 -
ClamAV 0.95.2 9958 2009-10-29 0.02 -
Comodo 3.12 2764 2009-10-29 0.92 -
CP Secure 1.3.0.5 2009.10.29 2009-10-29 0.07 -
Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 6.11 BackDoor.Tdss.565
F-Prot 4.4.4.56 20091028 2009-10-28 1.18 -
F-Secure 7.02.73807 2009.10.28.20 2009-10-28 0.10 Rootkit.Win32.TDSS.u [AVP]
Fortinet 2.81-3.120 10.997 2009-10-28 0.22 -
GData 19.8625/19.526 20091029 2009-10-29 7.06 Rootkit.Win32.TDSS.u [Engine:A]
ViRobot 20091028 2009.10.28 2009-10-28 0.96 -
Ikarus T3.1.01.72 2009.10.29.74310 2009-10-29 4.25 Rootkit.Win32.TDSS
JiangMin 11.0.800 2009.10.26 2009-10-26 5.75 Rootkit.TDSS.ctt
Kaspersky 5.5.10 2009.10.29 2009-10-29 0.07 Rootkit.Win32.TDSS.u
KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 0.67 -
McAfee 5.3.00 5785 2009-10-28 3.38 -
Microsoft 1.5202 2009.10.28 2009-10-28 6.51 Virus:Win32/Alureon.A
Norman 6.01.09 6.01.00 2009-10-28 4.01 -
Panda 9.05.01 2009.10.28 2009-10-28 2.01 -
Trend Micro 8.700-1004 6.584.01 2009-10-28 0.03 -
Quick Heal 10.00 2009.10.29 2009-10-29 1.22 -
Rising 20.0 21.53.30.00 2009-10-29 0.82 -
Sophos 3.00.1 4.46 2009-10-29 2.77 -
Sunbelt 5472 5472 2009-10-27 1.68 -
Symantec 1.3.0.24 20091028.006 2009-10-28 0.25 -
nProtect 20091028.01 6034135 2009-10-28 9.19 Trojan/W32.Rootkit.96512
The Hacker 6.5.0.2 v00056 2009-10-28 1.01 -
VBA32 3.12.10.11 20091027.1255 2009-10-27 1.93 -
VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 2.51 -

ComboFix 09-10-28.01 - Administrator 10/29/2009 0:34.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.764 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip"
"c:\program files\Adobe\Flash\install.js"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
c:\program files\Adobe\Flash\install.js

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 04:28 . 2009-10-29 04:29 -------- d-----w- C:\Combo-Fix
2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-28 22:34 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 04:03 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-28 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-28 13:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:33 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-30 23:17 . 2009-06-16 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-28_01.30.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 22:17 . 2009-10-28 22:17 16384 c:\windows\Temp\Perflib_Perfdata_eec.dat
+ 2009-10-29 04:44 . 2009-10-29 04:44 16384 c:\windows\Temp\Perflib_Perfdata_e78.dat
+ 2009-10-29 04:42 . 2009-10-29 04:42 16384 c:\windows\Temp\Perflib_Perfdata_698.dat
+ 2006-10-17 19:01 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 149280 c:\windows\system32\javaws.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 145184 c:\windows\system32\javaw.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 145184 c:\windows\system32\java.exe
- 2006-10-17 18:27 . 2009-08-29 07:36 380928 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 18:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
+ 2007-05-10 12:02 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-10 12:02 . 2009-08-29 07:36 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2009-10-28 05:03 . 2009-10-28 05:03 817152 c:\windows\Installer\8f2bb.msi
+ 2009-10-28 22:10 . 2009-10-28 22:10 537600 c:\windows\Installer\24209f.msi
- 2009-07-29 13:02 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB972260-IE7\update\update.exe
+ 2009-07-29 13:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB972260-IE7\update\update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 00:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\combo-fix2902c\CF28242.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\combo-fix2902c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 0:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 04:50
ComboFix2.txt 2009-10-28 01:36

Pre-Run: 6,599,766,016 bytes free
Post-Run: 6,708,240,384 bytes free

- - End Of File - - B956A486D6185F052FF56D7E3E093897
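A small parser for the VirSCAN.org report format pasted above, added here as an example (it is not code from the thread or from VirSCAN). It re-derives the "(hits/total) found malware" ratio from the rows instead of trusting the header line, and tallies a few family keywords (an assumed list chosen from the names on this page) so that the many TDSS/Alureon names read as one verdict rather than twelve unrelated hits. The sample rows are copied from the atapi.sys report above.

```python
import re
from collections import Counter

# Constructed sample: the claim line, column header and all 37 scanner rows
# from the atapi.sys VirSCAN.org report pasted in this thread.
SAMPLE_REPORT = """\
Scanner results: 32% Scanner(s) (12/37) found malware!
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091029023454 2009-10-29 4.37 Rootkit.Win32.TDSS!IK
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 1.00 Win-Trojan/Patched.X
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.08 -
Antiy 2.0.18 20091028.3102810 2009-10-28 0.12 -
Arcavir 2009 200910281552 2009-10-28 0.05 -
Authentium 5.1.1 200910281538 2009-10-28 1.26 -
AVAST! 4.7.4 091028-0 2009-10-28 0.01 Win32:Patched-LF [Trj]
AVG 8.5.288 270.14.37/2466 2009-10-29 0.32 Rootkit-Pakes.U
BitDefender 7.81008.4468145 7.28630 2009-10-29 3.89 -
CA (VET) 35.1.0 7087 2009-10-27 4.82 -
ClamAV 0.95.2 9958 2009-10-29 0.02 -
Comodo 3.12 2764 2009-10-29 0.92 -
CP Secure 1.3.0.5 2009.10.29 2009-10-29 0.07 -
Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 6.11 BackDoor.Tdss.565
F-Prot 4.4.4.56 20091028 2009-10-28 1.18 -
F-Secure 7.02.73807 2009.10.28.20 2009-10-28 0.10 Rootkit.Win32.TDSS.u [AVP]
Fortinet 2.81-3.120 10.997 2009-10-28 0.22 -
GData 19.8625/19.526 20091029 2009-10-29 7.06 Rootkit.Win32.TDSS.u [Engine:A]
ViRobot 20091028 2009.10.28 2009-10-28 0.96 -
Ikarus T3.1.01.72 2009.10.29.74310 2009-10-29 4.25 Rootkit.Win32.TDSS
JiangMin 11.0.800 2009.10.26 2009-10-26 5.75 Rootkit.TDSS.ctt
Kaspersky 5.5.10 2009.10.29 2009-10-29 0.07 Rootkit.Win32.TDSS.u
KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 0.67 -
McAfee 5.3.00 5785 2009-10-28 3.38 -
Microsoft 1.5202 2009.10.28 2009-10-28 6.51 Virus:Win32/Alureon.A
Norman 6.01.09 6.01.00 2009-10-28 4.01 -
Panda 9.05.01 2009.10.28 2009-10-28 2.01 -
Trend Micro 8.700-1004 6.584.01 2009-10-28 0.03 -
Quick Heal 10.00 2009.10.29 2009-10-29 1.22 -
Rising 20.0 21.53.30.00 2009-10-29 0.82 -
Sophos 3.00.1 4.46 2009-10-29 2.77 -
Sunbelt 5472 5472 2009-10-27 1.68 -
Symantec 1.3.0.24 20091028.006 2009-10-28 0.25 -
nProtect 20091028.01 6034135 2009-10-28 9.19 Trojan/W32.Rootkit.96512
The Hacker 6.5.0.2 v00056 2009-10-28 1.01 -
VBA32 3.12.10.11 20091027.1255 2009-10-27 1.93 -
VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 2.51 -
"""

# A scanner row is anchored on its YYYY-MM-DD signature date and the seconds column.
SCAN_LINE = re.compile(r"^(?P<prefix>.+?)\s+(?P<date>\d{4}-\d{2}-\d{2})"
                       r"\s+(?P<secs>\d+\.\d+)\s+(?P<result>.*)$")
CLAIM = re.compile(r"\((?P<hits>\d+)/(?P<total>\d+)\) found malware")

# Assumed keyword list: vendor naming differs, and Microsoft's "Alureon" is the
# same rootkit family that most other vendors on this page call "TDSS".
FAMILY_HINTS = ("tdss", "alureon", "patched", "pakes")


def parse_report(text):
    """Return (claimed (hits, total) or None, list of per-scanner dicts)."""
    claimed, rows = None, []
    for line in text.splitlines():
        m = CLAIM.search(line)
        if m:
            claimed = (int(m["hits"]), int(m["total"]))
            continue
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # column header, hash lines, blanks
        # Engine version and signature version are the two tokens just before
        # the date; everything earlier is the (possibly multi-word) vendor name.
        name, engine, sigs = m["prefix"].rsplit(None, 2)
        result = m["result"].strip()
        rows.append({"scanner": name, "engine": engine, "sigs": sigs,
                     "date": m["date"], "result": None if result == "-" else result})
    return claimed, rows


def summarize(text):
    """Triage view: who fired, whether the header ratio matches the rows, and
    which family keywords the detection names agree on."""
    claimed, rows = parse_report(text)
    hits = [r for r in rows if r["result"]]
    families = Counter()
    for r in hits:
        low = r["result"].lower()
        families.update(h for h in FAMILY_HINTS if h in low)
    return {
        "claimed": claimed,
        "observed": (len(hits), len(rows)),
        "claim_ok": claimed == (len(hits), len(rows)),
        "detecting": [r["scanner"] for r in hits],
        "families": dict(families),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The family tally is what turns a 12/37 ratio into a usable verdict: seven engines name TDSS, Microsoft names Alureon, and two more flag the file as patched, which is consistent with a legitimate atapi.sys that has been modified rather than a dropped foreign binary.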
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
29-Oct-2009, 02:18 AM #18
Hello djtappin,

Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

----------------------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

----------------------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\Documents and Settings\Administrator\CCA8.0\othread2.dll

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

Next

Download GMER from here

Unzip it to the desktop.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

So when you return please post
  • ComboFix.txt
  • GMER Rootkit revealer scan results
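Both CFScript replies in this thread (post #16 and post #18) rely on the same loop: list paths under File::, drag the script onto ComboFix, then read the returned ComboFix.txt. The check below is an added example, not code from the thread or from ComboFix: it parses the CFScript directives and the log's banner sections and confirms that every File:: path was both echoed back under FILE :: and listed under Other Deletions. The sample script and log excerpt are the ones from posts #16 and #17; section names and the "." spacer handling follow the log format shown on this page.

```python
import re

# Constructed sample: the CFScript from post #16 and the top of the
# ComboFix.txt that came back for it in post #17, as pasted in this thread.
CFSCRIPT = r"""
KillAll::

File::
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
C:\Program Files\Adobe\Flash\install.js

Reboot::
"""

COMBOFIX_LOG = r"""
ComboFix 09-10-28.01 - Administrator 10/29/2009 0:34.2.2 - NTFSx86
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip"
"c:\program files\Adobe\Flash\install.js"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
c:\program files\Adobe\Flash\install.js

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.
"""

# ComboFix section banners look like '((((( Title )))))'.
SECTION = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")


def parse_cfscript(text):
    """Map each 'Name::' directive to the non-blank lines listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split ComboFix.txt into its banner sections plus the 'FILE ::' echo of
    the script, dropping the '.' spacer lines ComboFix emits."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m["title"]
            sections[current] = []
        elif line == "FILE ::":
            current = "FILE"
            sections[current] = []
        elif line and line != "." and current is not None:
            sections[current].append(line.strip('"'))
    return sections


def _norm(path):
    # ComboFix lower-cases path prefixes, so compare case-insensitively.
    return path.strip().strip('"').lower()


def verify_script(cfscript_text, log_text):
    """For each File:: path, report whether ComboFix echoed it (acknowledged the
    script) and whether it appears under 'Other Deletions' (actually removed)."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    echoed = {_norm(p) for p in log.get("FILE", [])}
    deleted = {_norm(p) for p in log.get("Other Deletions", [])}
    report = {}
    for path in script.get("File", []):
        key = _norm(path)
        report[path] = {"acknowledged": key in echoed, "deleted": key in deleted}
    return report


def all_removed(cfscript_text, log_text):
    """True only when the script listed at least one file and every one was deleted."""
    report = verify_script(cfscript_text, log_text)
    return bool(report) and all(v["deleted"] for v in report.values())


if __name__ == "__main__":
    for path, status in verify_script(CFSCRIPT, COMBOFIX_LOG).items():
        print(status, path)
```

A path that is acknowledged but not deleted is the case worth noticing: the script was read, but the file was locked, hidden or already gone, and the next ComboFix run or a rootkit scan is needed before calling the removal done.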
djtappin
Member with 30 posts.
Join Date: Oct 2009
Experience: Intermediate
29-Oct-2009, 10:18 AM #19
Hello,

Below are the results.

ComboFix 09-10-28.08 - Administrator 10/29/2009 9:45.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.311 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Administrator\CCA8.0\othread2.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\CCA8.0\othread2.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-29 13:25 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 05:06 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-28 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-28 13:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:33 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-30 23:17 . 2009-06-16 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-10-29 10:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 14:02
ComboFix2.txt 2009-10-29 04:51

Pre-Run: 6,712,750,080 bytes free
Post-Run: 6,747,004,928 bytes free

- - End Of File - - FE10F6946BD543774EACABBE21102D3E
djtappin
Member with 30 posts.
Join Date: Oct 2009
Experience: Intermediate
29-Oct-2009, 10:20 AM #20
Hello again,

Here is the other log.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-29 10:14:13
Windows 5.1.2600 Service Pack 3
Running: ucvzo6qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwdoqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\CLASSPNP_2.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\atapi_2.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eafsprot.sys (EAFS Volume File Protector/PC Guardian)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice eafsprot.sys (EAFS Volume File Protector/PC Guardian)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
29-Oct-2009, 07:27 PM #21
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    atapi_2.sys
    PROCEXP90.SYS
    CLASSPNP_2.sys
    ucvzo6qy.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
djtappin
Member with 30 posts.
Join Date: Oct 2009
Experience: Intermediate
29-Oct-2009, 09:03 PM #22
Hi

I want to again thank you for your support; you've been really helpful, I must say.

Here is the log below. I noticed it said files not found in this log, but for some reason the Rootkit-Pakes.U trojan atapi.sys is still in the system32/drivers folder. When AVG scans daily it finds it but it will not delete it; it says it's an important file and cannot be deleted, LOL, but it's showing as a trojan hmmm :-). But maybe I'm getting a little ahead of myself, I apologize if so. You guys have been doing a great job in helping me with this problem. So I'll continue to let you do your job without complaining :-)

Thanks a lot!


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:53 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi_2.sys"
No files found.

Searching for "PROCEXP90.SYS"
No files found.

Searching for "CLASSPNP_2.sys"
No files found.

Searching for "ucvzo6qy.exe"
C:\Documents and Settings\Administrator\Desktop\ucvzo6qy.exe --a--- 291328 bytes [14:07 29/10/2009] [14:07 29/10/2009] BE611621504065D54AC2CE8F2F7BC27A

-=End Of File=-
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
29-Oct-2009, 10:40 PM #23
Hello djtappin,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    atapi.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

File::
C:\Documents and Settings\Administrator\Desktop\ucvzo6qy.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwdoqpow.sys

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

So when you return please post
  • SystemLook.txt
  • ComboFix.txt
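Once the :filefind log for atapi.sys comes back, the live driver can be checked against the reference copies Windows keeps on disk. The Python triage script below is an added example, not part of the thread and not part of SystemLook: it parses SystemLook's filefind block (sample input is the atapi.sys block posted later in this thread) and flags a live system32\drivers copy whose size matches a reference copy but whose MD5 matches none of them; the "suspect" status is a flag for a closer look, not a malware verdict by itself.

```python
"""Triage helper for SystemLook ':filefind' output.

Added example, not from the thread or from SystemLook itself. Windows keeps
reference copies of core drivers (ServicePackFiles, $NtServicePackUninstall$,
i386, ReinstallBackups), so the live copy under system32\\drivers can be
compared with them: a live driver whose size matches a reference copy but
whose MD5 matches none of them is the pattern an in-place patched driver
leaves. The result is a triage flag, not a malware determination on its own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One result line: <path> <attrs> <size> bytes [<time1>] [<time2>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')
LIVE_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    md5: str


@dataclass
class Verdict:
    path: str
    status: str            # matches-backup | suspect | unverified | no-reference
    size: int
    md5: str
    reference: list[str] = field(default_factory=list)  # same-size reference copies


def parse_filefind(log: str) -> dict[str, list[FileHit]]:
    """Map each searched name to the hits SystemLook listed under it."""
    results: dict[str, list[FileHit]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m["name"]
            results[current] = []
            continue
        if current is None:
            continue            # header lines before the first search block
        m = LINE_RE.match(line)
        if m:                   # "No files found." and the footer fall through
            results[current].append(
                FileHit(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return results


def triage(hits: list[FileHit]) -> list[Verdict]:
    """Compare each live system32\\drivers copy with the reference copies."""
    live = [h for h in hits if LIVE_DIR.search(h.path)]
    refs = [h for h in hits if not LIVE_DIR.search(h.path)]
    verdicts = []
    for h in live:
        same_hash = [r.path for r in refs if r.md5 == h.md5]
        same_size = [r.path for r in refs if r.size == h.size]
        if not refs:
            status = "no-reference"    # nothing on disk to compare against
        elif same_hash:
            status = "matches-backup"  # byte-identical to a reference copy
        elif same_size:
            status = "suspect"         # same size, different content
        else:
            status = "unverified"      # different build; verify by other means
        verdicts.append(Verdict(h.path, status, h.size, h.md5, same_size))
    return verdicts


def triage_log(log: str) -> dict[str, list[Verdict]]:
    return {name: triage(hits) for name, hits in parse_filefind(log).items()}


# Sample input: the atapi.sys filefind block as posted later in this thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:46 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
"""

if __name__ == "__main__":
    for name, verdicts in triage_log(SAMPLE_LOG).items():
        for v in verdicts:
            print(f"{name}: {v.status:15} {v.path}  size={v.size} md5={v.md5}")
            for ref in v.reference:
                print(f"    same-size reference copy: {ref}")
```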
djtappin
Member with 30 posts.
Join Date: Oct 2009
Experience: Intermediate
29-Oct-2009, 11:13 PM #24
Hello,

Below are the logs.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:46 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


ComboFix 09-10-28.08 - Administrator 10/29/2009 22:54.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.459 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\kwdoqpow.sys"
"c:\documents and settings\Administrator\Desktop\ucvzo6qy.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Desktop\ucvzo6qy.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-29 23:12 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 22:25 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-29 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-29 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 02:23 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-29_13.54.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 13:55 . 2009-10-29 13:55 16384 c:\windows\Temp\Perflib_Perfdata_d40.dat
+ 2009-10-30 03:00 . 2009-10-30 03:00 16384 c:\windows\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-30 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 23:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-30 23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 03:08
ComboFix2.txt 2009-10-29 14:03
ComboFix3.txt 2009-10-29 04:51

Pre-Run: 6,693,847,040 bytes free
Post-Run: 6,689,574,912 bytes free

- - End Of File - - 5BA3B2B1E277A01233E4B041919F13A6
emeraldnzl's Avatar
Senior Member with 644 posts.
 
Join Date: Nov 2007
Location: Auckland,N.Z.
30-Oct-2009, 12:04 AM #25
Hello djtappin,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sy
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\ServicePackFiles\i386\atapi.sys

Registry::
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
__________________
Manners are the basis of a civilised society and make everyone's lives just a little happier. They cost nothing but they are worth so much. Quote by Daniela Cirignano
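One way to check the SystemLook result in post #24 mechanically, as an added example (not code from the thread, SystemLook or ComboFix): it parses the filefind lines, treats the copy in c:\windows\system32\drivers as the live driver, and flags it when its MD5 matches none of the backup copies on disk, which is the condition the FCopy:: step above remediates. The helper names and the live-directory assumption are mine; the sample input is the thread's own log.

```python
"""Audit a Windows driver's live copy against its on-disk backup copies.

Added example, not code from the thread, ComboFix or SystemLook. It parses
the SystemLook v1.0 "filefind" lines posted in this thread; the helper
names and the choice of live directory are assumptions.
"""
import re
from collections import defaultdict

# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Directory the kernel loads the boot-start driver from on XP (assumption);
# every other copy filefind reports is treated as a backup.
LIVE_DIR = r"c:\windows\system32\drivers"

# filefind section copied from the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict per result line; headers and footers are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def _split(path):
    """(directory, filename), both lower-cased, for a Windows path."""
    d, _, f = path.lower().rpartition("\\")
    return d, f


def audit_driver(entries, name, live_dir=LIVE_DIR):
    """Compare the live copy of `name` with every other copy filefind found.

    'suspicious' is set when the live MD5 matches no backup copy;
    'same_size_mismatch' is set when a backup of identical size carries a
    different MD5, which is what a file modified in place (rather than
    replaced by a different version) looks like.
    """
    copies = [e for e in entries if _split(e["path"])[1] == name.lower()]
    live = [e for e in copies if _split(e["path"])[0] == live_dir.lower()]
    backups = [e for e in copies if _split(e["path"])[0] != live_dir.lower()]
    if len(live) != 1:
        raise ValueError(f"expected one live copy of {name}, found {len(live)}")
    live = live[0]
    by_md5 = defaultdict(list)
    for e in backups:
        by_md5[e["md5"]].append(e["path"])
    return {
        "live": live,
        "backups_by_md5": dict(by_md5),
        "suspicious": live["md5"] not in by_md5,
        "same_size_mismatch": any(
            e["size"] == live["size"] and e["md5"] != live["md5"] for e in backups
        ),
        # Backup copies that could serve as a known-good replacement, as the
        # FCopy:: step in this thread does; confirm each against a vendor hash.
        "replacement_sources": [e["path"] for e in backups if e["md5"] != live["md5"]],
    }


if __name__ == "__main__":
    report = audit_driver(parse_filefind(SAMPLE_LOG), "atapi.sys")
    live = report["live"]
    print(f"live copy: {live['path']} {live['size']} bytes {live['md5']}")
    for md5, paths in report["backups_by_md5"].items():
        print(f"backup hash {md5}: {len(paths)} copies")
    print("suspicious:", report["suspicious"],
          "| same-size mismatch:", report["same_size_mismatch"])
```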
djtappin's Avatar
Member with 30 posts.
 
Join Date: Oct 2009
Experience: Intermediate
30-Oct-2009, 12:54 AM #26
Hello,

Here is the log report!

ComboFix 09-10-28.08 - Administrator 10/30/2009 0:26.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sy
c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-30 03:10 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-30 03:28 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-29 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-29 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 02:23 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-29_13.54.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-30 04:41 . 2009-10-30 04:41 16384 c:\windows\Temp\Perflib_Perfdata_f0c.dat
+ 2009-10-29 13:55 . 2009-10-29 13:55 16384 c:\windows\Temp\Perflib_Perfdata_d40.dat
+ 2009-10-30 04:40 . 2009-10-30 04:40 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-30 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 00:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-30 0:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 04:48
ComboFix2.txt 2009-10-30 03:09
ComboFix3.txt 2009-10-29 14:03
ComboFix4.txt 2009-10-29 04:51

Pre-Run: 6,709,170,176 bytes free
Post-Run: 6,939,365,376 bytes free

- - End Of File - - 5F2B31400283B0C0F1E1D7891E92DABC
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.) - 30-Oct-2009, 01:16 AM #27
Okay, time to have another check that we aren't missing anything else.

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • MBAM log
  • Kaspersky scan results
  • and tell me how your computer is performing now
__________________
Manners are the basis of a civilised society and make everyone's lives just a little happier. They cost nothing but they are worth so much. Quote by Daniela Cirignano
djtappin (Member, 30 posts, joined Oct 2009, Experience: Intermediate) - 30-Oct-2009, 03:35 PM #28
Hello,

Here are the logs.

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 3

10/30/2009 1:48:26 AM
mbam-log-2009-10-30 (01-48-26).txt

Scan type: Quick Scan
Objects scanned: 103993
Time elapsed: 26 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 30, 2009 15:47:42
Records in database: 3104654
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Objects scanned: 84799
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 04:13:25


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\CCA8.0\othread2.dll.vir Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP491\A0080351.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.) - 30-Oct-2009, 05:46 PM #29
Looking good. One of those found by Kaspersky is in quarantine in the tools we have been using, one is in System Restore and will be dealt with when we clean up, and the third may be a false positive, but we will just check.

Now

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :processes
    
    
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
    Also, please answer my question in my last post about how your computer is now.
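The triage emeraldnzl does by eye above (one hit already in a removal tool's quarantine, one in a System Restore point, one live file to verify) can be done mechanically on the report text. The script below is an added example, not code from this thread, from Kaspersky or from ComboFix; it parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7 report and buckets each detection by where it sits, and the path patterns it keys on (the C:\Qoobox\Quarantine folder, the _restore directory under System Volume Information) and its reading of the not-a-virus: prefix as Kaspersky's riskware marker are assumptions drawn from the report format shown.

```python
"""Bucket Kaspersky Online Scanner detections by where each file lives.

Added example (not the forum's or any vendor's code). A hit that is already
inside a removal tool's quarantine needs no action, a hit inside a System
Restore point goes away when restore points are purged during cleanup, and
only a hit on a live path needs hands-on verification.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed location conventions (constructed from the posted report).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)        # ComboFix quarantine
RESTORE_MARKER = "\\system volume information\\_restore"  # System Restore points

# One report line: "<path> Infected: <threat> <count>"
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample: the detection section of the report posted above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\CCA8.0\othread2.dll.vir Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP491\A0080351.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str   # "quarantined", "system_restore" or "live"
    riskware: bool  # Kaspersky's "not-a-virus:" prefix: legitimate-but-risky software


def classify_path(path: str) -> str:
    """Decide whether a detected file is quarantined, in a restore point, or live."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if RESTORE_MARKER in p:
        return "system_restore"
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Extract every detection line; non-matching lines (headers, footers) are skipped."""
    hits: list[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        hits.append(Detection(path, threat, int(m.group("count")),
                              classify_path(path),
                              threat.lower().startswith("not-a-virus:")))
    return hits


def triage(text: str) -> dict[str, list[str]]:
    """Group detection paths by location so the live ones stand out for follow-up."""
    buckets: dict[str, list[str]] = {"quarantined": [], "system_restore": [], "live": []}
    for d in parse_report(text):
        buckets[d.location].append(d.path)
    return buckets


if __name__ == "__main__":
    for location, paths in triage(SAMPLE_REPORT).items():
        print(f"{location}: {len(paths)}")
        for p in paths:
            print("    ", p)
```

Run on the posted report it leaves exactly one path in the "live" bucket, the atapi.sys hit, which is the one emeraldnzl says still needs checking.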
djtappin (Member, 30 posts, joined Oct 2009, Experience: Intermediate) - 30-Oct-2009, 06:07 PM #30
Hello,

I can tell a little bit that it's running a little better. My computer is running good, it was actually running decent when I first contacted you guys, even after AVG found the Rootkit-Pakes.U trojan atapi.sys. That's why I looked it up and found you guys and I saw where another guy found the same file and it was repaired and solved.

But you guys have found even more infections that AVG didn't find, so I really thank you for that.

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2728 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_wDHjKNgPN39aG7QWCdiP scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\fla212.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_710.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_c0c.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DB9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DC6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53A8.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53BE.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53D5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5406.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF547E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF548B.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 111034833 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OWICFSQ3\client_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O8DGROHU\client_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 2203324 bytes
->Java cache emptied: 97609745 bytes
->FireFox cache emptied: 90716123 bytes
->Google Chrome cache emptied: 369447136 bytes
->Apple Safari cache emptied: 722935040 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\LMI10.tmp folder deleted successfully.
C:\WINDOWS\LMI11.tmp folder deleted successfully.
C:\WINDOWS\LMI29.tmp folder deleted successfully.
C:\WINDOWS\LMI2A.tmp folder deleted successfully.
C:\WINDOWS\LMI2C.tmp folder deleted successfully.
C:\WINDOWS\LMI43.tmp folder deleted successfully.
C:\WINDOWS\LMIF.tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 12232305 bytes
%systemroot%\System32 .tmp files removed: 4532241 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_eac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 55899 bytes
RecycleBin emptied: 3418 bytes

Total Files Cleaned = 1345.54 mb


OTL by OldTimer - Version 3.0.22.1 log created on 10302009_175217

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2728 not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_wDHjKNgPN39aG7QWCdiP not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\fla212.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_710.dat not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_c0c.dat not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DB9.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DC6.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53A8.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53BE.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53D5.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5406.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF547E.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF548B.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OWICFSQ3\client_ad[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O8DGROHU\client_ad[1].htm moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_eac.dat moved successfully.

Registry entries deleted on Reboot...
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.