There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Go to first new post Somethings Amiss....
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Family Cyber Removal
Go to first new post Cannot access any google sites - youtube ...
Go to first new post We Got System Checked :-(
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post System Check problem
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Overall Sluggish Performance, Video Hicc ...
Go to first new post Extremely slow computer
Go to first new post RegClean Pro
Tag Cloud
access acer asus bios bsod computer crash dns drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet java laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Need help with Trojan horse Rootkit-Pakes.U repair (In Progress)

Reply  
Thread Tools
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
20-Oct-2009, 07:53 PM #1
Talking Need help with Trojan horse Rootkit-Pakes.U repair
I am running AVG 9.0 Internet Security and has detected that C:\Windows\system32\drivers\atapi.sys is infected with Rootkit-Pakes.U. I've attached a screen print of the AVG warning. I have also ran a Kapersky online scan and received the same result. I am running Windows XP SP3 on my good ol' P4 3ghz with 2gb of ram. Did I mention it does hyper threading . Below is my HijackThis Log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:17 PM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\My Mobile\MyMobiler\MyMobiler.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1254970250046
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4842 bytes
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Register for free to hide this ad!
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
23-Oct-2009, 01:28 PM #2
Welcome to TSG

Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
23-Oct-2009, 10:34 PM #3
Here are the scan results

ComboFix 09-10-22.01 - John 10/23/2009 18:27.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1513 [GMT -7:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-22 01:30 . 2009-06-01 20:51 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2009-10-22 01:30 . 2009-10-22 01:30 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-10-20 22:43 . 2009-10-20 22:43 -------- d-----w- c:\program files\Trend Micro
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\documents and settings\John\Application Data\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Common Files\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Common Files\BCL Technologies
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- c:\windows\Downloaded Installations
2009-10-20 05:02 . 2009-10-20 05:02 -------- d-----w- c:\documents and settings\John\Application Data\InfraRecorder
2009-10-20 05:01 . 2009-10-20 05:01 -------- d-----w- c:\program files\InfraRecorder
2009-10-20 03:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-20 03:45 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-20 03:45 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-20 03:45 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-17 22:41 . 2009-10-17 22:41 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Identities
2009-10-17 17:32 . 2009-10-17 17:32 -------- d-----w- c:\windows\Sun
2009-10-17 17:31 . 2009-10-17 17:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-17 17:31 . 2009-10-17 17:31 -------- d-----w- c:\program files\Java
2009-10-16 04:29 . 2009-10-16 04:58 -------- d-----w- c:\documents and settings\John\Application Data\Apple Computer
2009-10-16 04:29 . 2009-05-18 21:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-16 04:29 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-16 04:28 . 2009-10-16 04:28 -------- d-----w- c:\program files\iPod
2009-10-16 04:20 . 2009-10-20 03:45 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Apple Computer
2009-10-16 01:15 . 2009-10-16 01:15 -------- d-----w- c:\windows\system32\LogFiles
2009-10-15 23:22 . 2009-10-15 23:23 -------- d-----w- c:\program files\My Mobile
2009-10-15 23:13 . 2009-10-15 23:13 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-14 00:18 . 2009-10-14 00:18 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-10-14 00:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 00:17 . 2009-10-14 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 00:17 . 2009-10-14 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 00:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 00:05 . 2009-10-14 00:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-14 00:05 . 2009-10-14 00:05 -------- d-----w- c:\program files\uTorrent
2009-10-14 00:05 . 2009-10-14 00:13 -------- d-----w- c:\documents and settings\John\Application Data\uTorrent
2009-10-12 04:57 . 2009-10-13 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2009-10-12 04:45 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-10-12 04:44 . 2009-10-12 04:44 -------- d-----w- c:\program files\Daniusoft
2009-10-11 21:17 . 2009-10-11 21:17 -------- d-----w- c:\program files\ImTOO
2009-10-10 21:43 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-10 21:43 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-10 14:50 . 2009-10-10 14:50 -------- d-----w- c:\documents and settings\John\Application Data\Foxit
2009-10-10 14:50 . 2009-10-20 01:00 -------- d-----w- c:\program files\Foxit Software
2009-10-10 04:27 . 2009-10-10 04:27 -------- d-sh--w- c:\documents and settings\John\IETldCache
2009-10-10 04:24 . 2009-10-10 04:24 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Google
2009-10-10 04:24 . 2009-10-17 15:36 -------- d-----w- c:\program files\Google
2009-10-10 04:17 . 2009-10-10 04:27 -------- d-----w- c:\documents and settings\John\Tracing
2009-10-10 04:16 . 2009-10-10 04:16 -------- d-----w- c:\program files\Microsoft
2009-10-10 04:16 . 2009-10-10 04:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-10 04:15 . 2009-10-10 04:16 -------- d-----w- c:\program files\Windows Live
2009-10-10 04:13 . 2009-10-10 04:13 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-10 03:33 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-10 03:32 . 2009-10-10 03:33 -------- d-----w- c:\windows\ie8updates
2009-10-10 03:32 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-10 03:32 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-10 03:32 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-10 03:32 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-10 03:32 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-10 03:32 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-10 03:31 . 2009-10-10 03:32 -------- dc-h--w- c:\windows\ie8
2009-10-09 05:24 . 2009-10-09 05:26 -------- d-----w- c:\program files\The KMPlayer
2009-10-09 04:26 . 2009-10-09 04:27 -------- d-----w- c:\program files\DivX
2009-10-09 04:22 . 2009-10-09 04:22 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\WinAVI
2009-10-09 04:21 . 2009-10-09 04:21 -------- d-----w- c:\program files\WinAVI Video Converter
2009-10-09 00:51 . 2009-10-09 00:51 -------- d-----w- c:\program files\RealVNC
2009-10-09 00:24 . 2009-08-29 08:08 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2009-10-09 00:24 . 2009-08-29 08:08 1208832 -c----w- c:\windows\system32\dllcache\urlmon.dll
2009-10-09 00:23 . 2008-10-16 01:00 1499136 -c----w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-09 00:23 . 2009-08-29 08:08 5940224 -c----w- c:\windows\system32\dllcache\mshtml.dll
2009-10-08 03:59 . 2009-10-08 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2009-10-08 03:59 . 2009-10-23 02:10 14364 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-08 03:57 . 2009-10-08 03:59 -------- d-----w- c:\documents and settings\John\Application Data\Digsby
2009-10-08 03:57 . 2009-10-08 03:59 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Digsby
2009-10-08 03:56 . 2009-10-08 03:58 -------- d-----w- c:\program files\Digsby
2009-10-08 03:54 . 2009-10-08 03:54 -------- d-----w- c:\documents and settings\John\Application Data\TeraCopy
2009-10-08 03:33 . 2009-10-08 03:33 0 ----a-w- c:\windows\nsreg.dat
2009-10-08 03:32 . 2009-10-08 03:32 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Mozilla
2009-10-08 03:32 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-08 03:30 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-08 03:30 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-08 03:30 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-08 03:30 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-08 03:30 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-08 03:30 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-08 03:29 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-08 03:29 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-08 03:29 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-08 03:29 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-08 03:29 . 2009-06-22 06:44 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2009-10-08 03:23 . 2009-10-08 03:23 -------- d-----w- c:\program files\Defraggler
2009-10-08 03:23 . 2009-10-08 03:23 -------- d-----w- c:\program files\FreeFileSync
2009-10-08 03:20 . 2009-10-08 03:20 -------- d-----w- c:\program files\VS Revo Group
2009-10-08 03:20 . 2009-10-08 03:20 -------- d-----w- c:\program files\CCleaner
2009-10-08 03:15 . 2009-10-08 03:15 -------- d-----w- c:\program files\TeraCopy
2009-10-08 03:15 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-08 03:08 . 2009-10-08 03:08 -------- d-----w- c:\windows\system32\scripting
2009-10-08 03:08 . 2009-10-08 03:08 -------- d-----w- c:\windows\system32\en
2009-10-08 03:08 . 2009-10-08 03:08 -------- d-----w- c:\windows\system32\bits
2009-10-08 03:08 . 2009-10-08 03:08 -------- d-----w- c:\windows\l2schemas
2009-10-08 03:08 . 2009-10-22 03:07 14080 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 03:07 . 2009-10-08 03:07 -------- d-----w- c:\windows\ServicePackFiles
2009-10-08 03:03 . 2009-10-08 03:03 -------- d-----w- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 01:28 . 2009-10-07 19:18 -------- d-----w- c:\program files\Common Files
2009-10-22 23:23 . 2009-10-08 03:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-22 23:23 . 2009-10-08 03:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-22 23:23 . 2009-10-08 03:22 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-22 23:23 . 2009-10-08 03:22 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-10-22 23:23 . 2009-10-08 03:22 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-16 04:30 . 2009-10-16 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-16 04:30 . 2009-10-16 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:29 . 2009-10-16 04:28 -------- d-----w- c:\program files\iTunes
2009-10-16 04:29 . 2009-10-16 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 04:28 . 2009-10-16 04:21 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 04:28 . 2009-10-16 04:22 -------- d-----w- c:\program files\Bonjour
2009-10-16 04:22 . 2009-10-16 04:22 -------- d-----w- c:\program files\QuickTime
2009-08-26 08:00 . 2007-09-03 15:41 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-12 07:36 . 2009-08-12 07:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-12 07:36 . 2009-08-12 07:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-12 07:36 . 2009-08-12 07:36 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-08-07 02:24 . 2009-10-08 02:42 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2009-10-08 02:42 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2009-10-08 02:51 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-10-08 02:42 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-10-08 02:42 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2007-09-03 15:40 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2009-10-08 02:42 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-10-08 02:42 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2007-09-03 15:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2007-09-03 15:41 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:37 . 2007-09-03 15:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2007-09-03 15:40 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 23:44 . 2009-07-26 23:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-22 2010904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-08 03:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/7/2009 8:22 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/7/2009 8:22 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/7/2009 8:22 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/7/2009 8:22 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [10/22/2009 4:23 PM 2321208]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/7/2009 8:22 PM 30104]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_D eviceS(1).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_D eviceS(2).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_D eviceS(3).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_D eviceS(4).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_D eviceS(5).sys [10/11/2009 9:45 PM 25704]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/7/2009 8:22 PM 30104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 20:51]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6j7cc6pq.default\
FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6j7cc6pq.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6j7cc6pq.default\extensions\ietab@ip.cn\plugi ns\npCoralIETab.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\WININET.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-24 18:30
ComboFix-quarantined-files.txt 2009-10-24 01:30

Pre-Run: 116,464,672,768 bytes free
Post-Run: 116,487,667,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A043C2F21A25C1FC85D44F35A1364DB2


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:36 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\My Mobile\MyMobiler\MyMobiler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1254970250046
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4281 bytes
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
27-Oct-2009, 01:16 AM #4
bump...
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
28-Oct-2009, 05:15 PM #5
Sorry about the wait, i missed your reply.


Please delete your current copy of ComboFix, it has been updated to better deal with this infection.


Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
28-Oct-2009, 10:06 PM #6
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:53 PM, on 10/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1254970250046
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 4079 bytes

***ComboFix log had to be attached because it was too large to post in reply
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
07-Nov-2009, 04:06 PM #7
bump...
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
07-Nov-2009, 04:29 PM #8
lets see if anymore copies of atapi.sys are on your system. I don't see any evidence being on your system anymore, but we still need to check.

Sorry for the delay.

Open notepad and copy/paste the text in the codebox below into it:
Code:
@echo off
cls
echo................Searching for File..............
echo...............Please be patient................
dir /a d /s "%systemdrive%\atapi.sys" > log.txt
notepad log.txt
del %0
Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Double click on search.bat & allow it to run
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
07-Nov-2009, 05:04 PM #9
I still receive warnings from AVG stating the Rootkit is still present. I just scanned the c:\windows folder and it still detects it. I attached a screen shot.

Would a fresh install solve this??

===============================================
Volume in drive C has no label.
Volume Serial Number is BCE8-5918

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/03/2004 03:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 11:40 AM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of C:\WINDOWS\system32\drivers

04/13/2008 11:40 AM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
3 File(s) 288,384 bytes
0 Dir(s) 62,861,500,416 bytes free
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Last edited by loudjp; 07-Nov-2009 at 05:23 PM..
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
07-Nov-2009, 08:45 PM #10
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to move:
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
07-Nov-2009, 09:17 PM #11
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\atapi.sys|C:\WINDOWS\system32\drivers\ata pi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
==============================================
I think that did the trick. I just ran another scan and it did not detect any infections! Thanks
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
07-Nov-2009, 09:53 PM #12
lets clean up some of the tools

Go to Start ---> Run ---> Type [/b]ComboFix /u[/b] and press Enter.
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
08-Nov-2009, 01:06 AM #13
ComboFix 09-11-07.02 - John 11/07/2009 21:56.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -7:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-07 16:31 . 2009-11-07 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMonkey
2009-11-02 04:25 . 2009-11-02 04:25 -------- d-----w- C:\_OTL
2009-11-02 04:12 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-01 18:15 . 2009-11-01 18:15 -------- d-----w- c:\documents and settings\John\Application Data\UltraVNC
2009-11-01 18:14 . 2009-11-01 18:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-01 18:13 . 2009-11-01 21:51 -------- d-----w- c:\program files\UltraVNC
2009-10-31 23:40 . 2009-10-31 23:40 -------- d-----w- c:\documents and settings\John\Application Data\AVG9
2009-10-31 23:25 . 2009-10-31 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Cerberus LLC
2009-10-31 23:22 . 2009-10-31 23:22 -------- d-----w- c:\program files\Cerberus LLC
2009-10-31 02:47 . 2009-10-31 02:47 -------- d--h--w- c:\windows\PIF
2009-10-31 01:35 . 2009-11-01 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 01:35 . 2009-10-31 01:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 03:03 . 2009-10-31 23:31 -------- d-----w- c:\documents and settings\John\Application Data\FileZilla
2009-10-28 03:03 . 2009-10-28 03:03 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-27 23:57 . 2009-11-07 17:30 -------- d-----w- c:\documents and settings\John\Application Data\DVD Flick
2009-10-27 23:57 . 2003-01-26 20:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-10-27 23:57 . 2009-10-27 23:57 -------- d-----w- c:\program files\DVD Flick
2009-10-27 23:46 . 2009-10-22 23:23 3767064 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-10-27 23:46 . 2009-10-22 23:23 2321208 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfws9.exe
2009-10-26 00:58 . 2009-10-26 00:58 -------- d-----w- c:\documents and settings\John\Application Data\Canneverbe_Limited
2009-10-26 00:58 . 2009-10-26 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2009-10-26 00:58 . 2009-09-29 04:57 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-10-26 00:58 . 2009-10-26 00:58 -------- d-----w- c:\program files\CDBurnerXP
2009-10-26 00:54 . 2009-10-26 00:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-26 00:54 . 2009-10-26 00:54 -------- d-----w- c:\program files\MSBuild
2009-10-26 00:54 . 2009-10-26 00:54 -------- d-----w- c:\program files\Reference Assemblies
2009-10-26 00:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-26 00:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-26 00:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-26 00:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-26 00:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-26 00:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-26 00:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-25 21:07 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-25 21:07 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-25 21:07 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-10-25 21:07 . 2009-10-13 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-25 21:07 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-10-25 21:07 . 2009-10-25 21:07 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-25 17:03 . 2009-10-25 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-25 17:03 . 2009-10-25 17:03 -------- d-----w- c:\program files\DVD Shrink
2009-10-25 16:59 . 2009-10-25 16:59 -------- d-----w- c:\documents and settings\John\.dvdcss
2009-10-25 04:08 . 2009-10-25 04:08 -------- d-sh--w- c:\documents and settings\John\IECompatCache
2009-10-25 04:05 . 2009-10-25 04:05 -------- d-sh--w- c:\documents and settings\John\PrivacIE
2009-10-25 04:05 . 2009-10-25 04:05 -------- d-----w- c:\program files\Digiarty
2009-10-24 04:07 . 2009-11-04 05:03 -------- d-----w- c:\program files\PeerGuardian2
2009-10-22 01:30 . 2009-06-01 20:51 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2009-10-22 01:30 . 2009-10-22 01:30 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-10-20 22:43 . 2009-10-20 22:43 -------- d-----w- c:\program files\Trend Micro
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\documents and settings\John\Application Data\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Common Files\Nitro PDF
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\program files\Common Files\BCL Technologies
2009-10-20 05:14 . 2009-10-20 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- c:\windows\Downloaded Installations
2009-10-20 05:02 . 2009-10-20 05:02 -------- d-----w- c:\documents and settings\John\Application Data\InfraRecorder
2009-10-20 05:01 . 2009-10-20 05:01 -------- d-----w- c:\program files\InfraRecorder
2009-10-20 03:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-20 03:45 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-20 03:45 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-20 03:45 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-17 22:41 . 2009-10-17 22:41 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Identities
2009-10-17 17:32 . 2009-10-17 17:32 -------- d-----w- c:\windows\Sun
2009-10-17 17:31 . 2009-10-17 17:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-17 17:31 . 2009-10-17 17:31 -------- d-----w- c:\program files\Java
2009-10-17 17:31 . 2009-10-17 17:31 152576 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-16 04:29 . 2009-10-16 04:58 -------- d-----w- c:\documents and settings\John\Application Data\Apple Computer
2009-10-16 04:29 . 2009-05-18 21:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-16 04:29 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-16 04:28 . 2009-10-16 04:28 -------- d-----w- c:\program files\iPod
2009-10-16 04:20 . 2009-11-07 22:09 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Apple Computer
2009-10-16 01:15 . 2009-11-01 04:56 -------- d-----w- c:\windows\system32\LogFiles
2009-10-15 23:22 . 2009-10-15 23:23 -------- d-----w- c:\program files\My Mobile
2009-10-15 23:13 . 2009-10-15 23:13 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-14 00:18 . 2009-10-14 00:18 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-10-14 00:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 00:17 . 2009-10-14 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 00:17 . 2009-10-14 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 00:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 00:05 . 2009-10-14 00:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-14 00:05 . 2009-10-14 00:05 -------- d-----w- c:\program files\uTorrent
2009-10-14 00:05 . 2009-11-05 01:50 -------- d-----w- c:\documents and settings\John\Application Data\uTorrent
2009-10-12 04:57 . 2009-10-13 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2009-10-12 04:45 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2009-10-12 04:44 . 2009-09-01 17:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-10-12 04:44 . 2009-10-12 04:44 -------- d-----w- c:\program files\Daniusoft
2009-10-11 21:17 . 2009-10-11 21:17 -------- d-----w- c:\program files\ImTOO
2009-10-10 21:43 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-10 21:43 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-10 14:50 . 2009-10-10 14:50 -------- d-----w- c:\documents and settings\John\Application Data\Foxit
2009-10-10 14:50 . 2009-10-20 01:00 -------- d-----w- c:\program files\Foxit Software
2009-10-10 04:27 . 2009-10-10 04:27 -------- d-sh--w- c:\documents and settings\John\IETldCache
2009-10-10 04:24 . 2009-10-10 04:24 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Google
2009-10-10 04:24 . 2009-10-17 15:36 -------- d-----w- c:\program files\Google
2009-10-10 04:17 . 2009-10-10 04:27 -------- d-----w- c:\documents and settings\John\Tracing
2009-10-10 04:16 . 2009-10-10 04:16 -------- d-----w- c:\program files\Microsoft
2009-10-10 04:16 . 2009-10-10 04:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-10 04:15 . 2009-10-10 04:16 -------- d-----w- c:\program files\Windows Live
2009-10-10 04:13 . 2009-10-10 04:13 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-10 03:33 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-10 03:32 . 2009-10-10 03:33 -------- d-----w- c:\windows\ie8updates
2009-10-10 03:32 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-10 03:32 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-10 03:32 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-10 03:32 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-10 03:32 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-10 03:32 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-10 03:31 . 2009-10-10 03:32 -------- dc-h--w- c:\windows\ie8
2009-10-09 05:24 . 2009-10-26 05:00 -------- d-----w- c:\program files\The KMPlayer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 01:51 . 2009-10-08 03:56 -------- d-----w- c:\program files\Digsby
2009-10-28 00:35 . 2009-10-08 03:59 14716 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-26 00:58 . 2009-10-08 03:08 14080 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 00:42 . 2009-10-08 03:22 -------- d-----w- c:\program files\MediaMonkey
2009-10-22 23:23 . 2009-10-08 03:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-22 23:23 . 2009-10-08 03:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-22 23:23 . 2009-10-08 03:22 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-22 23:23 . 2009-10-08 03:22 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-10-22 23:23 . 2009-10-08 03:22 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-16 04:30 . 2009-10-16 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-16 04:30 . 2009-10-16 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:29 . 2009-10-16 04:28 -------- d-----w- c:\program files\iTunes
2009-10-16 04:29 . 2009-10-16 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 04:28 . 2009-10-16 04:21 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 04:28 . 2009-10-16 04:22 -------- d-----w- c:\program files\Bonjour
2009-10-16 04:22 . 2009-10-16 04:22 -------- d-----w- c:\program files\QuickTime
2009-10-16 04:21 . 2009-10-16 04:21 -------- d-----w- c:\program files\Apple Software Update
2009-10-09 04:27 . 2009-10-09 04:26 -------- d-----w- c:\program files\DivX
2009-10-09 04:21 . 2009-10-09 04:21 -------- d-----w- c:\program files\WinAVI Video Converter
2009-10-08 03:59 . 2009-10-08 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2009-10-08 03:59 . 2009-10-08 03:57 -------- d-----w- c:\documents and settings\John\Application Data\Digsby
2009-10-08 03:54 . 2009-10-08 03:54 -------- d-----w- c:\documents and settings\John\Application Data\TeraCopy
2009-10-08 03:33 . 2009-10-08 03:33 0 ----a-w- c:\windows\nsreg.dat
2009-10-08 03:23 . 2009-10-08 03:23 -------- d-----w- c:\program files\Defraggler
2009-10-08 03:23 . 2009-10-08 03:23 -------- d-----w- c:\program files\FreeFileSync
2009-10-08 03:22 . 2009-10-08 03:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-08 03:22 . 2009-10-08 03:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-08 03:22 . 2009-10-08 03:22 -------- d-----w- c:\program files\AVG
2009-10-08 03:22 . 2009-10-08 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-08 03:20 . 2009-10-08 03:20 -------- d-----w- c:\program files\VS Revo Group
2009-10-08 03:20 . 2009-10-08 03:20 -------- d-----w- c:\program files\CCleaner
2009-10-08 03:15 . 2009-10-08 03:15 -------- d-----w- c:\program files\TeraCopy
2009-10-08 03:10 . 2009-10-08 02:44 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-08 02:45 . 2009-10-08 02:45 -------- d-----w- c:\program files\microsoft frontpage
2009-10-08 02:42 . 2009-10-08 02:42 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-07 19:19 . 2009-10-07 19:19 -------- d-----w- c:\program files\Analog Devices
2009-09-22 00:09 . 2009-09-22 00:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-04 21:03 . 2007-09-03 15:40 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-09-03 15:41 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-10-16 04:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-10-16 04:21 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2007-09-03 15:41 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-12 07:36 . 2009-08-12 07:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-12 07:36 . 2009-08-12 07:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-12 07:36 . 2009-08-12 07:36 1060864 ----a-w- c:\windows\system32\MFC71.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_05.20.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-03 15:41 . 2009-11-06 03:30 67312 c:\windows\system32\perfc009.dat
+ 2007-09-03 15:41 . 2009-11-07 17:51 67312 c:\windows\system32\perfc009.dat
+ 2007-09-03 15:41 . 2009-11-07 17:51 432356 c:\windows\system32\perfh009.dat
- 2007-09-03 15:41 . 2009-11-06 03:30 432356 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-22 2010904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-08 03:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cerberus LLC\\Cerberus FTP Server\\CerberusGUI.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/7/2009 8:22 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/7/2009 8:22 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/7/2009 8:22 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/7/2009 8:22 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [10/22/2009 4:23 PM 2321720]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/7/2009 8:22 PM 30104]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_D eviceS(1).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_D eviceS(2).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_D eviceS(3).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_D eviceS(4).sys [10/11/2009 9:44 PM 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_D eviceS(5).sys [10/11/2009 9:45 PM 25704]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/7/2009 8:22 PM 30104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 20:51]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6j7cc6pq.default\
FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6j7cc6pq.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\John\LOCALS~1\Temp\RGI74.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-11-08 22:01
ComboFix-quarantined-files.txt 2009-11-08 05:01
ComboFix2.txt 2009-11-07 05:22

Pre-Run: 65,446,998,016 bytes free
Post-Run: 65,420,230,656 bytes free

- - End Of File - - 413E9BE036FBA3CEAFB27E97EB205B77
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
  
Join Date: Sep 2005
Location: Florida
Experience: Advanced
08-Nov-2009, 05:05 PM #14
sorry that was my bad

please type this into your Run command box.

ComboFix /u
loudjp's Avatar
Member with 98 posts.
  
Join Date: Aug 2002
Location: AZ
08-Nov-2009, 06:26 PM #15
combofix uninstalled
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 01:55 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.