
I can't run my antivirus

#1 ·
I have tried to run several different antivirus and antispyware programs and I keep getting an error that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Please help. I tried to run HijackThis and got the same error, so I cannot post a log file yet. I also tried to get into Safe Mode, but it keeps restarting and won't boot into Safe Mode.
 
#2 ·
Hello there! Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Please download Win32kDiag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

  1. Double-click on Win32kDiag.exe to run it. If you are using Windows Vista, please right-click it and select Run As Administrator.
  2. A black command prompt window will appear.
  3. It will now begin to scan. This may take a while; please be patient until the scan is complete.
  4. Once it's done, the black window will say "Finished! Press any key to exit....". Press any key to exit.
  5. A log file called Win32kDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply.
 
#3 ·
Running from: C:\Documents and Settings\Glenn\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Glenn\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP190.tmp\ZAP190.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25E.tmp\ZAP25E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35E.tmp\ZAP35E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP374.tmp\ZAP374.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\EffectResources\FT\FT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2006-02-28 04:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[2] 2006-02-28 04:00:00 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Finished!

Thanks for your help. I look forward to your reply.
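As an added example (not code from the thread and not part of Win32kDiag itself), here is a small Python parser for the Win32kDiag output format in the log above. It picks out reparse points whose target is not a normal volume path, like the \Device\__max++>\^ destinations in the log, and compares each file the tool could not open against the other copies it listed, reading the size mismatch and the missing vendor string the way a helper would. The sample log is a constructed excerpt; the assumption that legitimate XP junctions store \??\-style targets is mine, not the thread's.

```python
"""Reading a Win32kDiag log: flag rootkit-style reparse points and in-place
system files that differ from the clean copies the tool found elsewhere.
Added example, not code from the thread or from Win32kDiag itself."""
import re

# Constructed excerpt in Win32kDiag's output format (blank lines between
# entries omitted); paths, sizes and timestamps mirror the posted log.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2006-02-28 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[2] 2006-02-28 04:00:00 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# [flag] date time size path (company); the company field is empty when
# the tool could not read the file's version information.
COPY_RE = re.compile(
    r"^\[(\d)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")

def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): (directory, target) pairs, and a
    map from each file the tool could not open to the copies listed below it."""
    mount_points, inaccessible = [], {}
    pending_dir, current_file = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending_dir = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_dir:
            mount_points.append((pending_dir, m.group(1)))
            pending_dir = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current_file = m.group(1)
            inaccessible[current_file] = []
            continue
        m = COPY_RE.match(line)
        if m and current_file:
            _flag, stamp, size, path, company = m.groups()
            inaccessible[current_file].append(
                {"stamp": stamp, "size": int(size), "path": path, "company": company})
        # Blank lines, the banner and the "Removing ..." lines of a -f -r run are skipped.
    return mount_points, inaccessible

def bogus_mount_points(mount_points):
    r"""Assumption: a legitimate XP junction or volume mount point stores its
    target as a '\??\...' path. A target such as '\Device\__max++>\^' is not a
    file-system location at all, so the directory cannot be traversed."""
    return [(d, t) for d, t in mount_points if not t.startswith("\\??\\")]

def assess_inaccessible(inaccessible):
    """Compare each unreadable file's in-place entry with the other copies.
    A size matching no vendor-stamped copy is the strong signal (the posted
    eventlog.dll is 61952 bytes against 56320 for its backups); an empty
    company string alone may only mean the file could not be read."""
    verdicts = {}
    for target, copies in inaccessible.items():
        live = [c for c in copies if c["path"].lower() == target.lower()]
        others = [c for c in copies if c["path"].lower() != target.lower()]
        if not live:
            verdicts[target] = {"verdict": "no in-place entry listed", "replacement": None}
            continue
        live = live[0]
        stamped_sizes = {c["size"] for c in others if c["company"]}
        # A vendor-stamped copy with the same build timestamp is the natural
        # clean replacement (ComboFix restored from ServicePackFiles\i386).
        same_build = [c["path"] for c in others
                      if c["company"] and c["stamp"] == live["stamp"]]
        if not stamped_sizes:
            verdict = "no vendor-stamped copy to compare against"
        elif live["size"] not in stamped_sizes:
            verdict = "size matches no vendor-stamped copy: likely patched in place"
        elif not live["company"]:
            verdict = "size matches a backup but version info unreadable: verify by hash"
        else:
            verdict = "consistent with backups"
        verdicts[target] = {"verdict": verdict, "size": live["size"],
                            "replacement": same_build[0] if same_build else None}
    return verdicts

def summarize(text=SAMPLE_LOG):
    mounts, files = parse_win32kdiag(text)
    return {"bogus_mounts": bogus_mount_points(mounts),
            "files": assess_inaccessible(files)}
```

Run summarize() on the contents of a real Win32kDiag.txt to get the same two lists the helper read off by eye: the reparse points to remove and the system files whose in-place copy should be replaced from a clean backup.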
 
#4 ·
Alright, I can see what's wrong now. Please do the following:

STEP 1

Please delete your version of Win32kDiag.exe (along with the old Win32kDiag.txt file that was created) and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start -> Run, copy-paste the following command into the "Open" box, and click OK. (If you use Vista, just paste it into the text box that appears next to your Start button.)

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

STEP 2

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
#5 ·
OK, here are the logs.

Running from: C:\Documents and Settings\Glenn\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Glenn\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP190.tmp\ZAP190.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP190.tmp\ZAP190.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25E.tmp\ZAP25E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25E.tmp\ZAP25E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35E.tmp\ZAP35E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35E.tmp\ZAP35E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP374.tmp\ZAP374.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP374.tmp\ZAP374.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\EffectResources\FT\FT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\EffectResources\FT\FT

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[2] 2006-02-28 04:00:00 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\History\Results\Results

Found mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Finished!

______________________________________________________
 
#6 ·
ComboFix 09-11-08.03 - Glenn 11/08/2009 21:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1453 [GMT -8:00]
Running from: c:\documents and settings\Glenn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Glenn\Application Data\inst.exe
c:\program files\INSTALL.LOG

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-08 23:41 . 2009-11-08 23:41 -------- d-----w- c:\documents and settings\Glenn\Application Data\QuickScan
2009-11-08 23:41 . 2009-10-29 23:39 679936 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-11-08 23:41 . 2009-10-29 23:39 614400 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-11-08 23:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-08 22:29 . 2009-11-08 22:29 -------- d-----w- c:\documents and settings\Glenn\Application Data\AVG8
2009-11-08 22:07 . 2009-11-08 22:07 -------- d-----w- c:\program files\Trend Micro
2009-11-08 22:03 . 2009-11-08 22:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-08 16:59 . 2009-11-08 23:31 0 ----a-r- c:\windows\win32k.sys
2009-11-07 18:04 . 2009-10-28 01:44 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-29 02:03 . 2009-10-29 02:03 -------- d-----w- C:\.jagex_cache_32
2009-10-28 22:34 . 2009-11-05 03:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-10-28 22:28 . 2009-10-28 22:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-28 22:23 . 2009-10-28 22:23 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-10-28 22:23 . 2009-10-28 22:23 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-10-28 22:23 . 2009-10-28 22:23 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-28 22:23 . 2009-10-28 22:23 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-10-28 22:23 . 2009-10-28 22:23 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-10-28 22:22 . 2009-10-28 22:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-28 22:22 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-28 02:26 . 2009-10-28 02:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 02:26 . 2009-10-28 02:26 -------- d-----w- c:\windows\DQ Tycoon
2009-10-28 02:21 . 2009-10-28 02:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-28 01:36 . 2009-10-28 01:36 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-17 21:27 . 2009-10-17 21:27 -------- d-----w- c:\program files\PC-home
2009-10-17 21:10 . 2009-10-28 02:26 -------- d-----w- c:\program files\DQ Tycoon
2009-10-17 11:07 . 2009-10-17 11:07 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-10-16 17:05 . 2009-10-16 17:04 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-11 06:18 . 2009-10-11 06:23 -------- d-----w- c:\program files\Xobni

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 05:07 . 2009-04-05 17:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-08 22:36 . 2008-05-26 16:04 -------- d-----w- c:\program files\AVG
2009-11-08 22:35 . 2008-05-26 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-08 22:14 . 2009-04-05 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 22:13 . 2009-04-05 17:13 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-08 17:57 . 2008-05-26 21:15 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-08 17:48 . 2008-05-26 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-11-08 17:45 . 2008-05-23 23:21 -------- d-----w- c:\program files\SlySoft
2009-11-08 17:41 . 2009-04-05 17:25 117760 ----a-w- c:\documents and settings\Glenn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-08 17:16 . 2008-08-06 07:47 -------- d-----w- c:\documents and settings\Glenn\Application Data\Vso
2009-11-08 17:16 . 2009-08-07 05:38 -------- d-----w- c:\program files\DVDFab 6
2009-11-04 01:27 . 2008-07-24 21:25 38 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences.dat
2009-11-04 00:51 . 2009-09-04 14:43 63 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences2.dat
2009-11-01 23:56 . 2008-01-26 00:16 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-01 23:25 . 2008-01-26 00:17 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-28 02:45 . 2008-01-29 16:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-25 01:13 . 2008-07-28 02:30 -------- d-----w- c:\program files\ee
2009-10-17 21:26 . 2009-04-21 06:58 -------- d-----w- c:\documents and settings\Glenn\Application Data\Azureus
2009-10-11 06:19 . 2009-04-21 14:41 10686001 ----a-w- c:\documents and settings\Glenn\Application Data\Azureus\plugins\azump\mplayer.exe
2009-10-11 06:16 . 2009-04-21 06:58 -------- d-----w- c:\program files\Vuze
2009-09-28 18:20 . 2009-09-28 18:20 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57 . 2009-09-26 17:57 25768 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-23 12:55 . 2009-07-02 21:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-21 21:28 . 2009-09-21 21:28 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-21 21:28 . 2009-08-28 06:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-21 21:28 . 2009-09-21 21:28 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-21 21:28 . 2009-09-21 21:28 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-21 21:28 . 2009-07-02 21:27 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-20 19:44 . 2009-01-20 22:59 -------- d-----w- c:\documents and settings\Glenn\Application Data\Move Networks
2009-09-19 21:07 . 2009-09-19 20:57 126970 ----a-w- c:\documents and settings\Glenn\Application Data\Move Networks\uninstall.exe
2009-09-19 21:07 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-19 16:22 . 2008-01-25 06:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-15 01:58 . 2008-01-25 07:24 65256 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-04-05 17:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-04-05 17:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 20:32 . 2009-09-09 20:32 10134 ----a-r- c:\documents and settings\Glenn\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 18:02 . 2008-05-26 16:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 18:02 . 2008-05-26 16:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 18:02 . 2008-01-25 01:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2001-11-05 17:30 . 2008-01-25 04:45 165376 ----a-w- c:\program files\UNWISE.EXE
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-26 21:18 . 2008-05-26 21:06 24 --sh--w- c:\windows\S22E9CA8D.tmp
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[-] 2008-04-13 18:40 . A5AD8AAD1269649BE1C44AD301608995 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-15 2000112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-28 788368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-5-20 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 18:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KITCHEN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wsmkatwtt"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"OneTouch 4.0 Monitor"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\ee\\Empire Earth.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/2/2009 1:28 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/8/2009 3:38 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 4:27 PM 297752]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [1/25/2008 2:00 PM 12160]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1179232]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 jfdcd;jfdcd;\??\c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys --> c:\windows\system32\drivers\vmfilter303.sys [?]
S4 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [1/26/2005 11:39 AM 118784]
S4 Wsmkatwtt;Wsmkatwtt; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Atomic Email Hunter - c:\program files\AtomPark\Atomic Email Hunter\ie.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2009-11-09 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 05:19

Pre-Run: 41,014,030,336 bytes free
Post-Run: 42,463,776,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - E78EB0B6894C6B8983C4A35F5D3C9B96
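The helper's read of this log (the unsigned atapi.sys in the Sigcheck block, the two services loading from the user's Temp folder, the service with no image at all, and the 0-byte win32k.sys sitting in c:\windows instead of system32) is the kind of check that can be written down and re-run on the next log. The script below is an added example for this thread, not part of ComboFix or of any post here: it parses the three ComboFix line formats involved and returns findings. The sample lines are copied from the log above; the severity labels and the KNOWN_KERNEL_FILES set are this example's own assumptions.

```python
r"""Triage of a ComboFix log excerpt.

Added example for this thread; it is not part of ComboFix or of the posts.
It applies, as code, the checks made by eye on the log: a Sigcheck entry
("[-]") whose MD5 differs from the verified service-pack copy of the same
file, services or drivers whose image lives in a Temp folder or has no
image at all ("[x]"), and a 0-byte or misplaced copy of a core kernel
file.  SAMPLE_LOG is constructed from lines in the log above; severity
labels and KNOWN_KERNEL_FILES are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
2009-11-08 16:59 . 2009-11-08 23:31 0 ----a-r- c:\windows\win32k.sys
2009-10-17 11:07 . 2009-10-17 11:07 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . A5AD8AAD1269649BE1C44AD301608995 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:04 AM 335240]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 jfdcd;jfdcd;\??\c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys [?]
S4 Wsmkatwtt;Wsmkatwtt; [x]
"""

# "[7] date . MD5 . size . . [version] . . path"  ("[-]" = signature/catalog check failed)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+\S+(?:\s+\S+)?\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
# "R1 name;display;image [details]"  (R = running, S = stopped, digit = start type)
SERVICE_RE = re.compile(r"^(?P<start>[RS])(?P<type>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^\s*(?P<path>.*?)\s*(?:-->.*?)?\s*\[(?P<tag>[^\]]*)\]\s*$")
# "created . modified size attrs path"  (size is "--------" for directories)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+?)\s*$")

# Names this era's kernel-mode malware liked to replace or impersonate (assumption; extend as needed).
KNOWN_KERNEL_FILES = {"win32k.sys", "atapi.sys", "ntoskrnl.exe", "hal.dll", "ndis.sys"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": look before acting
    path: str
    reason: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def version_key(ver):
    try:
        return tuple(int(p) for p in ver.split("."))
    except ValueError:          # "[------]" on an unverified file
        return ()


def check_service(m):
    pm = IMAGE_RE.match(m["rest"])
    path, tag = (pm["path"], pm["tag"]) if pm else (m["rest"].strip(), "")
    name = m["name"]
    if not path:
        return [Finding("high", name, f"service {name} has no image path at all ([x])")]
    if "\\temp\\" in path.lower():
        return [Finding("high", path, f"service {name} loads its image from a Temp directory")]
    if tag == "?":
        return [Finding("review", path, f"service {name} points at a file ComboFix could not find ([?])")]
    return []


def check_file(m):
    path, size = m["path"], m["size"]
    name, directory = basename(path), dirname(path)
    reasons = []
    if name.endswith(".sys") and size == "0":
        reasons.append("0-byte driver file")
    if name in KNOWN_KERNEL_FILES and not directory.endswith(("\\system32", "\\system32\\drivers")):
        reasons.append(f"core system file name {name} outside system32")
    return [Finding("high", path, "; ".join(reasons))] if reasons else []


def check_sigcheck(name, entries):
    """Compare every failed ('[-]') copy of a file with its newest verified copy."""
    verified = [e for e in entries if e["flag"] != "-"]
    if not verified:
        return []
    ref = max(verified, key=lambda e: version_key(e["ver"]))
    out = []
    for e in entries:
        if e["flag"] == "-" and e["md5"].upper() != ref["md5"].upper():
            note = ("same size as the verified copy (a sign of a patched-in-place file)"
                    if e["size"] == ref["size"] else "size differs from the verified copy")
            out.append(Finding("high", e["path"],
                               f"{name} failed Sigcheck: MD5 {e['md5']} != {ref['md5']} "
                               f"({ref['ver']} in {ref['path']}); {note}"))
    return out


def triage(log_text):
    findings, sig_by_name = [], defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            sig_by_name[basename(m["path"])].append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service(m))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(check_file(m))
    for name, entries in sig_by_name.items():
        findings.extend(check_sigcheck(name, entries))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Run against the sample it flags exactly the five items the fix in the next post targets (the live atapi.sys, win32k.sys, SessionLauncher, jfdcd and Wsmkatwtt) and leaves the AVG driver and AnyDVD.sys alone; a driver like SASKUTIL.sys that is merely missing ("[?]") would come back as "review", not "high", because a stale uninstall leaves the same trace.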
 
#7 ·
Good Job :) That seems to have taken care of the main problem. Please do the following:


1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::

File::
c:\windows\win32k.sys
c:\docume~1\Glenn\LOCALS~1\Temp\DX9\Session Launcher.exe
c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys

Driver::
SessionLauncher
jfdcd
Wsmkatwtt

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
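Before posting the new log, a practitioner would want to confirm that the restore actually took. What follows is an added example for this thread, not code from ComboFix or from any post here. It hashes the live atapi.sys against the ServicePackFiles copy the FCopy:: line restores it from (the Sigcheck block above reports that copy as 9F3A2F5AA6875C72BF062C712CFA2674), hashes the Windows File Protection copy in system32\dllcache as well, because XP restores protected files from there and a bad copy would silently undo the fix, and checks that c:\windows\win32k.sys and the two Temp payloads are gone. The Temp check is worth doing by hand here: the File:: line names "Session Launcher.exe" with a space, while the service list above recorded the image as "\DX9\SessionLauncher.exe", so the script may not have matched that file. The folder layout under a temporary directory, the stand-in bytes and the demo() helper are this example's assumptions; on the real machine point it at C:\Windows and the user's Temp folder.

```python
r"""Verifying that the FCopy:: step above took effect.

Added example for this thread, not part of ComboFix or the original posts.
post_fix_report() hashes the live atapi.sys, the service-pack reference it
was copied from and the Windows File Protection cache copy in
system32\dllcache (XP restores protected files from dllcache, so a bad copy
there would undo the fix), and confirms the stray c:\windows\win32k.sys and
the two Temp payloads named in the script are gone.  REFERENCE_MD5 is the
value Sigcheck printed above for the ServicePackFiles copy.  demo() builds
the same layout under a temporary directory with made-up bytes so the logic
runs on any OS; on the real machine pass windows_root=r"C:\Windows" and the
user's Temp folder.
"""
import hashlib
import os
import tempfile

REFERENCE_MD5 = "9F3A2F5AA6875C72BF062C712CFA2674"  # Sigcheck, c:\windows\ServicePackFiles\i386\atapi.sys

# Paths the CFScript acts on, relative to the Windows folder or the user's Temp folder.
LIVE_DRIVER = ("system32", "drivers", "atapi.sys")
REFERENCE_COPY = ("ServicePackFiles", "i386", "atapi.sys")
WFP_CACHE_COPY = ("system32", "dllcache", "atapi.sys")
STRAY_WIN32K = ("win32k.sys",)
TEMP_PAYLOADS = (("DX9", "SessionLauncher.exe"), ("jfdcd.sys",))


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def post_fix_report(windows_root, user_temp, expected_md5=None):
    """Return {check_name: bool}.  With expected_md5=None the service-pack copy is
    trusted as-is; on the real machine pass REFERENCE_MD5 so a tampered reference
    copy is caught as well."""
    def win(parts):
        return os.path.join(windows_root, *parts)
    reference, live, cache = win(REFERENCE_COPY), win(LIVE_DRIVER), win(WFP_CACHE_COPY)
    expected = (expected_md5 or md5_of(reference)).upper()
    return {
        "reference_matches_sigcheck": md5_of(reference) == expected,
        "live_driver_restored": os.path.isfile(live) and md5_of(live) == expected,
        # a missing dllcache copy is fine; a present one must match the reference
        "dllcache_clean": not os.path.isfile(cache) or md5_of(cache) == expected,
        "stray_win32k_removed": not os.path.exists(win(STRAY_WIN32K)),
        "temp_payloads_removed": not any(os.path.exists(os.path.join(user_temp, *p)) for p in TEMP_PAYLOADS),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo(fix_applied):
    """Build a constructed before/after layout in a temp dir and report on it."""
    clean = b"constructed stand-in for the clean 5.1.2600.5512 atapi.sys\n"
    tampered = clean.replace(b"clean", b"dirty")   # same length, as with the file in the log
    with tempfile.TemporaryDirectory() as root:
        windows, temp = os.path.join(root, "Windows"), os.path.join(root, "Temp")
        os.makedirs(temp, exist_ok=True)
        _write(os.path.join(windows, *REFERENCE_COPY), clean)
        _write(os.path.join(windows, *LIVE_DRIVER), clean if fix_applied else tampered)
        _write(os.path.join(windows, *WFP_CACHE_COPY), clean if fix_applied else tampered)
        if not fix_applied:
            _write(os.path.join(windows, *STRAY_WIN32K), b"")
            for p in TEMP_PAYLOADS:
                _write(os.path.join(temp, *p), b"payload")
        return post_fix_report(windows, temp)


if __name__ == "__main__":
    for state in (False, True):
        print("after fix" if state else "before fix", demo(state))
```

If "dllcache_clean" comes back False on the real machine, copy the service-pack file over the dllcache copy too before rebooting; otherwise Windows File Protection can put the bad driver back.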
 
#8 ·
Here is the new CF log.

ComboFix 09-11-08.03 - Glenn 11/08/2009 21:39.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1469 [GMT -8:00]
Running from: c:\documents and settings\Glenn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Glenn\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\Glenn\LOCALS~1\Temp\DX9\Session Launcher.exe"
"c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys"
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\win32k.sys

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JFDCD
-------\Legacy_SESSIONLAUNCHER
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_jfdcd
-------\Service_SessionLauncher
-------\Service_Wsmkatwtt

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-08 23:41 . 2009-11-08 23:41 -------- d-----w- c:\documents and settings\Glenn\Application Data\QuickScan
2009-11-08 23:41 . 2009-10-29 23:39 679936 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-11-08 23:41 . 2009-10-29 23:39 614400 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-11-08 23:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-08 22:29 . 2009-11-08 22:29 -------- d-----w- c:\documents and settings\Glenn\Application Data\AVG8
2009-11-08 22:07 . 2009-11-08 22:07 -------- d-----w- c:\program files\Trend Micro
2009-11-08 22:03 . 2009-11-08 22:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 18:04 . 2009-10-28 01:44 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-29 02:03 . 2009-10-29 02:03 -------- d-----w- C:\.jagex_cache_32
2009-10-28 22:34 . 2009-11-05 03:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-10-28 22:28 . 2009-10-28 22:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-28 22:23 . 2009-10-28 22:23 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-10-28 22:23 . 2009-10-28 22:23 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-10-28 22:23 . 2009-10-28 22:23 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-28 22:23 . 2009-10-28 22:23 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-10-28 22:23 . 2009-10-28 22:23 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-10-28 22:22 . 2009-10-28 22:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-28 22:22 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-28 02:26 . 2009-10-28 02:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 02:26 . 2009-10-28 02:26 -------- d-----w- c:\windows\DQ Tycoon
2009-10-28 02:21 . 2009-10-28 02:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-28 01:36 . 2009-10-28 01:36 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-17 21:27 . 2009-10-17 21:27 -------- d-----w- c:\program files\PC-home
2009-10-17 21:10 . 2009-10-28 02:26 -------- d-----w- c:\program files\DQ Tycoon
2009-10-17 11:07 . 2009-10-17 11:07 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-10-16 17:05 . 2009-10-16 17:04 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-11 06:18 . 2009-10-11 06:23 -------- d-----w- c:\program files\Xobni

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 05:42 . 2009-04-05 17:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-08 22:36 . 2008-05-26 16:04 -------- d-----w- c:\program files\AVG
2009-11-08 22:35 . 2008-05-26 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-08 22:14 . 2009-04-05 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 22:13 . 2009-04-05 17:13 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-08 17:57 . 2008-05-26 21:15 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-08 17:48 . 2008-05-26 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-11-08 17:45 . 2008-05-23 23:21 -------- d-----w- c:\program files\SlySoft
2009-11-08 17:41 . 2009-04-05 17:25 117760 ----a-w- c:\documents and settings\Glenn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-08 17:16 . 2008-08-06 07:47 -------- d-----w- c:\documents and settings\Glenn\Application Data\Vso
2009-11-08 17:16 . 2009-08-07 05:38 -------- d-----w- c:\program files\DVDFab 6
2009-11-04 01:27 . 2008-07-24 21:25 38 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences.dat
2009-11-04 00:51 . 2009-09-04 14:43 63 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences2.dat
2009-11-01 23:56 . 2008-01-26 00:16 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-01 23:25 . 2008-01-26 00:17 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-28 02:45 . 2008-01-29 16:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-25 01:13 . 2008-07-28 02:30 -------- d-----w- c:\program files\ee
2009-10-17 21:26 . 2009-04-21 06:58 -------- d-----w- c:\documents and settings\Glenn\Application Data\Azureus
2009-10-11 06:19 . 2009-04-21 14:41 10686001 ----a-w- c:\documents and settings\Glenn\Application Data\Azureus\plugins\azump\mplayer.exe
2009-10-11 06:16 . 2009-04-21 06:58 -------- d-----w- c:\program files\Vuze
2009-09-28 18:20 . 2009-09-28 18:20 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57 . 2009-09-26 17:57 25768 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-23 12:55 . 2009-07-02 21:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-21 21:28 . 2009-09-21 21:28 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-21 21:28 . 2009-08-28 06:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-21 21:28 . 2009-09-21 21:28 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-21 21:28 . 2009-09-21 21:28 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-21 21:28 . 2009-07-02 21:27 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-20 19:44 . 2009-01-20 22:59 -------- d-----w- c:\documents and settings\Glenn\Application Data\Move Networks
2009-09-19 21:07 . 2009-09-19 20:57 126970 ----a-w- c:\documents and settings\Glenn\Application Data\Move Networks\uninstall.exe
2009-09-19 21:07 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-19 16:22 . 2008-01-25 06:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-15 01:58 . 2008-01-25 07:24 65256 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-04-05 17:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-04-05 17:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 20:32 . 2009-09-09 20:32 10134 ----a-r- c:\documents and settings\Glenn\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 18:02 . 2008-05-26 16:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 18:02 . 2008-05-26 16:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 18:02 . 2008-01-25 01:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2001-11-05 17:30 . 2008-01-25 04:45 165376 ----a-w- c:\program files\UNWISE.EXE
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-26 21:18 . 2008-05-26 21:06 24 --sh--w- c:\windows\S22E9CA8D.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_05.13.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-02-28 12:00 . 2009-11-09 01:04 72922 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-11-09 05:16 72922 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2006-02-28 12:00 . 2009-11-09 05:16 447108 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-11-09 01:04 447108 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-15 2000112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-28 788368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-5-20 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 18:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wsmkatwtt"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"OneTouch 4.0 Monitor"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\ee\\Empire Earth.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/2/2009 1:28 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/8/2009 3:38 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 4:27 PM 297752]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [1/25/2008 2:00 PM 12160]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1179232]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys --> c:\windows\system32\drivers\vmfilter303.sys [?]
S4 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [1/26/2005 11:39 AM 118784]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Atomic Email Hunter - c:\program files\AtomPark\Atomic Email Hunter\ie.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2009-11-09 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 05:52
ComboFix2.txt 2009-11-09 05:19

Pre-Run: 42,488,602,624 bytes free
Post-Run: 42,442,264,576 bytes free

- - End Of File - - 3AC21FE81AE903B9BE79A6117D454C7A
 
#9 ·
Did you disable all those items in msconfig? If you don't know what I'm talking about, then the answer is probably no.

Please do the following:

STEP 1

Please uninstall AVG8 and install its newer version from HERE

To uninstall it go to Start > Control Panel > Add/Remove Programs

STEP 2

For the programs that don't want to run (you get a permissions error), do the following:

Download this program

Drag each of the .exe files that you are unable to run and drop them onto Inherit.exe.

Then wait for it to say "OK". The programs should run fine after doing that.

Note: Dragging shortcuts to Inherit.exe will not work. To see what file a shortcut points to, you will need to right-click the shortcut and select "Properties."
The .exe file that you will have to drag onto Inherit.exe is listed next to "Target".


If Inherit.exe does not fix your problem with a certain program you will have to uninstall and reinstall the malfunctioning program for it to work properly.

STEP 3

Run MalwareBytes AntiMalware

  • Update it by clicking on the Update tab and then on the button.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
#10 ·
OK, so I did what you said and it seems to have worked. My Firefox is working again. Thank you. I am still having a few issues. I had Spybot S&D on my machine before and I have not been able to get it to work again using your suggestions, so I uninstalled it, but the folder won't go away and when I try to reinstall I get an error that says:

C:\Program files\Spybot Search and Destroy\SpybotSD.exe

The existing file is marked as read-only.

Click Retry to remove the read-only attribute and try again, Ignore to skip this file, or abort to cancel the installation.


I clicked Retry like 20 times and nothing happens; the error doesn't go away. If I click Ignore, it finishes the install and gives me another error message that says:

Unable to execute file:
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

CreateProcess failed; code 5.
Access is denied.

Now what should I do? I already tried to manually uncheck the read-only attribute and I clicked Apply, but it keeps going back to read-only by itself.
 
#11 ·
Have you tried deleting the whole folder before installing the new one?

You will have to remove both of these:

C:\Program Files\Spybot - Search & Destroy\
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\

If you can't, have you tried dragging the following onto Inherit? It will fix all permissions, including the read-only permission.

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

Also, let me know when you have the results from step 3.
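Added example, not Inherit.exe's code or anything posted in this thread: a PowerShell function that checks an executable for the two conditions the posts above describe (a permission set that no longer inherits from its folder, and a stuck read-only attribute), reports them, and with -Repair re-enables inheritance, drops explicit Deny entries and clears the attribute. It assumes an NTFS volume and an account that has Full Control on the file; the function name and parameters are my own, and how Inherit.exe itself does its job is not known from the thread.

```powershell
# Added example: report and optionally repair broken NTFS permissions on an
# executable. Not Inherit.exe; assumes NTFS and Full Control on the file.
function Test-ExecutablePermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $Path,
        [switch] $Repair
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found: $p"
                continue
            }
            $item = Get-Item -LiteralPath $p
            $acl  = Get-Acl -LiteralPath $p

            # Inheritance switched off means the file no longer takes its
            # permissions from the parent folder; re-enabling it is what
            # "drag the file onto Inherit.exe" is meant to restore.
            $inheritanceBlocked = $acl.AreAccessRulesProtected

            # The attribute the installer complained about in the post above.
            $readOnly = $item.IsReadOnly

            # Explicit (non-inherited) Deny entries are the usual cause of
            # "Access is denied" / CreateProcess code 5 on an otherwise
            # ordinary program file.
            $denies = @($acl.Access | Where-Object {
                -not $_.IsInherited -and $_.AccessControlType -eq 'Deny'
            })

            $result = [pscustomobject]@{
                Path               = $p
                InheritanceBlocked = $inheritanceBlocked
                ReadOnly           = $readOnly
                ExplicitDenyCount  = $denies.Count
                Repaired           = $false
            }

            if ($Repair -and ($inheritanceBlocked -or $readOnly -or $denies.Count -gt 0)) {
                # Remove explicit Deny entries, then turn inheritance back on.
                # SetAccessRuleProtection($false, $true): not protected,
                # keep the explicit Allow entries that are already there.
                foreach ($rule in $denies) { [void] $acl.RemoveAccessRule($rule) }
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -LiteralPath $p -AclObject $acl

                if ($readOnly) { $item.IsReadOnly = $false }
                $result.Repaired = $true
            }
            $result
        }
    }
}

# Usage with the path from the post above (report only, then repair):
# Test-ExecutablePermissions 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe'
# Test-ExecutablePermissions 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe' -Repair
```

Run the report form a second time a minute after a repair: if ReadOnly or the Deny entries have come back, as the poster saw with the attribute, something still running is resetting them and the scans in step 3 need to finish before the repair will hold.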
 
#12 ·
OK, I was able to finally remove the file. Here is the log from step 3.

Malwarebytes' Anti-Malware 1.41
Database version: 3131
Windows 5.1.2600 Service Pack 3

11/9/2009 6:53:15 AM
mbam-log-2009-11-09 (06-53-15).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 455342
Time elapsed: 1 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B66D4D54-A71F-4A91-8AAC-82F38AA40D3B}\RP750\A0110071.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B66D4D54-A71F-4A91-8AAC-82F38AA40D3B}\RP750\A0110087.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
 
#13 ·
Excellent. Let's run an online scanner to be absolutely sure you're clean. This will take a while but it's worth it as it can often find things all other scans will miss.

STEP 1

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your computer after installing.

STEP 2

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
 
#14 ·
Sorry it took me so long to get back to you. Here is the log file you requested. Thank you for your help.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 09, 2009 04:01:21
Records in database: 3346133
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\
L:\

Scan statistics:
Objects scanned: 398147
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 21:38:16


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\System Volume Information\_restore{B66D4D54-A71F-4A91-8AAC-82F38AA40D3B}\RP750\A0110185.sys Infected: Rootkit.Win32.TDSS.y 1
F:\My Pictures\My Pictures\Kodak Pictures\web\yahoo\braless group\future posts\SoT5.jpg Infected: Trojan-Clicker.HTML.IFrame.rp 1
J:\filestorage bckup\My Pictures\My Pictures\Kodak Pictures\web\yahoo\braless group\future posts\SoT5.jpg Infected: Trojan-Clicker.HTML.IFrame.rp 1

Selected area has been scanned.
 
#15 ·
Please delete these two copies of the same file:

F:\My Pictures\My Pictures\Kodak Pictures\web\yahoo\braless group\future posts\SoT5.jpg
J:\filestorage bckup\My Pictures\My Pictures\Kodak Pictures\web\yahoo\braless group\future posts\SoT5.jpg

How's the computer running?
 
#17 ·
It's possible you got reinfected. Please double-click on ComboFix.exe to run it.

Attach C:\ComboFix.txt to your next reply for me.
 
#19 ·
ComboFix was taken off the market yesterday because of a major bug.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
 
#20 ·
Host Name: INTEGRITY
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Glenn Woodruff
Registered Organization: Integrity Home Services
Product ID: 76487-OEM-0068383-16209
Original Install Date: 1/24/2008, 4:07:38 PM
System Up Time: 0 Days, 11 Hours, 51 Minutes, 2 Seconds
System Manufacturer: System manufacturer
System Model: System Product Name
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 43 Stepping 1 AuthenticAMD ~2004 Mhz
BIOS Version: A M I - 3000607
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,343 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: HOME
Logon Server: \\INTEGRITY
Hotfix(s): 215 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: File 1
[86]: File 1
[87]: File 1
[88]: File 1
[89]: File 1
[90]: File 1
[91]: File 1
[92]: File 1
[93]: File 1
[94]: File 1
[95]: File 1
[96]: File 1
[97]: Q147222
[98]: M953297 - Update
[99]: S867460 - Update
[100]: Q936181
[101]: Q954430
[102]: Q973688
[103]: IDNMitigationAPIs - Update
[104]: NLSDownlevelMapping - Update
[105]: KB929399
[106]: KB952069_WM9
[107]: KB954155_WM9
[108]: KB968816_WM9
[109]: KB973540_WM9
[110]: KB936782_WMP11
[111]: KB939683
[112]: KB954154_WM11
[113]: KB959772_WM11
[114]: KB925398_WMP64
[115]: KB936782_WMP9
[116]: KB932471 - Update
[117]: KB941569
[118]: KB938127-IE7 - Update
[119]: KB942615-IE7 - Update
[120]: KB944533-IE7 - Update
[121]: KB947864-IE7 - Update
[122]: KB950759-IE7 - Update
[123]: KB953838-IE7 - Update
[124]: KB956390-IE7 - Update
[125]: KB958215-IE7 - Update
[126]: KB960714-IE7 - Update
[127]: KB961260-IE7 - Update
[128]: KB963027-IE7 - Update
[129]: KB969897-IE7 - Update
[130]: KB969897-IE8 - Update
[131]: KB971930-IE8 - Update
[132]: KB971961-IE8 - Update
[133]: KB972260-IE8 - Update
[134]: KB974455-IE8 - Update
[135]: KB976325-IE8 - Update
[136]: KB976749-IE8 - Update
[137]: MSCompPackV1 - Update
[138]: KB936929 - Service Pack
[139]: KB923561 - Update
[140]: KB938464 - Update
[141]: KB938464-v2 - Update
[142]: KB946648 - Update
[143]: KB950760 - Update
[144]: KB950762 - Update
[145]: KB950974 - Update
[146]: KB951066 - Update
[147]: KB951072-v2 - Update
[148]: KB951376 - Update
[149]: KB951376-v2 - Update
[150]: KB951698 - Update
[151]: KB951748 - Update
[152]: KB951978 - Update
[153]: KB952004 - Update
[154]: KB952287 - Update
[155]: KB952954 - Update
[156]: KB953839 - Update
[157]: KB954211 - Update
[158]: KB954459 - Update
[159]: KB954550-v5 - Update
[160]: KB954600 - Update
[161]: KB955069 - Update
[162]: KB955839 - Update
[163]: KB956391 - Update
[164]: KB956572 - Update
[165]: KB956744 - Update
[166]: KB956802 - Update
[167]: KB956803 - Update
[168]: KB956841 - Update
[169]: KB956844 - Update
[170]: KB957095 - Update
[171]: KB957097 - Update
[172]: KB958644 - Update
[173]: KB958687 - Update
[174]: KB958690 - Update
[175]: KB958869 - Update
[176]: KB959426 - Update
[177]: KB960225 - Update
[178]: KB960715 - Update
[179]: KB960803 - Update
[180]: KB960859 - Update
[181]: KB961118 - Update
[182]: KB961371 - Update
[183]: KB961373 - Update
[184]: KB961501 - Update
[185]: KB961503 - Update
[186]: KB967715 - Update
[187]: KB968389 - Update
[188]: KB968537 - Update
[189]: KB969059 - Update
[190]: KB969898 - Update
[191]: KB969947 - Update
[192]: KB970238 - Update
[193]: KB970430 - Update
[194]: KB970653-v3 - Update
[195]: KB971486 - Update
[196]: KB971557 - Update
[197]: KB971633 - Update
[198]: KB971657 - Update
[199]: KB971737 - Update
[200]: KB973346 - Update
[201]: KB973354 - Update
[202]: KB973507 - Update
[203]: KB973525 - Update
[204]: KB973687 - Update
[205]: KB973815 - Update
[206]: KB973869 - Update
[207]: KB973904 - Update
[208]: KB974112 - Update
[209]: KB97

NetWork Card(s): 4 NIC(s) Installed.
[01]: 1394 Net Adapter
Connection Name: 1394 Connection 2
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
[02]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
[03]: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.100
[04]: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Connection Name: Local Area Connection 2
Status: Media disconnected
22:21:42:484 4132 ForceUnloadDriver: NtUnloadDriver error 2
22:21:42:484 4132 ForceUnloadDriver: NtUnloadDriver error 2
22:21:42:484 4132 ForceUnloadDriver: NtUnloadDriver error 2
22:21:42:500 4132 main: Driver KLMD successfully dropped
22:21:42:531 4132 main: Driver KLMD successfully loaded
22:21:42:531 4132
Scanning Registry ...
22:21:42:531 4132 ScanServices: Searching service UACd.sys
22:21:42:531 4132 ScanServices: Open/Create key error 2
22:21:42:531 4132 ScanServices: Searching service TDSSserv.sys
22:21:42:531 4132 ScanServices: Open/Create key error 2
22:21:42:531 4132 ScanServices: Searching service gaopdxserv.sys
22:21:42:531 4132 ScanServices: Open/Create key error 2
22:21:42:531 4132 ScanServices: Searching service gxvxcserv.sys
22:21:42:531 4132 ScanServices: Open/Create key error 2
22:21:42:531 4132 ScanServices: Searching service MSIVXserv.sys
22:21:42:531 4132 ScanServices: Open/Create key error 2
22:21:42:531 4132 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
22:21:42:546 4132 UnhookRegistry: Kernel local addr: A40000
22:21:42:562 4132 UnhookRegistry: KeServiceDescriptorTable addr: AC5700
22:21:42:640 4132 UnhookRegistry: KiServiceTable addr: A6D460
22:21:42:640 4132 UnhookRegistry: NtEnumerateKey service number (local): 47
22:21:42:640 4132 UnhookRegistry: NtEnumerateKey local addr: B8CFF2
22:21:42:656 4132 KLMD_OpenDevice: Trying to open KLMD device
22:21:42:656 4132 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
22:21:42:656 4132 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
22:21:42:656 4132 UnhookRegistry: NtEnumerateKey service number (kernel): 47
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
22:21:42:656 4132 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
22:21:42:656 4132 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
22:21:42:656 4132 UnhookRegistry: No SDT hooks found on NtEnumerateKey
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
22:21:42:656 4132 UnhookRegistry: No splicing found on NtEnumerateKey
22:21:42:656 4132
Scanning Kernel memory ...
22:21:42:656 4132 KLMD_OpenDevice: Trying to open KLMD device
22:21:42:656 4132 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
22:21:42:656 4132 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
22:21:42:656 4132 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AED8CA0
22:21:42:656 4132 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
22:21:42:656 4132 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8AED1C68
22:21:42:656 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AED1C68
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AED1C68[0x38]
22:21:42:656 4132 DetectCureTDL3: DRIVER_OBJECT addr: 8AED8CA0
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AED8CA0[0xA8]
22:21:42:656 4132 KLMD_ReadMem: Trying to ReadMemory 0xE1F98A40[0x208]
22:21:42:656 4132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:21:42:656 4132 DetectCureTDL3: IrpHandler (0) addr: BA10EBB0
22:21:42:656 4132 DetectCureTDL3: IrpHandler (1) addr: 804F4562
22:21:42:656 4132 DetectCureTDL3: IrpHandler (2) addr: BA10EBB0
22:21:42:656 4132 DetectCureTDL3: IrpHandler (3) addr: BA108D1F
22:21:42:656 4132 DetectCureTDL3: IrpHandler (4) addr: BA108D1F
22:21:42:656 4132 DetectCureTDL3: IrpHandler (5) addr: 804F4562
22:21:42:656 4132 DetectCureTDL3: IrpHandler (6) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (7) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (8) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (9) addr: BA1092E2
22:21:42:671 4132 DetectCureTDL3: IrpHandler (10) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (11) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (12) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (13) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (14) addr: BA1093BB
22:21:42:671 4132 DetectCureTDL3: IrpHandler (15) addr: BA10CF28
22:21:42:671 4132 DetectCureTDL3: IrpHandler (16) addr: BA1092E2
22:21:42:671 4132 DetectCureTDL3: IrpHandler (17) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (18) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (19) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (20) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (21) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (22) addr: BA10AC82
22:21:42:671 4132 DetectCureTDL3: IrpHandler (23) addr: BA10F99E
22:21:42:671 4132 DetectCureTDL3: IrpHandler (24) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (25) addr: 804F4562
22:21:42:671 4132 DetectCureTDL3: IrpHandler (26) addr: 804F4562
22:21:42:671 4132 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
22:21:42:671 4132 KLMD_ReadMem: DeviceIoControl error 1
22:21:42:671 4132 TDL3_StartIoHookDetect: Unable to get StartIo handler code
22:21:42:671 4132 TDL3_FileDetect: Processing driver: Disk
22:21:42:671 4132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
22:21:42:671 4132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
22:21:42:671 4132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
22:21:42:687 4132 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8AEEA6F0
22:21:42:687 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEEA6F0
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AEEA6F0[0x38]
22:21:42:687 4132 DetectCureTDL3: DRIVER_OBJECT addr: 8AED8CA0
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AED8CA0[0xA8]
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0xE1F98A40[0x208]
22:21:42:687 4132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:21:42:687 4132 DetectCureTDL3: IrpHandler (0) addr: BA10EBB0
22:21:42:687 4132 DetectCureTDL3: IrpHandler (1) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (2) addr: BA10EBB0
22:21:42:687 4132 DetectCureTDL3: IrpHandler (3) addr: BA108D1F
22:21:42:687 4132 DetectCureTDL3: IrpHandler (4) addr: BA108D1F
22:21:42:687 4132 DetectCureTDL3: IrpHandler (5) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (6) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (7) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (8) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (9) addr: BA1092E2
22:21:42:687 4132 DetectCureTDL3: IrpHandler (10) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (11) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (12) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (13) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (14) addr: BA1093BB
22:21:42:687 4132 DetectCureTDL3: IrpHandler (15) addr: BA10CF28
22:21:42:687 4132 DetectCureTDL3: IrpHandler (16) addr: BA1092E2
22:21:42:687 4132 DetectCureTDL3: IrpHandler (17) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (18) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (19) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (20) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (21) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (22) addr: BA10AC82
22:21:42:687 4132 DetectCureTDL3: IrpHandler (23) addr: BA10F99E
22:21:42:687 4132 DetectCureTDL3: IrpHandler (24) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (25) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (26) addr: 804F4562
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
22:21:42:687 4132 KLMD_ReadMem: DeviceIoControl error 1
22:21:42:687 4132 TDL3_StartIoHookDetect: Unable to get StartIo handler code
22:21:42:687 4132 TDL3_FileDetect: Processing driver: Disk
22:21:42:687 4132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
22:21:42:687 4132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
22:21:42:687 4132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
22:21:42:687 4132 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8AEEAAB8
22:21:42:687 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEEAAB8
22:21:42:687 4132 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8AEE49E8
22:21:42:687 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEE49E8
22:21:42:687 4132 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8AEDFD98
22:21:42:687 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEDFD98
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AEDFD98[0x38]
22:21:42:687 4132 DetectCureTDL3: DRIVER_OBJECT addr: 8AEEF868
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AEEF868[0xA8]
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0xE10028B0[0x208]
22:21:42:687 4132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:21:42:687 4132 DetectCureTDL3: IrpHandler (0) addr: B9F156F2
22:21:42:687 4132 DetectCureTDL3: IrpHandler (1) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (2) addr: B9F156F2
22:21:42:687 4132 DetectCureTDL3: IrpHandler (3) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (4) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (5) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (6) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (7) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (8) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (9) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (10) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (11) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (12) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (13) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (14) addr: B9F15712
22:21:42:687 4132 DetectCureTDL3: IrpHandler (15) addr: BA338D60
22:21:42:687 4132 DetectCureTDL3: IrpHandler (16) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (17) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (18) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (19) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (20) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (21) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (22) addr: B9F1573C
22:21:42:687 4132 DetectCureTDL3: IrpHandler (23) addr: B9F1C336
22:21:42:687 4132 DetectCureTDL3: IrpHandler (24) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (25) addr: 804F4562
22:21:42:687 4132 DetectCureTDL3: IrpHandler (26) addr: 804F4562
22:21:42:687 4132 KLMD_ReadMem: Trying to ReadMemory 0xB9F12864[0x400]
22:21:42:687 4132 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
22:21:42:687 4132 TDL3_FileDetect: Processing driver: atapi
22:21:42:687 4132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
22:21:42:687 4132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
22:21:42:687 4132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
22:21:42:703 4132 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8AEE9AB8
22:21:42:703 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEE9AB8
22:21:42:703 4132 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8AEECF18
22:21:42:703 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEECF18
22:21:42:703 4132 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8AEE6D98
22:21:42:703 4132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEE6D98
22:21:42:703 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AEE6D98[0x38]
22:21:42:703 4132 DetectCureTDL3: DRIVER_OBJECT addr: 8AEEF868
22:21:42:703 4132 KLMD_ReadMem: Trying to ReadMemory 0x8AEEF868[0xA8]
22:21:42:703 4132 KLMD_ReadMem: Trying to ReadMemory 0xE10028B0[0x208]
22:21:42:703 4132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:21:42:703 4132 DetectCureTDL3: IrpHandler (0) addr: B9F156F2
22:21:42:703 4132 DetectCureTDL3: IrpHandler (1) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (2) addr: B9F156F2
22:21:42:703 4132 DetectCureTDL3: IrpHandler (3) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (4) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (5) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (6) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (7) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (8) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (9) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (10) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (11) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (12) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (13) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (14) addr: B9F15712
22:21:42:703 4132 DetectCureTDL3: IrpHandler (15) addr: BA338D60
22:21:42:703 4132 DetectCureTDL3: IrpHandler (16) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (17) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (18) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (19) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (20) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (21) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (22) addr: B9F1573C
22:21:42:703 4132 DetectCureTDL3: IrpHandler (23) addr: B9F1C336
22:21:42:703 4132 DetectCureTDL3: IrpHandler (24) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (25) addr: 804F4562
22:21:42:703 4132 DetectCureTDL3: IrpHandler (26) addr: 804F4562
22:21:42:703 4132 KLMD_ReadMem: Trying to ReadMemory 0xB9F12864[0x400]
22:21:42:703 4132 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
22:21:42:703 4132 TDL3_FileDetect: Processing driver: atapi
22:21:42:703 4132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
22:21:42:703 4132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
22:21:42:703 4132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
22:21:42:703 4132
Completed

Results:
22:21:42:703 4132 Infected objects in memory: 0
22:21:42:703 4132 Cured objects in memory: 0
22:21:42:703 4132 Infected objects on disk: 0
22:21:42:703 4132 Objects on disk cured on reboot: 0
22:21:42:703 4132 Objects on disk deleted on reboot: 0
22:21:42:703 4132 Registry nodes deleted on reboot: 0
22:21:42:703 4132
 
#21 ·
Were you having these problems before you got infected?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
 
#23 ·
Combofix is back up. You can run it again and update when it asks you to, or delete your copy and redownload it from HERE

Could you describe the symptoms you're still experiencing?

Attach C:\ComboFix.txt after running it.
 
#24 ·
OK, I was able to download and install ComboFix. I ran the scan and the log is below.
My machine never froze before I ran into this issue you are helping me with; now it randomly freezes and I have to shut it down from the reset button on the front. Other than that it seems to be working properly.

Thanks

ComboFix 09-12-22.09 - Glenn 12/23/2009 16:44:55.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1392 [GMT -8:00]
Running from: f:\tools\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-23 00:49 . 2009-12-23 21:52 0 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\prvlcl.dat
2009-12-02 05:46 . 2009-12-02 05:46 -------- d-----w- c:\program files\SlySoft
2009-11-29 02:57 . 2009-11-29 02:57 -------- d-----w- c:\program files\Common Files\EasyInfo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 00:59 . 2009-12-20 22:45 52224 ----a-w- c:\documents and settings\Glenn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-21 00:12 . 2008-01-26 00:16 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-20 23:51 . 2008-01-26 00:17 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-20 22:45 . 2009-04-05 17:25 117760 ----a-w- c:\documents and settings\Glenn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-20 22:03 . 2009-11-13 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 22:03 . 2009-04-21 06:58 -------- d-----w- c:\documents and settings\Glenn\Application Data\Azureus
2009-12-20 21:48 . 2008-03-18 23:30 -------- d-----w- c:\program files\Bonjour
2009-12-19 23:24 . 2009-07-02 21:28 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-19 23:24 . 2009-07-02 21:27 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-19 23:24 . 2009-07-02 21:27 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-19 23:24 . 2009-10-28 22:23 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-19 23:24 . 2009-07-02 21:27 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-19 23:24 . 2009-07-02 21:28 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-19 23:23 . 2009-07-02 21:27 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-19 23:23 . 2009-07-02 21:27 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-19 23:23 . 2009-07-02 21:27 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-19 23:23 . 2009-07-02 21:27 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-19 23:23 . 2009-07-02 21:27 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-19 23:23 . 2009-07-02 21:27 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-19 23:23 . 2009-07-02 21:27 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-18 19:37 . 2009-12-22 18:13 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-16 22:42 . 2009-12-23 00:27 872960 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 22:42 . 2009-12-23 00:27 43008 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 22:42 . 2009-12-23 00:27 340480 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 22:41 . 2009-12-23 00:27 346624 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 18:54 . 2009-09-04 14:43 69 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences2.dat
2009-12-16 18:12 . 2008-07-24 21:25 39 ----a-w- c:\documents and settings\Glenn\jagex_runescape_preferences.dat
2009-12-11 21:15 . 2009-12-22 18:13 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-11 21:15 . 2009-12-22 18:13 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-11 21:15 . 2009-12-22 18:13 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-05 02:08 . 2009-04-05 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 02:08 . 2009-04-05 17:13 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 00:14 . 2009-04-05 17:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-04-05 17:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 17:53 . 2009-11-09 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-01 06:02 . 2009-04-21 06:58 -------- d-----w- c:\program files\Vuze
2009-11-28 01:57 . 2009-10-28 22:34 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-27 01:39 . 2009-12-16 00:16 678912 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-11-27 01:37 . 2009-12-16 00:16 768512 ----a-w- c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-11-22 18:41 . 2009-11-22 18:41 -------- d-----w- c:\program files\Microsoft
2009-11-21 23:23 . 2009-07-02 21:27 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-21 23:23 . 2009-07-02 21:27 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-21 23:23 . 2009-07-02 21:27 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-21 23:23 . 2009-09-21 21:28 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-13 03:26 . 2009-11-13 03:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 11:22 . 2009-11-11 11:22 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-11-09 16:48 . 2009-06-08 23:38 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 15:05 . 2009-04-05 17:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-09 06:22 . 2008-05-26 16:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 06:22 . 2008-05-26 16:04 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 06:22 . 2008-01-25 01:54 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 06:22 . 2008-05-26 16:04 -------- d-----w- c:\program files\AVG
2009-11-08 23:41 . 2009-11-08 23:41 -------- d-----w- c:\documents and settings\Glenn\Application Data\QuickScan
2009-11-08 22:07 . 2009-11-08 22:07 -------- d-----w- c:\program files\Trend Micro
2009-11-08 22:03 . 2009-11-08 22:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-08 17:57 . 2008-05-26 21:15 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-08 17:48 . 2008-05-26 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-11-08 17:16 . 2008-08-06 07:47 -------- d-----w- c:\documents and settings\Glenn\Application Data\Vso
2009-11-08 17:16 . 2009-08-07 05:38 -------- d-----w- c:\program files\DVDFab 6
2009-10-29 07:45 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-28 22:23 . 2009-10-28 22:23 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-28 22:23 . 2009-08-28 06:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-28 22:23 . 2009-07-02 21:27 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-10-28 22:23 . 2009-10-28 22:23 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-10-28 22:23 . 2009-10-28 22:23 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-28 22:23 . 2009-10-28 22:23 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-10-28 22:23 . 2009-10-28 22:23 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-10-28 22:22 . 2009-10-28 22:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-28 02:26 . 2009-10-28 02:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 02:26 . 2009-10-17 21:10 -------- d-----w- c:\program files\DQ Tycoon
2009-10-25 01:13 . 2008-07-28 02:30 -------- d-----w- c:\program files\ee
2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-02-28 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-02-28 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-02-28 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 06:19 . 2009-04-21 14:41 10686001 ----a-w- c:\documents and settings\Glenn\Application Data\Azureus\plugins\azump\mplayer.exe
2009-10-03 08:15 . 2009-10-28 22:22 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-09-28 18:20 . 2009-09-28 18:20 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57 . 2009-09-26 17:57 25768 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2001-11-05 17:30 . 2008-01-25 04:45 165376 ----a-w- c:\program files\UNWISE.EXE
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-26 21:18 . 2008-05-26 21:06 24 --sh--w- c:\windows\S22E9CA8D.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-15 2000112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 788880]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 06:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Glenn^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Glenn\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus C88 Series on KITCHEN]
2005-01-27 12:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 10:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-07-23 03:18 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 06:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-24 22:52 240112 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wsmkatwtt"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"OneTouch 4.0 Monitor"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\ee\\Empire Earth.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/2/2009 1:28 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:04 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/8/2009 3:38 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/8/2009 10:22 PM 285392]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [1/25/2008 2:00 PM 12160]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S3 jfdcd;jfdcd;\??\c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\Glenn\LOCALS~1\Temp\jfdcd.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys --> c:\windows\system32\drivers\vmfilter303.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1181328]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Atomic Email Hunter - c:\program files\AtomPark\Atomic Email Hunter\ie.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\s2rs9omh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
MSConfigStartUp-{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - c:\program files\Google\Gmail Notifier\gnotify.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 16:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-23 17:04:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 01:04
ComboFix2.txt 2009-11-09 05:52
ComboFix3.txt 2009-11-09 05:19

Pre-Run: 45,158,285,312 bytes free
Post-Run: 45,325,660,160 bytes free

- - End Of File - - 4D0DDCF54130BDA2898E6F4B0BC37546
 
#25 ·
Looks as though you're all set to go. If you need more assistance with the lockups or with the computer being slow, you should create a new topic in the technical forums.

Let's cleanup.

STEP 1

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7, just paste it into the text box that appears next to your Start button)

ComboFix /Uninstall

Note: If you renamed ComboFix to something else (Combo-Fix or Gotcha for example) you might have to change the command accordingly: Combo-Fix /Uninstall

STEP 2

Remove any other tools or files we used by right-clicking on them or any folders they created, holding down the Shift key, and selecting "Delete". This will delete the files without sending them to the Recycle Bin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though and that's fine :) Make sure you update it before you run the scans in the future.

All Clean

Congratulations! Your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to (Start) > (All) Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

See how to get it HERE
(For Vista and 7 see HERE )

You can also use a tool to update your Hosts file. See HERE and HERE

If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

Please mark this thread as Solved by clicking on the button at the top of this page. Let me know if you need anything else.
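The HOSTS file behaviour described in the post above (the resolver checks the file before DNS, and a blocklist-style file points unwanted sites at the local machine) can be seen in working code. The following is an added example and not part of the original thread or any of the tools it links to; the file content and all host names in it are constructed for illustration, and the `.test` domains are reserved names that resolve nowhere. It also goes one step beyond the post by separating entries that "short circuit" a site to the local machine from entries that redirect a name to some other address, which is the kind of entry a malware scan reports for review.

```python
"""Added example (not from the original thread): parse a Windows-style HOSTS file
and show how a name lookup is decided from it.

Format: one entry per line, an IP address followed by one or more host names;
'#' starts a comment. The first matching entry wins. Blocklist-style files map
unwanted sites to 127.0.0.1 or 0.0.0.0 so the request ends at the local
machine and never reaches the site.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample HOSTS file; the host names are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost

# Entries of the kind a blocklist-style HOSTS file adds (constructed)
0.0.0.0   ads.example-tracker.test
127.0.0.1 malware-download.example.test   www.malware-download.example.test

# An entry worth reviewing: a name sent to a remote address instead of
# the local machine (constructed; 198.51.100.0/24 is documentation space)
198.51.100.23   update.example-vendor.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs in file order, skipping comments and bad lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: address with no host name
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed: first field is not an IP address
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def lookup(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Resolve a name the way the file is consulted: top-down, first match wins.

    Returns None when the name is absent, meaning the request falls through to DNS.
    """
    hostname = hostname.lower()
    for name, ip in entries:
        if name == hostname:
            return ip
    return None


def is_local_sink(ip: str) -> bool:
    """True when the address keeps the request on the local machine (or drops it)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def classify(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split names into 'blocked' (local sink) and 'redirected' (remote address).

    Redirected entries are the ones to look at when auditing a HOSTS file, since a
    blocklist only ever adds local-sink entries.
    """
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for name, ip in entries:
        if name == "localhost":
            continue  # the stock entries, not a blocklist line
        bucket = "blocked" if is_local_sink(ip) else "redirected"
        if name not in result[bucket]:
            result[bucket].append(name)
    return result


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-tracker.test", "update.example-vendor.test", "not-listed.test"):
        print(f"{host:35s} -> {lookup(table, host)}")
    print(classify(table))
```

Because the lookup is a top-down scan, a very large blocklist makes every name resolution walk the whole file, which is the slowdown the post warns about; emptying or resetting the file removes that cost.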