
Author Topic: Atapi.sys and other stuff  (Read 32246 times)


cldmafia

    Atapi.sys and other stuff
    « on: March 02, 2010, 12:04:19 AM »
    Recently there's been a surge in virus and malware stuff that's pretty much never happened to me up until this point. I thought I could handle it by myself but now it just seems like it's getting out of hand; either coincidence or all these are connected.

    So maybe a week ago I got a virus(?) called av.exe and I thought I fixed that, but now I'm getting stuff detected by AVG like lyepsftav.exe and cpwk.exe.

    I've been using Spybot Search and Destroy but I got MalwareBytes' as well to delete avsoft or whatever off of my computer.

    Now I just got an alert from AVG telling me about atapi.sys being infected and something about Win32/Patched.CG? I've just been reading horror stories of deleting the file through MalwareBytes' so I'm pretty wary of what I should do and how concerned I should be.

    Can anyone help?

    Geek-9pm


    Re: Atapi.sys and other stuff
    « Reply #1 on: March 02, 2010, 12:22:04 AM »
    If you have a full system backup you can find the virgin file on the backup and put it onto your system. But that may be tricky. It is a system file and you might not be able to overwrite it.
    You may need to wait a while for a solution. The problem is widespread and Malwarebytes and others are working on it. This is not all new, but this is a new twist on a trick that was used before.
    Here is a thread with some more recent information.
    http://www.bleepingcomputer.com/forums/topic294140.html
    Note that they do not have a clear answer.
    On this forum you may find this topic using the key-phrase Google redirect.
    http://www.computerhope.com/search.htm?cx=003411668307610607965%3Ah4yba8pbdco&cof=FORID%3A9%3BNB%3A1&q=Google+redirect&sa=Search

    Look and see if that is what you have.

    cldmafia

      Re: Atapi.sys and other stuff
      « Reply #2 on: March 02, 2010, 12:43:23 AM »
      I don't know about that first post, but I did look through the google redirect problems. I don't quite understand the problem but whenever I search for anything and click on a link it takes me there. However, when I use Internet Explorer 8 (I usually use Firefox like right now) and go to Tools and try to use Windows Update (like what some other people have been saying) it says "Internet Explorer cannot display the webpage."

      Oh and I just tried googling the URL for the windows update site and that also gives me the "cannot display webpage." Or if I google "windows update" and then click on the first link it redirects me to the same page then if I click it again it sends me to "cannot display webpage" again.

      BC_Programmer


      Re: Atapi.sys and other stuff
      « Reply #3 on: March 02, 2010, 02:45:22 AM »
      follow the guide here and post the three logs (Malwarebytes, SUPERAntiSpyware, HijackThis) here and wait for a Malware expert to assist you.  :)

      evilfantasy

      Re: Atapi.sys and other stuff
      « Reply #4 on: March 02, 2010, 09:37:25 AM »
      Please leave the malware topics for the malware team. Any reply makes them have to wait longer when we are busy.

      evilfantasy

      Re: Atapi.sys and other stuff
      « Reply #5 on: March 02, 2010, 09:38:26 AM »
      @ cldmafia

      Download ComboFix from one of the below links. You must rename it before saving it!

      Important! You MUST save ComboFix to your desktop.

      Link #1
      Link #2

      Rename ComboFix to Combo-Fix before saving it to the desktop.





      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Double click on Combo-Fix.exe & follow the prompts.

      Vista and Windows 7 users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

      Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

      When the scan completes it will open a text window.
       
      Post the contents of that log in your next reply.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      cldmafia

        Re: Atapi.sys and other stuff
        « Reply #6 on: March 02, 2010, 04:50:51 PM »
        ComboFix 10-03-02.02 - HP_Administrator 03/02/2010  14:33:14.1.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.3065 [GMT -8:00]
        Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\All Users\Start Menu\Programs\Linksys Wireless-N PCI Adapter
        c:\documents and settings\All Users\Start Menu\Programs\Linksys Wireless-N PCI Adapter \Uninstall.lnk
        c:\documents and settings\All Users\Start Menu\Programs\Linksys Wireless-N PCI Adapter \Wireless Network Monitor.lnk
        D:\Autorun.inf

        Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
        Restored copy from - Kitty ate it :p
        .
        (((((((((((((((((((((((((   Files Created from 2010-02-02 to 2010-03-02  )))))))))))))))))))))))))))))))
        .

        2010-03-02 04:15 . 2010-03-02 04:15   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
        2010-02-28 13:49 . 2010-03-01 22:14   --------   d-----w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\pycdys
        2010-02-22 08:15 . 2010-02-22 08:15   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
        2010-02-22 08:15 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-02-22 08:15 . 2010-02-22 08:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-02-22 08:15 . 2010-02-22 08:15   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-02-22 08:15 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-02-22 08:04 . 2010-02-22 08:07   --------   d-----w-   c:\windows\system32\NtmsData
        2010-02-21 05:43 . 2010-02-21 11:32   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\ImgBurn
        2010-02-21 04:43 . 2010-02-21 05:02   --------   d-----w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\QuickPar
        2010-02-21 03:51 . 2010-02-21 03:51   --------   d-----w-   c:\program files\7-Zip
        2010-02-21 03:49 . 2010-02-21 03:49   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\RapidCRC
        2010-02-20 22:49 . 2010-02-20 22:49   --------   d-----w-   c:\program files\ImgBurn
        2010-02-20 22:46 . 2010-02-21 05:02   --------   d-----w-   c:\program files\QuickPar
        2010-02-20 22:33 . 2010-02-20 22:33   --------   d-----w-   c:\program files\RapidCRC
        2010-02-01 23:43 . 2010-02-01 23:48   --------   d-----w-   c:\program files\Common Files\BioWare

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-03-02 22:08 . 2009-11-05 03:35   1743153   ----a-w-   c:\windows\Internet Logs\tvDebug.Zip
        2010-03-02 22:00 . 2009-11-02 06:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-03-02 17:34 . 2009-11-12 03:31   0   ----a-w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
        2010-03-02 06:28 . 2004-08-10 04:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
        2010-03-02 03:01 . 2009-11-02 06:54   --------   d-----w-   c:\program files\CCleaner
        2010-02-28 11:00 . 2009-11-02 07:44   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\uTorrent
        2010-02-27 17:34 . 2010-02-27 17:39   1738240   ----a-w-   c:\windows\Internet Logs\xDB8.tmp
        2010-02-27 07:15 . 2006-07-31 23:25   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-02-25 07:22 . 2009-11-02 09:29   1   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
        2010-02-22 06:48 . 2009-11-02 06:55   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-01-22 10:30 . 2010-01-12 03:59   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\vlc
        2010-01-22 07:26 . 2010-01-12 04:28   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
        2010-01-22 03:50 . 2010-01-22 03:50   20976794   ----a-w-   c:\windows\Internet Logs\vsmon_on_demand_thread_2010_01_21_19_42_41_full.dmp.zip
        2010-01-21 02:44 . 2010-01-21 02:44   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\SharePod
        2010-01-12 05:25 . 2010-01-12 05:23   --------   d-----w-   c:\program files\QuickTime
        2010-01-12 05:23 . 2010-01-12 05:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
        2010-01-12 05:03 . 2010-01-12 05:03   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Apple Computer
        2010-01-12 04:53 . 2010-01-12 04:53   --------   d-----w-   c:\program files\Common Files\Apple
        2010-01-12 04:53 . 2010-01-12 04:53   --------   d-----w-   c:\program files\Apple Software Update
        2010-01-12 04:53 . 2010-01-12 04:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
        2010-01-12 04:29 . 2010-01-12 04:29   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Publish Providers
        2010-01-12 04:28 . 2010-01-12 04:28   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Sony
        2010-01-12 04:20 . 2010-01-12 04:20   --------   d-----w-   c:\program files\Vstplugins
        2010-01-12 04:19 . 2010-01-12 04:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sony
        2010-01-12 04:19 . 2010-01-12 04:19   --------   d-----w-   c:\program files\Sony
        2010-01-12 04:17 . 2010-01-12 04:17   --------   d-----w-   c:\program files\Sony Setup
        2010-01-12 03:57 . 2010-01-12 03:57   --------   d-----w-   c:\program files\VideoLAN
        2010-01-09 07:35 . 2010-01-01 05:07   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Tropico 3
        2010-01-07 03:24 . 2009-11-02 07:42   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Winamp
        2009-12-31 16:50 . 2004-08-10 04:00   353792   ------w-   c:\windows\system32\drivers\srv.sys
        2009-12-29 01:07 . 2009-12-29 01:09   1620992   ----a-w-   c:\windows\Internet Logs\xDB2.tmp
        2009-12-27 00:53 . 2009-12-27 00:53   10134   ----a-r-   c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}\ARPPRODUCTICON.exe
        2009-12-23 21:08 . 2006-07-31 23:23   60216   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-12-21 19:14 . 2004-08-10 04:00   916480   ----a-w-   c:\windows\system32\wininet.dll
        2009-12-20 18:33 . 2009-12-20 18:33   138240   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
        2009-12-20 18:33 . 2009-12-20 18:33   138240   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
        2009-12-20 18:33 . 2009-12-20 18:33   138240   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
        2009-12-20 18:33 . 2009-12-20 18:33   138240   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
        2009-12-16 18:43 . 2004-08-10 04:00   343040   ------w-   c:\windows\system32\mspaint.exe
        2009-12-14 07:08 . 2004-08-10 04:00   33280   ------w-   c:\windows\system32\csrsrv.dll
        2009-12-08 19:26 . 2004-08-10 11:00   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
        2009-12-08 18:43 . 2004-08-10 11:00   2023936   ------w-   c:\windows\system32\ntkrnlpa.exe
        2009-12-04 18:22 . 2004-08-10 04:00   455424   ------w-   c:\windows\system32\drivers\mrxsmb.sys
        2009-09-25 16:41 . 2009-09-25 16:41   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
        2009-09-25 16:41 . 2009-09-25 16:41   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
        2006-11-25 05:48 . 2009-11-01 21:17   32   --sha-w-   c:\windows\SMINST\HPCD.SYS
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Aim"="c:\program files\AIM\aim.exe" [2009-10-01 3634024]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
        "ftutil2"="ftutil2.dll" [2004-06-07 106496]
        "RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
        "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
        "nwiz"="nwiz.exe" [2007-11-07 1626112]
        "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
        "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
        "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
        "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
        "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-04-25 1273856]
        "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
        "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
        "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 44032]
        "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
        "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
        "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
        "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
        Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-31 36903]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-11-01 23:14   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)
        "DisableNotifications"= 1 (0x1)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
        "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
        "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\AIM\\aim.exe"=
        "c:\\Program Files\\uTorrent\\uTorrent.exe"=
        "c:\\Documents and Settings\\HP_Administrator\\My Documents\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
        "c:\\Documents and Settings\\HP_Administrator\\My Documents\\Games\\Mass Effect\\MassEffectLauncher.exe"=

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/1/2009 3:14 PM 333192]
        R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/1/2009 3:14 PM 360584]
        R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/1/2009 3:14 PM 906520]
        R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/1/2009 3:14 PM 285392]
        R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [11/1/2009 1:50 PM 53307]
        S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2009 11:41 PM 691696]

        --- Other Services/Drivers In Memory ---

        *NewlyCreated* - GTNDIS5
        .
        Contents of the 'Scheduled Tasks' folder

        2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{F068B669-B50B-4187-BD1C-9DC518DAF20B}.job
        - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
        FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\v5matk0v.default\
        FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
        FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
        FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
        - - - - ORPHANS REMOVED - - - -

        HKLM-Run-PCDrProfiler - (no file)



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-03-02 14:43
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-4006090707-571570240-760207826-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ c*" Ó* g*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)
        "Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(808)
        c:\windows\System32\BCMLogon.dll

        - - - - - - - > 'explorer.exe'(924)
        c:\windows\system32\WININET.dll
        c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\AVG\AVG9\avgchsvx.exe
        c:\program files\AVG\AVG9\avgrsx.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\windows\System32\WLTRYSVC.EXE
        c:\windows\System32\bcmwltry.exe
        c:\windows\arservice.exe
        c:\windows\eHome\ehRecvr.exe
        c:\windows\eHome\ehSched.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Common Files\LightScribe\LSSrvc.exe
        c:\windows\system32\nvsvc32.exe
        c:\windows\system32\HPZipm12.exe
        c:\program files\Wireless-N PCI Adapter\WMP300N.exe
        c:\program files\AVG\AVG9\avgnsx.exe
        c:\windows\ehome\mcrdsvc.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\windows\system32\wscntfy.exe
        c:\windows\system32\dllhost.exe
        c:\windows\RTHDCPL.EXE
        c:\windows\ARPWRMSG.EXE
        c:\windows\eHome\ehmsas.exe
        c:\windows\system32\RUNDLL32.EXE
        c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
        c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
        c:\hp\KBD\KBD.EXE
        c:\windows\system\hpsysdrv.exe
        c:\program files\Java\jre6\bin\jusched.exe
        c:\program files\Java\jre6\bin\jucheck.exe
        .
        **************************************************************************
        .
        Completion time: 2010-03-02  15:43:09 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-03-02 23:43

        Pre-Run: 97,985,253,376 bytes free
        Post-Run: 98,000,879,616 bytes free

        - - End Of File - - 95E66C128C26BC34A7AEE2513147B448
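        The Find3M section of the ComboFix log above is where the patched driver gives itself away: atapi.sys keeps its original 2004 creation stamp but carries a modification time on the day of the scan, while its size still looks like a stock file. The following Python is an added triage helper, not part of this thread or of ComboFix; it parses Find3M-style lines (the sample lines are constructed here, copied from the log above) and flags Windows binaries that were rewritten in place within a chosen window. Windows Update leaves the same footprint, so a hit is a lead to confirm by signature or by hashing against a clean copy, not a verdict.

```python
import re
from datetime import date, timedelta

# Shape of one ComboFix "Find3M Report" line (same layout as in the log above):
#   <modified date time> . <created date time>   <size or dashes>   <attrs>   <path>
_FIND3M_LINE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. (?P<cre>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"
    r"\s+(?P<size>-+|\d+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Constructed sample, copied from the Find3M section above; the directory entry at the
# end is included to show that directories are ignored by the triage.
SAMPLE_FIND3M = r"""
2010-03-02 06:28 . 2004-08-10 04:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-02-22 08:15 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-08-10 04:00   353792   ------w-   c:\windows\system32\drivers\srv.sys
2009-12-08 19:26 . 2004-08-10 11:00   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
2010-03-02 22:00 . 2009-11-02 06:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
"""

SYSTEM_ROOT = "c:\\windows\\"
BINARY_EXTS = (".sys", ".dll", ".exe")


def parse_find3m(text):
    """Parse Find3M-style lines; banners, '.' separators and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _FIND3M_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "modified": date.fromisoformat(m["mod"]),
            "created": date.fromisoformat(m["cre"]),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attr"].startswith("d"),
            "path": m["path"],
        })
    return entries


def flag_rewritten_system_binaries(entries, scan_date, window_days=14, min_age_days=365):
    """Return entries that look like an old OS binary rewritten in place shortly before the scan.

    A hit is a .sys/.dll/.exe under c:\\windows\\ whose modification date falls within
    `window_days` before `scan_date` while its creation date is at least `min_age_days`
    older. Windows Update leaves the same footprint (see srv.sys and ntoskrnl.exe in the
    sample with a wider window), so confirm each hit by Authenticode signature or by
    hashing it against a clean copy of the same file version.
    """
    window_start = scan_date - timedelta(days=window_days)
    hits = []
    for e in entries:
        p = e["path"].lower()
        if e["is_dir"] or not p.startswith(SYSTEM_ROOT) or not p.endswith(BINARY_EXTS):
            continue
        if not (window_start <= e["modified"] <= scan_date):
            continue
        if (e["modified"] - e["created"]).days < min_age_days:
            continue
        hits.append(e)
    return hits


def triage(text, scan_date_iso, **kwargs):
    """Parse the log text and return the flagged paths, lower-cased, in log order."""
    hits = flag_rewritten_system_binaries(parse_find3m(text), date.fromisoformat(scan_date_iso), **kwargs)
    return [h["path"].lower() for h in hits]


if __name__ == "__main__":
    # With the default two-week window only atapi.sys is flagged for the scan date above.
    for path in triage(SAMPLE_FIND3M, "2010-03-02"):
        print("rewritten system binary, verify signature/hash:", path)
```

Widening the window to 90 days also pulls in srv.sys and ntoskrnl.exe, which were updated by Windows Update in December; that is the false-positive class the signature or hash check is there to clear.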

        evilfantasy

        Re: Atapi.sys and other stuff
        « Reply #7 on: March 02, 2010, 04:56:34 PM »
        Thank you.

        If you already have Malwarebytes be sure to update it before running the scan!

        Download Malwarebytes' Anti-Malware (MBAM)

        * Double-click mbam-setup.exe and follow the prompts to install the program.
        * At the end, be sure a checkmark is placed next to the following:

        * Update Malwarebytes' Anti-Malware
        * Launch Malwarebytes' Anti-Malware

        * Then click Finish
        * If an update is found, it will download and install the latest version.
        * Once the program has loaded, select Perform quick scan, then click Scan.
        * When the scan is complete, click OK, then Show Results to view the results.
        * Be sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        * Copy and Paste the entire report in your next reply.

        Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

        ----------

        Download GMER Rootkit Detector and save it to your desktop.
         
        * Extract it to your desktop and double-click GMER.exe
        * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
        * Click the Rootkit tab and then Scan.
        * Don't check the Show All box while scanning in progress!
        * When scanning is finished click Copy.
        * This copies the log to the clipboard.
        * Post the log in your reply.

        ----------

        Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

        Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

        * XP users Double click on dds to run it.
        * If your antivirus or firewall tries to block DDS then please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please copy and paste the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log, by copying and pasting it into the reply.

        ----------

        It may take two posts to get all of the logs posted and that's fine.

        Logs needed:

        • MBAM log
        • GMER log
        • Both DDS logs

        cldmafia

          Re: Atapi.sys and other stuff
          « Reply #8 on: March 02, 2010, 07:37:58 PM »
          Malwarebytes' Anti-Malware 1.44
          Database version: 3816
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          3/2/2010 4:31:31 PM
          mbam-log-2010-03-02 (16-31-31).txt

          Scan type: Quick Scan
          Objects scanned: 125899
          Time elapsed: 11 minute(s), 22 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)


          cldmafia

            Re: Atapi.sys and other stuff
            « Reply #9 on: March 02, 2010, 07:38:37 PM »

            DDS (Ver_09-12-01.01) - NTFSx86 
            Run by HP_Administrator at 18:36:48.68 on Tue 03/02/2010
            Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.2810 [GMT -8:00]

            AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            FW: ZoneAlarm Firewall *enabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

            ============== Running Processes ===============

            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            svchost.exe
            svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\Program Files\AVG\AVG9\avgchsvx.exe
            C:\Program Files\AVG\AVG9\avgrsx.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\WLTRYSVC.EXE
            C:\WINDOWS\System32\bcmwltry.exe
            C:\WINDOWS\system32\spoolsv.exe
            svchost.exe
            C:\WINDOWS\arservice.exe
            C:\Program Files\AVG\AVG9\avgwdsvc.exe
            C:\WINDOWS\eHome\ehRecvr.exe
            C:\WINDOWS\eHome\ehSched.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Common Files\LightScribe\LSSrvc.exe
            C:\WINDOWS\system32\nvsvc32.exe
            C:\Program Files\AVG\AVG9\avgnsx.exe
            C:\WINDOWS\system32\HPZipm12.exe
            svchost.exe
            C:\Program Files\Wireless-N PCI Adapter\WLService.exe
            C:\Program Files\AVG\AVG9\avgemc.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
            C:\WINDOWS\system32\dllhost.exe
            C:\WINDOWS\ehome\ehtray.exe
            C:\WINDOWS\RTHDCPL.EXE
            C:\WINDOWS\ARPWRMSG.EXE
            C:\WINDOWS\eHome\ehmsas.exe
            C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
            C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
            C:\WINDOWS\system32\RUNDLL32.EXE
            C:\WINDOWS\system32\WLTRAY.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\Program Files\AIM\aim.exe
            C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
            C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
            C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\HP\KBD\KBD.EXE
            c:\windows\system\hpsysdrv.exe
            C:\Program Files\Java\jre6\bin\jusched.exe
            C:\Program Files\Mozilla Firefox\firefox.exe
            C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

            ============== Pseudo HJT Report ===============

            uStart Page = hxxp://www.google.com/
            uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
            mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
            uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
            uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
            BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
            BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
            BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
            uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
            mRun: [ehTray] c:\windows\ehome\ehtray.exe
            mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
            mRun: [RTHDCPL] RTHDCPL.EXE
            mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
            mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
            mRun: [nwiz] nwiz.exe /install
            mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
            mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
            mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
            mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
            mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
            mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
            mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
            mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
            mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
            mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
            mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
            mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
            mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
            mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
            IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
            IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
            IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
            IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
            DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
            Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
            Notify: avgrsstarter - avgrsstx.dll

            ================= FIREFOX ===================

            FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\v5matk0v.default\
            FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
            FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
            FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

            ---- FIREFOX POLICIES ----
            FF - user.js: network.protocol-handler.warn-external.dnupdate - false
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

            ============= SERVICES / DRIVERS ===============

            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-1 333192]
            R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-1 28424]
            R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-1 360584]
            R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-1 353672]
            R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-1 906520]
            R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-1 285392]
            R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
            R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
            R2 WMP300NSvc;WMP300NSvc;c:\program files\wireless-n pci adapter\WLService.exe [2009-11-1 53307]

            =============== Created Last 30 ================

            2010-03-02 22:09:26   98816   ----a-w-   c:\windows\sed.exe
            2010-03-02 22:09:26   77312   ----a-w-   c:\windows\MBR.exe
            2010-03-02 22:09:26   261632   ----a-w-   c:\windows\PEV.exe
            2010-03-02 22:09:26   161792   ----a-w-   c:\windows\SWREG.exe
            2010-02-22 08:15:36   0   d-----w-   c:\docume~1\hp_adm~1\applic~1\Malwarebytes
            2010-02-22 08:15:29   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-02-22 08:15:27   0   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
            2010-02-22 08:15:25   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-02-22 08:15:25   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-02-22 08:04:01   0   d-----w-   c:\windows\system32\NtmsData
            2010-02-21 03:49:57   0   d-----w-   c:\docume~1\hp_adm~1\applic~1\RapidCRC
            2010-02-20 22:46:35   0   d-----w-   c:\program files\QuickPar
            2010-02-20 22:33:16   0   d-----w-   c:\program files\RapidCRC
            2010-02-01 23:43:08   0   d-----w-   c:\program files\common files\BioWare

            ==================== Find3M  ====================

            2010-03-02 06:28:14   96512   ----a-w-   c:\windows\system32\dllcache\atapi.sys
            2010-03-02 06:28:14   96512   ------w-   c:\windows\system32\drivers\atapi.sys
            2009-12-31 16:50:03   353792   ------w-   c:\windows\system32\dllcache\srv.sys
            2009-12-21 13:19:18   173056   ------w-   c:\windows\system32\dllcache\ie4uinit.exe
            2009-12-16 18:43:27   343040   ------w-   c:\windows\system32\mspaint.exe
            2009-12-16 18:43:27   343040   ------w-   c:\windows\system32\dllcache\mspaint.exe
            2009-12-14 07:08:23   33280   ------w-   c:\windows\system32\dllcache\csrsrv.dll
            2009-12-14 07:08:23   33280   ------w-   c:\windows\system32\csrsrv.dll
            2009-12-09 05:53:44   726528   ----a-w-   c:\windows\system32\dllcache\jscript.dll
            2009-12-08 19:27:51   2189184   ------w-   c:\windows\system32\dllcache\ntoskrnl.exe
            2009-12-08 19:26:15   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
            2009-12-08 19:26:15   2145280   ------w-   c:\windows\system32\dllcache\ntkrnlmp.exe
            2009-12-08 18:43:51   2023936   ------w-   c:\windows\system32\ntkrnlpa.exe
            2009-12-08 18:43:51   2023936   ------w-   c:\windows\system32\dllcache\ntkrpamp.exe
            2009-12-08 18:43:50   2066048   ------w-   c:\windows\system32\dllcache\ntkrnlpa.exe
            2009-12-08 09:23:28   474112   ------w-   c:\windows\system32\dllcache\shlwapi.dll
            2009-12-04 18:22:22   455424   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
            2006-11-25 05:48:18   32   --sha-w-   c:\windows\sminst\HPCD.SYS

            ============= FINISH: 18:37:38.81 ===============

            UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
            IF REQUESTED, ZIP IT UP & ATTACH IT

            DDS (Ver_09-12-01.01)

            Microsoft Windows XP Professional
            Boot Device: \Device\HarddiskVolume1
            Install Date: 11/1/2009 2:24:06 PM
            System Uptime: 3/2/2010 6:30:16 PM (0 hours ago)

            Motherboard: ASUSTek Computer INC. |  | NODUSM3
            Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket AM2  | 2004/200mhz

            ==== Disk Partitions =========================

            C: is FIXED (NTFS) - 225 GiB total, 91.267 GiB free.
            D: is FIXED (FAT32) - 9 GiB total, 0.928 GiB free.
            E: is CDROM ()
            F: is Removable
            G: is Removable
            H: is Removable
            I: is Removable

            ==== Disabled Device Manager Items =============

            Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
            Description: Linksys Wireless-N PCI Adapter WMP300N
            Device ID: PCI\VEN_14E4&DEV_4329&SUBSYS_00601737&REV_01\4&DC268A3&0&5080
            Manufacturer: Linksys, A Division of Cisco Systems, Inc.
            Name: Linksys Wireless-N PCI Adapter WMP300N
            PNP Device ID: PCI\VEN_14E4&DEV_4329&SUBSYS_00601737&REV_01\4&DC268A3&0&5080
            Service: BCM43XX

            ==== System Restore Points ===================

            RP62: 12/3/2009 1:36:53 AM - System Checkpoint
            RP63: 12/4/2009 2:04:11 AM - System Checkpoint
            RP64: 12/5/2009 2:34:51 AM - System Checkpoint
            RP65: 12/6/2009 3:59:56 AM - System Checkpoint
            RP66: 12/7/2009 4:34:51 AM - System Checkpoint
            RP67: 12/8/2009 5:39:48 AM - System Checkpoint
            RP68: 12/9/2009 1:11:56 AM - Software Distribution Service 3.0
            RP69: 12/9/2009 5:36:50 PM - Software Distribution Service 3.0
            RP70: 12/9/2009 10:43:21 PM - Installed TBS WMP Plug-in
            RP71: 12/9/2009 10:52:03 PM - Configured TBS WMP Plug-in
            RP72: 12/9/2009 10:52:29 PM - Installed TBS WMP Plug-in
            RP73: 12/9/2009 11:03:53 PM - Configured TBS WMP Plug-in
            RP74: 12/10/2009 7:51:06 PM - Software Distribution Service 3.0
            RP75: 12/11/2009 8:48:37 AM - Avg8 Update
            RP76: 12/11/2009 10:52:06 PM - Avg8 Update
            RP77: 12/13/2009 2:21:48 AM - System Checkpoint
            RP78: 12/14/2009 2:51:17 AM - System Checkpoint
            RP79: 12/15/2009 3:48:41 AM - System Checkpoint
            RP80: 12/16/2009 4:39:34 AM - System Checkpoint
            RP81: 12/17/2009 5:39:35 AM - System Checkpoint
            RP82: 12/18/2009 6:40:39 AM - System Checkpoint
            RP83: 12/18/2009 9:25:23 AM - Avg8 Update
            RP84: 12/19/2009 9:39:34 AM - System Checkpoint
            RP85: 12/19/2009 8:56:23 PM - Software Distribution Service 3.0
            RP86: 12/20/2009 8:57:05 PM - System Checkpoint
            RP87: 12/21/2009 10:26:46 AM - Installed Batman: Arkham Asylum
            RP88: 12/21/2009 10:33:28 AM - Installed Batman: Arkham Asylum
            RP89: 12/21/2009 11:11:36 AM - Installed Batman: Arkham Asylum
            RP90: 12/22/2009 3:00:24 AM - Software Distribution Service 3.0
            RP91: 12/22/2009 8:22:29 AM - Avg8 Update
            RP92: 12/22/2009 12:12:16 PM - Installed DirectX
            RP93: 12/23/2009 3:00:31 AM - Software Distribution Service 3.0
            RP94: 12/23/2009 8:15:43 AM - Printer Driver Microsoft XPS Document Writer Installed
            RP95: 12/23/2009 1:04:47 PM - Software Distribution Service 3.0
            RP96: 12/23/2009 8:44:28 PM - Software Distribution Service 3.0
            RP97: 12/23/2009 9:45:33 PM - Software Distribution Service 3.0
            RP98: 12/24/2009 4:52:50 PM - Installed DirectX
            RP99: 12/24/2009 4:53:46 PM - Installed Microsoft Visual C++ 2005 Redistributable
            RP100: 12/24/2009 8:50:58 PM - Software Distribution Service 3.0
            RP101: 12/26/2009 1:35:15 AM - System Checkpoint
            RP102: 12/26/2009 3:40:51 PM - Installed Batman: Arkham Asylum
            RP103: 12/26/2009 4:55:12 PM - Installed DirectX
            RP104: 12/27/2009 7:08:57 PM - System Checkpoint
            RP105: 12/28/2009 3:26:15 PM - Software Distribution Service 3.0
            RP106: 12/29/2009 4:08:56 PM - System Checkpoint
            RP107: 12/30/2009 2:56:07 PM - Software Distribution Service 3.0
            RP108: 12/31/2009 9:46:04 AM - Avg8 Update
            RP109: 12/31/2009 9:02:48 PM - Installed DirectX
            RP110: 1/2/2010 3:13:41 AM - System Checkpoint
            RP111: 1/3/2010 3:29:19 AM - System Checkpoint
            RP112: 1/3/2010 2:54:28 PM - Software Distribution Service 3.0
            RP113: 1/4/2010 4:29:52 PM - System Checkpoint
            RP114: 1/5/2010 3:34:40 PM - Software Distribution Service 3.0
            RP115: 1/6/2010 4:27:53 PM - System Checkpoint
            RP116: 1/7/2010 4:49:32 PM - System Checkpoint
            RP117: 1/8/2010 5:36:27 PM - System Checkpoint
            RP118: 1/9/2010 3:44:27 PM - Software Distribution Service 3.0
            RP119: 1/10/2010 4:36:10 PM - System Checkpoint
            RP120: 1/11/2010 5:36:11 PM - System Checkpoint
            RP121: 1/11/2010 8:19:08 PM - Installed Sony Vegas Pro 8.0
            RP122: 1/11/2010 8:54:13 PM - Installed QuickTime
            RP123: 1/11/2010 9:19:59 PM - Removed QuickTime
            RP124: 1/11/2010 9:23:31 PM - Installed QuickTime
            RP125: 1/12/2010 1:10:35 AM - Software Distribution Service 3.0
            RP126: 1/13/2010 1:47:36 AM - System Checkpoint
            RP127: 1/13/2010 3:00:26 AM - Software Distribution Service 3.0
            RP128: 1/13/2010 6:07:26 AM - Software Distribution Service 3.0
            RP129: 1/14/2010 6:34:01 AM - System Checkpoint
            RP130: 1/14/2010 10:57:46 PM - Removed Batman: Arkham Asylum
            RP131: 1/18/2010 4:13:45 PM - Avg8 Update
            RP132: 1/18/2010 4:27:39 PM - Software Distribution Service 3.0
            RP133: 1/19/2010 3:02:37 PM - Software Distribution Service 3.0
            RP134: 1/20/2010 3:00:25 AM - Software Distribution Service 3.0
            RP135: 1/21/2010 3:52:40 AM - System Checkpoint
            RP136: 1/22/2010 2:02:17 AM - Software Distribution Service 3.0
            RP137: 1/22/2010 7:03:05 AM - Software Distribution Service 3.0
            RP138: 1/23/2010 7:22:04 AM - System Checkpoint
            RP139: 1/24/2010 8:22:10 AM - System Checkpoint
            RP140: 1/24/2010 3:14:32 PM - Installed DirectX
            RP141: 1/25/2010 6:52:54 PM - System Checkpoint
            RP142: 1/26/2010 8:44:21 AM - Avg8 Update
            RP143: 1/27/2010 9:21:57 AM - System Checkpoint
            RP144: 1/28/2010 3:50:17 PM - Software Distribution Service 3.0
            RP145: 1/29/2010 4:42:53 PM - System Checkpoint
            RP146: 1/30/2010 5:42:54 PM - System Checkpoint
            RP147: 1/31/2010 3:27:52 PM - Software Distribution Service 3.0
            RP148: 2/1/2010 6:54:01 PM - System Checkpoint
            RP149: 2/2/2010 10:47:34 PM - System Checkpoint
            RP150: 2/4/2010 12:28:02 AM - System Checkpoint
            RP151: 2/5/2010 3:32:28 AM - System Checkpoint
            RP152: 2/6/2010 4:26:17 AM - System Checkpoint
            RP153: 2/6/2010 1:33:47 PM - Software Distribution Service 3.0
            RP154: 2/7/2010 6:31:46 PM - System Checkpoint
            RP155: 2/8/2010 7:24:21 PM - System Checkpoint
            RP156: 2/9/2010 2:59:38 PM - Software Distribution Service 3.0
            RP157: 2/9/2010 9:54:31 PM - Software Distribution Service 3.0
            RP158: 2/11/2010 1:20:32 AM - System Checkpoint
            RP159: 2/12/2010 1:24:46 AM - System Checkpoint
            RP160: 2/16/2010 3:00:28 AM - System Checkpoint
            RP161: 2/16/2010 3:10:10 AM - Software Distribution Service 3.0
            RP162: 2/17/2010 3:00:26 AM - Software Distribution Service 3.0
            RP163: 2/18/2010 3:56:45 AM - System Checkpoint
            RP164: 2/19/2010 4:00:34 AM - System Checkpoint
            RP165: 2/19/2010 6:18:33 AM - Software Distribution Service 3.0
            RP166: 2/20/2010 6:49:04 AM - System Checkpoint
            RP167: 2/20/2010 2:41:49 PM - Software Distribution Service 3.0
            RP168: 2/21/2010 3:41:31 PM - System Checkpoint
            RP169: 2/22/2010 12:42:18 AM - Software Distribution Service 3.0
            RP170: 2/23/2010 1:40:38 AM - System Checkpoint
            RP171: 2/24/2010 3:46:52 AM - System Checkpoint
            RP172: 2/24/2010 6:03:35 PM - Software Distribution Service 3.0
            RP173: 2/24/2010 6:38:00 PM - Software Distribution Service 3.0
            RP174: 2/25/2010 7:43:07 PM - System Checkpoint
            RP175: 2/26/2010 8:34:41 PM - System Checkpoint
            RP176: 2/26/2010 11:15:16 PM - Installed Batman: Arkham Asylum
            RP177: 2/27/2010 12:27:27 AM - Installed DirectX
            RP178: 2/28/2010 12:41:25 AM - System Checkpoint
            RP179: 2/28/2010 3:00:30 AM - Software Distribution Service 3.0
            RP180: 3/1/2010 3:00:30 AM - Software Distribution Service 3.0
            RP181: 3/2/2010 3:32:31 AM - System Checkpoint

            ==== Installed Programs ======================

            µTorrent
            7-Zip 4.65
            Adobe Flash Player 10 ActiveX
            Adobe Flash Player 10 Plugin
            Adobe Reader 7.0.5
            AIM 7
            Apple Application Support
            Apple Software Update
            AutoUpdate
            AVG Free 9.0
            Batman: Arkham Asylum
            Borderlands
            Broadcom 802.11 Network Adapter
            BufferChm
            CCleaner
            CP_AtenaShokunin1Config
            CP_CalendarTemplates1
            cp_LightScribeConfig
            cp_OnlineProjectsConfig
            CP_Package_Basic1
            CP_Package_Variety1
            CP_Package_Variety2
            CP_Package_Variety3
            CP_Panorama1Config
            cp_PosterPrintConfig
            cp_UpdateProjectsConfig
            CueTour
            Customer Experience Enhancement
            Data Fax SoftModem with SmartCP
            Destinations
            DeviceFunctionQFolder
            DivX
            DivX Web Player
            Download Updater (AOL LLC)
            Dual-Core Optimizer
            Enhanced Multimedia Keyboard Solution
            eSupportQFolder
            FullDPAppQFolder
            High Definition Audio Driver Package - KB888111
            Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
            Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
            Hotfix for Windows Media Player 10 (KB903157)
            Hotfix for Windows Media Player 10 (KB910393)
            Hotfix for Windows XP (KB952287)
            Hotfix for Windows XP (KB954550-v5)
            Hotfix for Windows XP (KB961118)
            Hotfix for Windows XP (KB970653-v3)
            Hotfix for Windows XP (KB976098-v2)
            Hotfix for Windows XP (KB979306)
            HP Boot Optimizer
            HP Deskjet 5400 series
            HP DigitalMedia Archive
            HP DVD Play 2.1
            HP Image Zone Express
            HP Imaging Device Functions 7.0
            HP Photosmart for Media Center PC
            HP Photosmart Premier Software 6.5
            HP Solution Center & Imaging Support Tools 5.0
            HP Update
            HP Web Helper
            HPDeskjet5400Series
            HPPhotoSmartExpress
            HPProductAssistant
            HpSdpAppCoreApp
            ImgBurn
            InstantShareDevices
            J2SE Runtime Environment 5.0 Update 6
            Java(TM) 6 Update 16
            LightScribe  1.4.105.1
            Linksys Wireless-N PCI Adapter
            Malwarebytes' Anti-Malware
            Mass Effect
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1 Security Update (KB953297)
            Microsoft .NET Framework 2.0 Service Pack 2
            Microsoft .NET Framework 3.0 Service Pack 2
            Microsoft .NET Framework 3.5 SP1
            Microsoft Away Mode
            Microsoft Games for Windows - LIVE
            Microsoft Games for Windows - LIVE Redistributable
            Microsoft VC9 runtime libraries
            Microsoft Visual C++ 2005 Redistributable
            Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
            Mozilla Firefox (3.5.8)
            MSXML 4.0 SP2 (KB954430)
            MSXML 4.0 SP2 (KB973688)
            NVIDIA Drivers
            NVIDIA PhysX
            OpenOffice.org 3.1
            OptionalContentQFolder
            Otto
            PC-Doctor 5 for Windows
            PeerGuardian 2.0
            PhotoGallery
            Python 2.2 pywin32 extensions (build 203)
            Python 2.2.3
            QuickPar 0.9
            QuickTime
            RandMap
            RapidCRC 0.6.1
            Realtek High Definition Audio Driver
            Security Update for Step By Step Interactive Training (KB923723)
            Security Update for Windows Internet Explorer 8 (KB971961)
            Security Update for Windows Internet Explorer 8 (KB974455)
            Security Update for Windows Internet Explorer 8 (KB976325)
            Security Update for Windows Internet Explorer 8 (KB978207)
            Security Update for Windows Media Player (KB952069)
            Security Update for Windows Media Player (KB954155)
            Security Update for Windows Media Player (KB968816)
            Security Update for Windows Media Player (KB973540)
            Security Update for Windows Media Player 10 (KB911565)
            Security Update for Windows Media Player 6.4 (KB925398)
            Security Update for Windows XP (KB923561)
            Security Update for Windows XP (KB941569)
            Security Update for Windows XP (KB946648)
            Security Update for Windows XP (KB950762)
            Security Update for Windows XP (KB950974)
            Security Update for Windows XP (KB951066)
            Security Update for Windows XP (KB951376-v2)
            Security Update for Windows XP (KB951748)
            Security Update for Windows XP (KB952004)
            Security Update for Windows XP (KB952954)
            Security Update for Windows XP (KB954459)
            Security Update for Windows XP (KB955069)
            Security Update for Windows XP (KB956572)
            Security Update for Windows XP (KB956744)
            Security Update for Windows XP (KB956802)
            Security Update for Windows XP (KB956803)
            Security Update for Windows XP (KB956844)
            Security Update for Windows XP (KB957097)
            Security Update for Windows XP (KB958644)
            Security Update for Windows XP (KB958687)
            Security Update for Windows XP (KB958869)
            Security Update for Windows XP (KB959426)
            Security Update for Windows XP (KB960225)
            Security Update for Windows XP (KB960803)
            Security Update for Windows XP (KB960859)
            Security Update for Windows XP (KB961371-v2)
            Security Update for Windows XP (KB961501)
            Security Update for Windows XP (KB968537)
            Security Update for Windows XP (KB969059)
            Security Update for Windows XP (KB969947)
            Security Update for Windows XP (KB970238)
            Security Update for Windows XP (KB970430)
            Security Update for Windows XP (KB971468)
            Security Update for Windows XP (KB971486)
            Security Update for Windows XP (KB971557)
            Security Update for Windows XP (KB971633)
            Security Update for Windows XP (KB971657)
            Security Update for Windows XP (KB972270)
            Security Update for Windows XP (KB973354)
            Security Update for Windows XP (KB973507)
            Security Update for Windows XP (KB973525)
            Security Update for Windows XP (KB973869)
            Security Update for Windows XP (KB973904)
            Security Update for Windows XP (KB974112)
            Security Update for Windows XP (KB974318)
            Security Update for Windows XP (KB974392)
            Security Update for Windows XP (KB974455)
            Security Update for Windows XP (KB974571)
            Security Update for Windows XP (KB975025)
            Security Update for Windows XP (KB975467)
            Security Update for Windows XP (KB975560)
            Security Update for Windows XP (KB975713)
            Security Update for Windows XP (KB977165)
            Security Update for Windows XP (KB977914)
            Security Update for Windows XP (KB978037)
            Security Update for Windows XP (KB978251)
            Security Update for Windows XP (KB978262)
            Security Update for Windows XP (KB978706)
            SkinsHP1
            SlideShow
            SlideShowMusic
            SolutionCenter
            Sonic Express Labeler
            Sonic MyDVD Plus
            Sonic RecordNow Audio
            Sonic RecordNow Copy
            Sonic RecordNow Data
            Sonic Update Manager
            Sonic_PrimoSDK
            Sony Vegas Pro 8.0
            Spybot - Search & Destroy
            Status
            System Requirements Lab
            TrayApp
            Tropico 3 1.00
            Unload
            Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
            Update for Windows Internet Explorer 8 (KB975364)
            Update for Windows Internet Explorer 8 (KB976662)
            Update for Windows Internet Explorer 8 (KB976749)
            Update for Windows Media Player 10 (KB913800)
            Update for Windows XP (KB951978)
            Update for Windows XP (KB953356)
            Update for Windows XP (KB955759)
            Update for Windows XP (KB967715)
            Update for Windows XP (KB968389)
            Update for Windows XP (KB971737)
            Update for Windows XP (KB973687)
            Update for Windows XP (KB973815)
            Update Rollup 2 for Windows XP Media Center Edition 2005
            Updates from HP (remove only)
            VC 9.0 Runtime
            VC80CRTRedist - 8.0.50727.4053
            VLC media player 1.0.3
            WebFldrs XP
            WebReg
            Winamp
            Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
            Windows Genuine Advantage Validation Tool (KB892130)
            Windows Internet Explorer 8
            Windows Media Format Runtime
            Windows XP Media Center Edition 2005 KB908246
            Windows XP Media Center Edition 2005 KB912067
            Windows XP Media Center Edition 2005 KB973768
            Windows XP Service Pack 3
            WinRAR archiver
            Yume Nikki 0.10 English v3
            ZoneAlarm

            ==== Event Viewer Messages From Past Week ========

            3/2/2010 5:51:04 PM, error: System Error [1003]  - Error code 10000050, parameter1 e5346000, parameter2 00000000, parameter3 af5c7c3e, parameter4 00000001.
            3/2/2010 4:45:08 PM, error: System Error [1003]  - Error code 10000050, parameter1 e86aa000, parameter2 00000000, parameter3 8b382c3e, parameter4 00000001.
            3/2/2010 2:12:03 PM, error: Service Control Manager [7034]  - The Broadcom Wireless LAN Tray Service service terminated unexpectedly.  It has done this 1 time(s).
            3/2/2010 2:08:30 PM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
            3/2/2010 2:08:30 PM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
            3/1/2010 6:26:31 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  iaStor IntelIde ViaIde
            2/28/2010 5:53:58 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the WMP300NSvc service.
            2/27/2010 9:37:56 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
            2/27/2010 9:37:56 AM, error: Service Control Manager [7000]  - The TrueVector Internet Monitor service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

            ==== End Of File ===========================

            cldmafia

              Topic Starter
              Greenhorn
              Thanked: 1
              Re: Atapi.sys and other stuff
              « Reply #10 on: March 02, 2010, 07:40:58 PM »
              I tried following the GMER instructions and ran it, but it seems to never finish. I'll run it for a long time, but all it'll do is stop on svchost or some other file and never progress. My hard drive light won't blink or anything. My computer slows down massively while it's running and after it has stopped running; it'll freeze, and sometimes crash, all while stopping every other program that's running.

              Am I doing something wrong, or does it just take a really long time?

              evilfantasy

              • Malware Removal Specialist
              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: Atapi.sys and other stuff
              « Reply #11 on: March 03, 2010, 09:27:36 AM »
              Disable Spybot's TeaTimer

              While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with any fixes we make. Please disable TeaTimer for now until you are clean.

              1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
              2. Run Spybot S&D
              3. Go to the Mode menu, and make sure Advanced Mode is selected.
              4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.

              Note:
              If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

              If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

              ----------

              Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

              Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

              Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

              Exit out of MessengerDisable then delete the two files that were put on the desktop.

              ----------

              Your Java is out of date.
               
              Older versions have vulnerabilities that malicious sites can use to infect your system.
               
              First install the new Sun Java Runtime Environment

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close all browser windows before beginning the install.
               
              Remove the old version(s)
               
              Download JavaRa
              * Unzip the file and open the JavaRa.exe
              * Click Remove Older Versions
              * JavaRa will search for and remove any outdated version of Java and remove any that are found.
              * Click Additional Tasks
              * Place a check next to Remove Useless JRE Files and click Go
              * Exit JavaRa
              * Delete the JavaRa files from the desktop

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

              ----------

              RootRepeal - Rootkit Detector

              * Download the following tool: RootRepeal - Rootkit Detector
              * Direct download link is here: RootRepeal.zip

              * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
              * Click this link to see a list of such programs and how to disable them.

              * Extract the program file to a new folder such as C:\RootRepeal
              * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
              * Select ALL of the checkboxes and then click OK and it will start scanning your system.
              * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
              * When done, click on Save Report
              * Save it to the same location where you ran it from, such as C:\RootRepeal
              * Save it as rootrepeal.txt
              * Then open that log and select all and copy/paste it back on your next reply please.
              * Close RootRepeal.

              cldmafia

                Topic Starter


                Re: Atapi.sys and other stuff
                « Reply #12 on: March 03, 2010, 06:19:29 PM »
                ROOTREPEAL (c) AD, 2007-2009
                ==================================================
                Scan Start Time:      2010/03/03 17:06
                Program Version:      Version 1.3.5.0
                Windows Version:      Windows XP Media Center Edition SP3
                ==================================================

                Drivers
                -------------------
                Name: dump_atapi.sys
                Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                Address: 0xAD591000   Size: 98304   File Visible: No   Signed: -
                Status: -

                Name: dump_WMILIB.SYS
                Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                Address: 0xBADC6000   Size: 8192   File Visible: No   Signed: -
                Status: -

                Name: rootrepeal.sys
                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                Address: 0xACF61000   Size: 49152   File Visible: No   Signed: -
                Status: -

                Name: srescan.sys
                Image Path: srescan.sys
                Address: 0xBA4C4000   Size: 81920   File Visible: No   Signed: -
                Status: -

                SSDT
                -------------------
                #: 031   Function Name: NtConnectPort
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2553fc0

                #: 037   Function Name: NtCreateFile
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2550c80

                #: 041   Function Name: NtCreateKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256b170

                #: 046   Function Name: NtCreatePort
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2554580

                #: 047   Function Name: NtCreateProcess
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2568900

                #: 048   Function Name: NtCreateProcessEx
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2568b10

                #: 050   Function Name: NtCreateSection
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256cb10

                #: 056   Function Name: NtCreateWaitablePort
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2554670

                #: 062   Function Name: NtDeleteFile
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2551210

                #: 063   Function Name: NtDeleteKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256b9f0

                #: 065   Function Name: NtDeleteValueKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256b7a0

                #: 068   Function Name: NtDuplicateObject
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2568280

                #: 098   Function Name: NtLoadKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256bf10

                #: 099   Function Name: NtLoadKey2
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256bf90

                #: 116   Function Name: NtOpenFile
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2551070

                #: 122   Function Name: NtOpenProcess
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256a180

                #: 128   Function Name: NtOpenThread
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2569f40

                #: 192   Function Name: NtRenameKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256c6f0

                #: 193   Function Name: NtReplaceKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256c150

                #: 200   Function Name: NtRequestWaitReplyPort
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2553be0

                #: 204   Function Name: NtRestoreKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256c540

                #: 210   Function Name: NtSecureConnectPort
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2554190

                #: 224   Function Name: NtSetInformationFile
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2551440

                #: 247   Function Name: NtSetValueKey
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256b4e0

                #: 255   Function Name: NtSystemDebugControl
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2569200

                #: 257   Function Name: NtTerminateProcess
                Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2569080

                ==EOF==
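
Reading a RootRepeal log like the one above comes down to two questions: which kernel module owns each SSDT hook, and which loaded drivers have no visible file on disk without an obvious reason. The Python below is an added example, not part of this thread and not RootRepeal's own code; it parses the report layout and sorts entries into "expected" versus "REVIEW". The allow-lists are assumptions: vsdatant.sys is ZoneAlarm's TrueVector firewall driver, dump_* drivers are the crash-dump copies Windows keeps in memory only, rootrepeal.sys is the scanner's own driver, and srescan.sys is taken to be ZoneAlarm's anti-spyware driver. The sample report is constructed from the thread's layout, with unknown.sys added as a hypothetical driver so that both verdicts appear. A REVIEW verdict means "identify this module before trusting it", not "infected".

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report layout. The first entries mirror the
# thread's log; "unknown.sys" is a hypothetical driver added so both verdicts appear.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/03/03 17:06
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD591000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xACF61000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: unknown.sys
Image Path: C:\WINDOWS\system32\drivers\unknown.sys
Address: 0xB0000000   Size: 4096   File Visible: No   Signed: -
Status: -

SSDT
-------------------
#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb2550c80

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb256a180

#: 116   Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown.sys" at address 0xb0000100

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Processes|SSDT|Shadow SSDT|Hidden/Locked Files)$")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')

# Assumptions, not facts from the thread: modules whose presence in this report is expected.
KNOWN_HOOKERS = {"vsdatant.sys"}                      # ZoneAlarm TrueVector firewall driver
KNOWN_INVISIBLE = {"rootrepeal.sys", "srescan.sys"}   # the scanner itself; ZoneAlarm anti-spyware (assumed)


def parse_report(text):
    """Split a RootRepeal report into {section: [record, ...]} dicts of 'Key: value' fields."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            current = line
            sections[current] = []
            continue
        if current is None or line.startswith("---"):
            continue  # banner lines before the first section, or the dashed underline
        if not line or line == "==EOF==":
            if record:
                sections[current].append(record)
                record = {}
            continue
        # One physical line can carry several "Key: value" pairs separated by runs of spaces.
        for field in re.split(r"\s{2,}", line):
            key, sep, value = field.partition(": ")
            if sep:
                record[key] = value
    if record and current is not None:
        sections[current].append(record)
    return sections


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(sections):
    """Return [(verdict, detail), ...]; 'REVIEW' means identify the module, not 'infected'."""
    findings = []
    hooks = defaultdict(list)
    for rec in sections.get("SSDT", []):
        m = HOOK_RE.search(rec.get("Status", ""))
        if m:
            hooks[m.group("module")].append(rec.get("Function Name", "?"))
    # Group hooks by owning module: one security product hooking 25 entries is normal,
    # a module nobody can name hooking even one is what needs a look.
    for module, funcs in hooks.items():
        verdict = "expected" if basename(module) in KNOWN_HOOKERS else "REVIEW"
        findings.append((verdict, "%s hooks %d SSDT entries: %s"
                         % (module, len(funcs), ", ".join(sorted(funcs)))))
    for rec in sections.get("Drivers", []):
        name = rec.get("Name", "").lower()
        if name.startswith("dump_") or name in KNOWN_INVISIBLE:
            continue  # memory-only crash-dump copy or the scanner's driver: no file expected
        if rec.get("File Visible", "").lower() == "no" or rec.get("Status", "-") != "-":
            findings.append(("REVIEW", "%s: File Visible=%s, Status=%s"
                             % (rec.get("Image Path", name), rec.get("File Visible"),
                                rec.get("Status", "-"))))
    return findings


if __name__ == "__main__":
    for verdict, detail in triage(parse_report(SAMPLE_REPORT)):
        print("[%s] %s" % (verdict, detail))
```

Run against the full log in the post above, every SSDT entry collapses into a single "expected" line for vsdatant.sys, which is the same conclusion the next reply reaches by eye; the value of grouping by module is that a second hooking module, or a driver with no file and no known owner, stands out as one extra line instead of being buried among twenty-five ZoneAlarm entries.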

                evilfantasy

                • Malware Removal Specialist


                Re: Atapi.sys and other stuff
                « Reply #13 on: March 03, 2010, 06:54:55 PM »
                Looks fine. How is the computer running now?

                cldmafia

                  Topic Starter


                  Re: Atapi.sys and other stuff
                  « Reply #14 on: March 03, 2010, 07:04:49 PM »
                  My AVG hasn't been detecting anything and everything seems okay, but I don't really understand what's changed.

                  In any case, thank you a lot for your help! You're a proverbial life saver.


                  Oh one more thing.

                  It's okay to delete all the stuff that I downloaded and all those logs?