
Author Topic: atapi.sys infected with rootkit  (Read 27124 times)


Stillborn

    Topic Starter

    atapi.sys infected with rootkit
    « on: November 14, 2009, 06:33:25 PM »
    Subject says it all. I saw a thread where this was fixed but it contained instructions for that person's PC specifically. If someone could help me I'd be forever happy.

    AVG 9.0.707 with database 207.14.65/2503 (updated today) finds one infection...

    "C:\Windows\System32\drivers\atapi.sys";"Trojan horse Rootkit-Pakes.U";"Object is white-listed (critical/system file that should not be removed)"

    VirusTotal.com scan of that file url here...
    http://info.prevx.com/aboutprogramtext.asp?PX5=59EE877C50775149547100E34977E000F3151D00


    Stillborn

      Topic Starter

      Re: atapi.sys infected with rootkit
      « Reply #1 on: November 14, 2009, 06:35:22 PM »
      whoops, thought that was the URL for my scan, not an ad...

      http://www.virustotal.com/analisis/9816df12a64e8050142f41205d2b0ba5408c060f5ae2d8bd437274a57f4910a6-1258247996

      sorry for the bump

      evilfantasy

      • Malware Removal Specialist
      • Moderator
      Re: atapi.sys infected with rootkit
      « Reply #2 on: November 14, 2009, 06:42:48 PM »
      Welcome to CH.

      Please download SystemLook from one of the links below and save it to your desktop.

      Link #1
      Link #2

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      • Double-click SystemLook.exe to run it.
      • Copy the contents of the following codebox into the main textfield.
      Code:
      :filefind
      *atapi.sys

      • Click the Look button to start the scan.
      • Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
      • When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop, entitled SystemLook.txt.

      Stillborn

        Topic Starter

        Re: atapi.sys infected with rootkit
        « Reply #3 on: November 14, 2009, 06:50:18 PM »
        Thanks for the quick reply  :D

        SystemLook v1.0 by jpshortstuff (29.08.09)
        Log created at 20:51 on 14/11/2009 by Stillborn (Administrator - Elevation successful)

        ========== filefind ==========

        Searching for "*atapi.sys"
        C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
        C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
        C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

        -=End Of File=-
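The three hits in the log above share a size (21584 bytes) and timestamps, yet the copy under System32\drivers carries a different MD5 from the DriverStore and WinSxS copies; that comparison is the first thing a responder makes from a :filefind result. As an added example (not SystemLook's, DDS's or the thread's own code), this Python parser reads :filefind output in the v1.0 format posted above and flags any copy outside the component store whose hash differs from the store's copies. The sample log is re-typed from this post, and treating DriverStore/WinSxS as the trusted reference is an assumption of the script.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three result lines from the SystemLook log posted
# above, re-typed here so the script runs offline.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:51 on 14/11/2009 by Stillborn (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
"""

# One SystemLook v1.0 ':filefind' result line:
#   <path>   <attrs> <size> bytes   [<created>]   [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption: the copies Windows keeps under DriverStore and WinSxS are its own
# pristine copies of a driver, so they serve as the reference for the live copy.
REFERENCE_DIRS = ("\\driverstore\\", "\\winsxs\\")


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def is_reference_copy(path):
    lowered = path.lower()
    return any(marker in lowered for marker in REFERENCE_DIRS)


def find_mismatches(entries):
    """Group copies by file name and flag every copy outside the component
    store whose MD5 differs from the store's copies.  When no store copy is
    present, the most common hash among the copies is used as the reference."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)

    findings = []
    for name, copies in by_name.items():
        reference = {c["md5"] for c in copies if is_reference_copy(c["path"])}
        if not reference:
            reference = {Counter(c["md5"] for c in copies).most_common(1)[0][0]}
        ref_copy = next(c for c in copies if c["md5"] in reference)
        for copy in copies:
            if is_reference_copy(copy["path"]) or copy["md5"] in reference:
                continue
            # Same size and timestamps with a different hash is the pattern of a
            # file patched in place rather than replaced by a different build.
            same_metadata = (copy["size"], copy["created"], copy["modified"]) == (
                ref_copy["size"], ref_copy["created"], ref_copy["modified"])
            findings.append({
                "name": name,
                "path": copy["path"],
                "md5": copy["md5"],
                "reference_md5": sorted(reference),
                "metadata_matches": same_metadata,
            })
    return findings


def report(text):
    """Human-readable summary for a whole SystemLook log."""
    findings = find_mismatches(parse_filefind(text))
    if not findings:
        return "all copies of each file share the reference hash"
    lines = []
    for f in findings:
        note = "same size/timestamps, different content" if f["metadata_matches"] else "different build"
        lines.append(f"{f['path']}: MD5 {f['md5']} != reference {','.join(f['reference_md5'])} ({note})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```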

        evilfantasy

        • Malware Removal Specialist
        • Moderator
        Re: atapi.sys infected with rootkit
        « Reply #4 on: November 14, 2009, 07:20:36 PM »
        That looks fine so we need to gather some more information.

        Do another SystemLook scan, only use this as the input.

        Code:
        :filefind
        atapi.sys

        Next, run DDS and also post the 2 logs it creates.

        Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

        * Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

        * XP users Double click on dds to run it.
        * If your antivirus or firewall try to block DDS then please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please copy and paste the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copy and pasting it into the reply.

        Stillborn

          Topic Starter

          Re: atapi.sys infected with rootkit
          « Reply #5 on: November 14, 2009, 07:29:14 PM »
          SystemLook v1.0 by jpshortstuff (29.08.09)
          Log created at 21:25 on 14/11/2009 by Stillborn (Administrator - Elevation successful)

          ========== filefind ==========

          Searching for "atapi.sys"
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
          C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

          -=End Of File=-

          DDS (Ver_09-10-26.01) - NTFSx86 
          Run by Stillborn at 21:26:43.57 on Sat 11/14/2009
          Internet Explorer: 8.0.7600.16385
          Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2038.1075 [GMT -8:00]


          ============== Running Processes ===============

          C:\Windows\system32\wininit.exe
          C:\Windows\system32\lsm.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          C:\Windows\system32\svchost.exe -k RPCSS
          C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          C:\Windows\system32\svchost.exe -k NetworkService
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
          C:\Windows\system32\svchost.exe -k netsvcs
          C:\Windows\system32\svchost.exe -k LocalService
          C:\Windows\System32\spoolsv.exe
          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
          C:\Windows\system32\taskhost.exe
          C:\Windows\system32\Dwm.exe
          C:\Windows\Explorer.EXE
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
          C:\Windows\system32\SearchIndexer.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\Windows\system32\svchost.exe -k bthsvcs
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\Windows\System32\rundll32.exe
          C:\Windows\System32\igfxtray.exe
          C:\Windows\System32\igfxpers.exe
          C:\Windows\system32\igfxsrvc.exe
          C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
          C:\Program Files\Windows Media Player\wmpnetwk.exe
          C:\Program Files\mIRC\mirc.exe
          C:\Program Files\Mozilla Thunderbird\thunderbird.exe
          C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
          C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\System32\svchost.exe -k LocalServicePeerNet
          C:\Windows\system32\sppsvc.exe
          C:\Windows\explorer.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Windows\System32\svchost.exe -k WerSvcGroup
          C:\Windows\system32\SearchProtocolHost.exe
          C:\Windows\system32\SearchFilterHost.exe
          C:\Users\Stillborn\Desktop\SystemLook.exe
          C:\WINDOWS\notepad.exe
          C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe
          C:\Users\Stillborn\Desktop\dds.scr
          C:\Windows\system32\conhost.exe

          ============== Pseudo HJT Report ===============

          uInternet Settings,ProxyOverride = *.local
          uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
          BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
          BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
          BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
          BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
          BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
          TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
          mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
          mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
          mRun: [Persistence] c:\windows\system32\igfxpers.exe
          mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
          mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
          mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
          mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
          mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
          mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
          IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
          IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
          IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
          IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
          TCP: {7F36C277-8A6E-4765-882E-A47A069EB5E8} = 156.154.70.22,156.154.71.22
          TCP: {F1614A73-6CA9-4886-8059-17CFF70F595D} = 156.154.70.22,156.154.71.22
          Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
          Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
          Notify: igfxcui - igfxdev.dll
          AppInit_DLLs: c:\windows\system32\avgrsstx.dll c:\windows\system32\guard32.dll
          SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

          ================= FIREFOX ===================

          FF - ProfilePath - c:\users\stillb~1\appdata\roaming\mozilla\firefox\profiles\h8885fj1.default\
          FF - prefs.js: browser.startup.homepage - myspace.com | facebook.com | voice.google.com | wave.google.com
          FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
          FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
          FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
          FF - plugin: c:\program files\microsoft\office live\npOLW.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
          FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

          ============= SERVICES / DRIVERS ===============

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-13 333192]
          R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-13 360584]
          R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-14 128888]
          R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-14 29520]
          R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
          R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-13 285392]
          R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
          R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
          R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 9344]
          R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
          R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
          R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
          R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
          S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
          S3 utizmjqx;AVZ Kernel Driver;c:\windows\system32\drivers\utizmjqx.sys [2009-11-14 7168]

          =============== Created Last 30 ================

          2009-11-15 02:09:01   7168   ----a-w-   c:\windows\system32\drivers\utizmjqx.sys
          2009-11-15 02:08:25   0   d-----w-   c:\programdata\is-V3A02
          2009-11-15 01:44:48   0   d-s---w-   C:\ComboFix
          2009-11-14 23:22:58   98816   ----a-w-   c:\windows\sed.exe
          2009-11-14 23:22:58   77312   ----a-w-   c:\windows\MBR.exe
          2009-11-14 23:22:58   260608   ----a-w-   c:\windows\PEV.exe
          2009-11-14 23:22:58   161792   ----a-w-   c:\windows\SWREG.exe
          2009-11-14 22:39:02   0   d-----w-   c:\programdata\Comodo
          2009-11-14 22:39:00   29520   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
          2009-11-14 22:39:00   179792   ----a-w-   c:\windows\system32\guard32.dll
          2009-11-14 22:38:59   128888   ----a-w-   c:\windows\system32\drivers\cmdguard.sys
          2009-11-14 22:38:46   0   d-----w-   c:\program files\COMODO
          2009-11-14 21:28:00   0   d-----w-   c:\windows\pss
          2009-11-14 19:20:02   0   ---ha-w-   c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
          2009-11-14 10:40:40   0   d-----w-   c:\users\stillborn\Tracing
          2009-11-14 10:38:15   0   d-----w-   c:\program files\Microsoft Office Outlook Connector
          2009-11-14 10:37:30   3426072   ----a-w-   c:\windows\system32\d3dx9_32.dll
          2009-11-14 10:37:26   20   ----a-w-   c:\windows\Àö¥
          2009-11-14 10:37:26   0   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
          2009-11-14 10:36:46   0   d-----w-   c:\program files\Windows Live SkyDrive
          2009-11-14 10:29:28   0   d-----w-   c:\program files\Unlocker
          2009-11-14 10:22:42   0   d-----w-   c:\program files\common files\Windows Live
          2009-11-14 10:10:36   0   d-----w-   c:\program files\Microsoft
          2009-11-14 10:10:12   0   d-----w-   c:\program files\MSXML 4.0
          2009-11-14 09:26:38   0   dc-h--w-   c:\programdata\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
          2009-11-14 09:24:22   0   dc-h--w-   c:\programdata\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
          2009-11-14 09:24:04   0   d-----w-   c:\programdata\DriverScanner
          2009-11-14 09:24:04   0   d-----w-   c:\program files\Uniblue DriverScanner 2009
          2009-11-14 06:59:16   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
          2009-11-14 06:59:13   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2009-11-14 06:59:04   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2009-11-14 06:59:03   0   d-----w-   c:\windows\system32\drivers\Avg
          2009-11-14 06:58:37   0   d-----w-   c:\program files\AVG
          2009-11-14 06:58:34   0   d-----w-   c:\programdata\avg9
          2009-11-14 06:24:42   0   d-----w-   c:\users\stillb~1\appdata\roaming\Foxit
          2009-11-14 06:24:41   0   d-----w-   c:\program files\Foxit Software
          2009-11-14 05:29:42   0   d-----w-   c:\users\stillb~1\appdata\roaming\BitDefender
          2009-11-14 05:29:41   0   d-----w-   c:\programdata\BitDefender
          2009-11-14 05:29:41   0   d-----w-   c:\program files\BitDefender
          2009-11-14 05:26:54   0   d-----w-   c:\program files\common files\BitDefender
          2009-11-13 21:18:22   32656   ----a-w-   c:\windows\system32\msonpmon.dll
          2009-11-13 21:17:25   0   d-----w-   c:\program files\uTorrent
          2009-11-13 21:17:17   0   d-----w-   c:\users\stillb~1\appdata\roaming\uTorrent
          2009-11-13 21:14:38   0   d-----w-   c:\users\stillb~1\appdata\roaming\BitTorrent
          2009-11-13 21:12:54   0   d-----w-   c:\windows\PCHEALTH
          2009-11-13 21:10:47   0   d-----w-   c:\program files\Microsoft Visual Studio 8
          2009-11-13 21:09:44   0   d-----w-   c:\programdata\Microsoft Help
          2009-11-13 20:48:56   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
          2009-11-13 20:48:56   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
          2009-11-13 20:48:25   0   d-----w-   c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
          2009-11-13 20:48:25   0   d-----w-   c:\program files\iTunes
          2009-11-13 20:48:25   0   d-----w-   c:\program files\iPod
          2009-11-13 16:58:57   257024   ----a-w-   c:\windows\system32\msv1_0.dll
          2009-11-13 16:38:35   398336   ----a-w-   c:\windows\system32\TVWizudlg.exe
          2009-11-13 16:38:35   140288   ----a-w-   c:\windows\system32\igfxtvcx.dll
          2009-11-13 16:38:35   121232   ----a-w-   c:\windows\system32\IScrNB.bmp
          2009-11-13 16:38:35   0   d-----w-   c:\windows\system32\Lang
          2009-11-13 16:13:33   0   d-----w-   c:\program files\K-Lite Codec Pack
          2009-11-13 16:12:21   0   d-----w-   c:\program files\Ask.com
          2009-11-13 16:11:27   0   d-----w-   c:\program files\BitTorrent
          2009-11-13 15:57:39   0   d-----w-   c:\programdata\Ahead
          2009-11-13 15:54:32   0   d-----w-   c:\programdata\Nero
          2009-11-13 15:54:32   0   d-----w-   c:\program files\Nero
          2009-11-13 15:43:58   0   d-----w-   c:\users\stillb~1\appdata\roaming\Malwarebytes
          2009-11-13 15:43:55   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2009-11-13 15:43:53   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2009-11-13 15:43:52   0   d-----w-   c:\programdata\Malwarebytes
          2009-11-13 15:43:52   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2009-11-13 15:40:16   0   dc-h--w-   c:\programdata\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
          2009-11-13 15:39:40   0   dc-h--w-   c:\programdata\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
          2009-11-13 15:39:00   0   d-----w-   c:\users\stillb~1\appdata\roaming\Uniblue
          2009-11-13 15:39:00   0   d-----w-   c:\program files\Uniblue
          2009-11-13 15:37:03   0   d-----w-   c:\program files\Audacity
          2009-11-13 15:35:52   0   d-----w-   c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
          2009-11-13 15:34:39   0   d-----w-   c:\program files\Bonjour
          2009-11-13 15:33:53   0   d-----w-   c:\programdata\Apple Computer
          2009-11-13 15:33:17   0   d-----w-   c:\users\stillb~1\appdata\roaming\mIRC
          2009-11-13 15:32:40   0   d-----w-   c:\programdata\Apple
          2009-11-13 15:30:10   0   d-----w-   c:\programdata\Yahoo! Companion
          2009-11-13 15:28:56   0   d-----w-   c:\programdata\Yahoo!
          2009-11-13 15:28:49   0   d-----w-   c:\program files\Yahoo!
          2009-11-13 15:26:43   0   d-----w-   c:\programdata\PlotSoft
          2009-11-13 15:26:43   0   d-----w-   c:\program files\PlotSoft
          2009-11-13 15:25:46   0   d-sh--w-   c:\windows\Installer
          2009-11-13 15:25:08   0   d-----w-   c:\program files\WinSCP
          2009-11-13 15:23:43   0   d-----w-   c:\program files\PowerISO
          2009-11-13 15:13:18   713888   ----a-w-   c:\windows\system32\PerfStringBackup.INI
          2009-11-13 15:12:35   0   d-----w-   c:\windows\system32\wbem\Performance
          2009-11-13 15:11:07   997912   ----a-w-   c:\windows\system32\igxpun.exe
          2009-11-13 15:11:07   0   d-----w-   c:\windows\system32\x64
          2009-11-13 14:49:41   195456   ------w-   c:\windows\system32\MpSigStub.exe
          2009-11-13 14:29:12   0   d-----w-   c:\windows\Panther
          2009-11-03 22:50:06   0   d-----w-   C:\$AVG
          2009-10-29 16:07:36   0   d-----w-   C:\sk
          2009-10-29 16:05:51   0   d-----w-   C:\con
          2009-10-20 00:04:00   72200   ----a-w-   c:\windows\system32\drivers\BdfNdisf6.sys

          ==================== Find3M  ====================

          2009-10-13 18:00:00   85504   ----a-w-   c:\windows\system32\ff_vfw.dll
          2009-10-09 10:37:44   1096704   ----a-w-   c:\windows\system32\drivers\athr.sys
          2009-10-02 04:06:59   728648   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
          2009-09-03 07:04:15   1320960   ----a-w-   c:\windows\system32\CertEnroll.dll
          2009-08-29 06:57:31   34816   ----a-w-   c:\windows\system32\msasn1.dll
          2009-08-29 06:54:52   12625408   ----a-w-   c:\windows\system32\wmploc.DLL
          2009-08-19 07:20:32   442920   ----a-w-   c:\windows\system32\winresume.exe
          2009-08-19 07:20:31   507568   ----a-w-   c:\windows\system32\winload.exe
          2009-08-18 07:33:52   1193832   ----a-w-   c:\windows\system32\FM20.DLL
          2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfd.dat
          2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfc.dat
          2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfi.dat
          2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfh.dat
          2009-07-14 04:41:57   174   --sha-w-   c:\program files\desktop.ini
          2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfi.dat
          2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfh.dat
          2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfd.dat
          2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfc.dat
          2009-06-10 21:26:35   9633792   --sha-r-   c:\windows\fonts\StaticCache.dat
          2009-07-14 01:14:45   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

          ============= FINISH: 21:27:08.35 ===============

          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT

          DDS (Ver_09-10-26.01)

          Microsoft Windows 7 Home Premium
          Boot Device: \Device\HarddiskVolume1
          Install Date: 11/13/2009 7:08:16 AM
          System Uptime: 11/14/2009 8:06:36 PM (1 hours ago)

          Motherboard: Sony Corporation |  | VAIO
          Processor: Intel(R) Pentium(R) Dual  CPU  T2330  @ 1.60GHz | N/A | 1600/133mhz

          ==== Disk Partitions =========================

          C: is FIXED (NTFS) - 186 GiB total, 66.027 GiB free.
          D: is CDROM ()
          E: is FIXED (NTFS) - 0 GiB total, 0.01 GiB free.

          ==== Disabled Device Manager Items =============

          Class GUID:
          Description: Mass Storage Controller
          Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_902D104D&REV_00\4&23979A68&0&1AF0
          Manufacturer:
          Name: Mass Storage Controller
          PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_902D104D&REV_00\4&23979A68&0&1AF0
          Service:

          ==== System Restore Points ===================

          RP12: 11/13/2009 1:07:44 PM - Installed Microsoft Office Enterprise 2007
          RP13: 11/13/2009 9:28:57 PM - Installed BitDefender Internet Security 2010
          RP14: 11/13/2009 10:46:30 PM - Removed BitDefender Internet Security 2010
          RP15: 11/13/2009 10:58:23 PM - Installed AVG Free 9.0
          RP17: 11/14/2009 1:23:31 AM - Installed Uniblue DriverScanner v1.0
          RP18: 11/14/2009 1:37:42 AM - Uniblue RegistryBooster 2009
          RP19: 11/14/2009 2:09:02 AM - Windows Update
          RP20: 11/14/2009 8:54:06 AM - Windows Update
          RP21: 11/14/2009 2:42:26 PM - Device Driver Package Install: COMODO Network Service
          RP22: 11/14/2009 5:43:58 PM - Windows Update
          RP24: 11/14/2009 5:47:06 PM - Windows Update

          ==== Installed Programs ======================

          µTorrent
          Adobe Flash Player 10 ActiveX
          Adobe Flash Player 10 Plugin
          Apple Application Support
          Apple Mobile Device Support
          Apple Software Update
          Ask Toolbar
          Audacity 1.2.6
          AVG Free 9.0
          Bonjour
          COMODO Internet Security
          FLV Player 2.0 (build 25)
          Foxit Reader
          Intel(R) Graphics Media Accelerator Driver
          Intel(R) TV Wizard
          iTunes
          K-Lite Mega Codec Pack 5.2.0
          Malwarebytes' Anti-Malware
          Microsoft Application Error Reporting
          Microsoft Choice Guard
          Microsoft Office 2007 Service Pack 2 (SP2)
          Microsoft Office Access MUI (English) 2007
          Microsoft Office Access Setup Metadata MUI (English) 2007
          Microsoft Office Enterprise 2007
          Microsoft Office Excel MUI (English) 2007
          Microsoft Office Groove MUI (English) 2007
          Microsoft Office Groove Setup Metadata MUI (English) 2007
          Microsoft Office InfoPath MUI (English) 2007
          Microsoft Office Live Add-in 1.4
          Microsoft Office OneNote MUI (English) 2007
          Microsoft Office Outlook Connector
          Microsoft Office Outlook MUI (English) 2007
          Microsoft Office PowerPoint MUI (English) 2007
          Microsoft Office Proof (English) 2007
          Microsoft Office Proof (French) 2007
          Microsoft Office Proof (Spanish) 2007
          Microsoft Office Proofing (English) 2007
          Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
          Microsoft Office Publisher MUI (English) 2007
          Microsoft Office Shared MUI (English) 2007
          Microsoft Office Shared Setup Metadata MUI (English) 2007
          Microsoft Office Word MUI (English) 2007
          Microsoft Silverlight
          Microsoft SQL Server 2005 Compact Edition [ENU]
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
          Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
          mIRC
          Mozilla Firefox (3.5.2)
          Mozilla Thunderbird (2.0.0.23)
          MSVCRT
          MSXML 4.0 SP2 (KB954430)
          Nero 7 Ultra Edition
          neroxml
          PDFill PDF Editor with FREE PDF Writer and Tools
          PowerISO
          QuickTime
          Safari
          Security Update for 2007 Microsoft Office System (KB969559)
          Security Update for 2007 Microsoft Office System (KB973704)
          Security Update for Microsoft Office Excel 2007 (KB973593)
          Security Update for Microsoft Office Outlook 2007 (KB972363)
          Security Update for Microsoft Office PowerPoint 2007 (KB957789)
          Security Update for Microsoft Office Publisher 2007 (KB969693)
          Security Update for Microsoft Office system 2007 (972581)
          Security Update for Microsoft Office system 2007 (KB969613)
          Security Update for Microsoft Office system 2007 (KB974234)
          Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
          Uniblue DriverScanner 2009
          Uniblue PowerSuite 2009
          Uniblue RegistryBooster 2009
          Uniblue SpeedUpMyPC 2009
          Unlocker 1.8.8
          Update for 2007 Microsoft Office System (KB967642)
          Update for Microsoft Office 2007 Help for Common Features (KB963673)
          Update for Microsoft Office Access 2007 Help (KB963663)
          Update for Microsoft Office Excel 2007 Help (KB963678)
          Update for Microsoft Office Infopath 2007 Help (KB963662)
          Update for Microsoft Office OneNote 2007 Help (KB963670)
          Update for Microsoft Office Outlook 2007 Help (KB963677)
          Update for Microsoft Office Powerpoint 2007 Help (KB963669)
          Update for Microsoft Office Publisher 2007 Help (KB963667)
          Update for Microsoft Office Script Editor Help (KB963671)
          Update for Microsoft Office Word 2007 (KB974561)
          Update for Microsoft Office Word 2007 Help (KB963665)
          Update for Outlook 2007 Junk Email Filter (kb975960)
          Windows Live Call
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live ID Sign-in Assistant
          Windows Live Messenger
          Windows Live Movie Maker
          Windows Live Photo Gallery
          Windows Live Sync
          Windows Live Upload Tool
          WinRAR archiver
          WinSCP 4.1.9
          Yahoo! Messenger
          Yahoo! Software Update
          Yahoo! Toolbar

          ==== Event Viewer Messages From Past Week ========

          11/14/2009 8:20:53 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for Start with the following error:  Access is denied.
          11/14/2009 6:07:48 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:47 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
          11/14/2009 6:07:47 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
          11/14/2009 6:07:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
          11/14/2009 6:07:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
          11/14/2009 6:07:44 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
          11/14/2009 6:07:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
          11/14/2009 6:07:26 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX cmdGuard cmdHlp DfsC discache inspect NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:00:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 5:59:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7034]  - The Application Information service terminated unexpectedly.  It has done this 1 time(s).
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The IP Helper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Application Experience service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:49:26 PM, Error: Microsoft-Windows-WMPNSS-Service [14332]  - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Microsoft Office Word 2007 (KB974561).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Microsoft Office Outlook 2007 (KB969907).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB973704).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Publisher 2007 (KB969693).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706be: Security Update for Microsoft Office Word 2007 (KB969604).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB974234).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB972581).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB969613).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB969559).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Visual C++ 2008 Redistributable Package (KB973924).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft PowerPoint 2007 (KB957789).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Visio Viewer 2007 (KB973709).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Outlook 2007 (KB972363).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Excel 2007 (KB973593).
          11/14/2009 3:36:22 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
          11/14/2009 12:37:24 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 5 time(s).
          11/14/2009 12:18:57 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 4 time(s).
          11/14/2009 12:13:35 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 3 time(s).
          11/14/2009 12:08:38 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Error Reporting Service service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 12:03:38 PM, Error: Service Control Manager [7031]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
          11/14/2009 11:57:46 AM, Error: Service Control Manager [7031]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 11:55:34 AM, Error: Schannel [36888]  - The following fatal alert was generated: 10. The internal error state is 10.
          11/14/2009 1:36:20 PM, Error: Service Control Manager [7023]  - The Superfetch service terminated with the following error:  The data is invalid.
          11/14/2009 1:36:18 PM, Error: Service Control Manager [7023]  - The Function Discovery Provider Host service terminated with the following error:  %%-2147467243
          11/14/2009 1:36:18 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  %%-2147467243
          11/14/2009 1:36:17 PM, Error: Service Control Manager [7024]  - The Computer Browser service terminated with service-specific error The service has not been started..
          11/14/2009 1:36:17 PM, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  The service has not been started.
          11/14/2009 1:36:17 PM, Error: BROWSER [8017]  - The browser has failed to start because the dependent service LanmanServer had invalid service status 3. Status             Meaning   1              Service Stopped    2              Start Pending    3              Stop Pending    4              Running    5              Continue Pending    6              Pause Pending    7              Paused
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error:  A system shutdown has already been scheduled.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error:  A system shutdown has already been scheduled.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The Power service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:32:32 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
          11/14/2009 1:25:37 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 9 time(s).
          11/14/2009 1:20:26 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 8 time(s).
          11/14/2009 1:08:33 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 7 time(s).
          11/14/2009 1:00:01 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 6 time(s).
          11/13/2009 12:47:38 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error:  An instance of the service is already running.
          11/13/2009 12:46:37 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/13/2009 12:46:11 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

          ==== End Of File ===========================

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: atapi.sys infected with rootkit
          « Reply #6 on: November 14, 2009, 07:53:07 PM »
          I see you installed ComboFix. I need that log please. It can be found in C:\combofix.txt

          Also please scan this file at VirusTotal and post the link to the results back here.

Code:
          c:\windows\system32\drivers\utizmjqx.sys
          After that uninstall:

          • Ask Toolbar

          Stillborn

            Topic Starter


            Rookie

            Re: atapi.sys infected with rootkit
            « Reply #7 on: November 14, 2009, 08:06:43 PM »
I didn't run ComboFix. When I tried to run it I got a warning that it should not be run on a live machine since it was still beta for Win 7. Is it safe to run?

Good find on that other .sys, btw; neither AVG nor Kaspersky caught it...
            http://www.virustotal.com/analisis/7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237-1258253811

            As for Ask Toolbar, I noticed it when I posted my previous post. I generally un-tick all toolbars when I'm installing something. Looks like I was in a hurry on that one lol

            evilfantasy

            Re: atapi.sys infected with rootkit
            « Reply #8 on: November 14, 2009, 08:34:01 PM »
Quote
I got a warning that it should not be run on a live machine since it was still beta for Win 7. Is it safe to run?

Windows 7 is not in Beta any more. It's gone to retail level and the Betas are no longer supported. You need to get a licensed version of Windows installed, which means reformatting and reinstalling, which will remove any malware in the process. You can try running it, but the result might be a broken OS. Your choice.

            Stillborn


              Re: atapi.sys infected with rootkit
              « Reply #9 on: November 14, 2009, 08:41:26 PM »
No, I have Windows 7 final. I reformatted it yesterday morning from beta, and in the process of getting some software I picked up the virus.

ComboFix gives me the warning.

              http://i34.tinypic.com/1z705s2.jpg

              evilfantasy

              Re: atapi.sys infected with rootkit
              « Reply #10 on: November 14, 2009, 08:48:56 PM »
This is a 64-bit machine?

              Stillborn


                Re: atapi.sys infected with rootkit
                « Reply #11 on: November 14, 2009, 08:53:07 PM »
It's 32-bit.

                evilfantasy

                Re: atapi.sys infected with rootkit
                « Reply #12 on: November 14, 2009, 09:10:37 PM »
OK, let's try a different approach.

                Go to Start > Run > type Notepad.exe and click OK to open Notepad.

                Copy all of the text in the below Code box into Notepad.

Code:
@echo off
REM Copy the clean atapi.sys kept in the DriverStore to the root of C:
REM (writing to C:\ on Windows 7 needs an elevated prompt, otherwise the copy is denied)
copy C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys c:\atapi.sys
exit

                In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

                Now double click the event.bat file you just created and let it finish. If you can't tell when it's finished look for a file in C: named atapi.sys.



                Download The Avenger by Swandog46 and save it to your desktop.

                * Extract avenger.exe from the Zip file and save it to your Desktop
                * Run avenger.exe by double-clicking on it.
                * Do not change any check box options!!
                * Copy everything in the Code box below, and paste it into the Input script here window:

Code:
                Comment:

                Files to delete:
                c:\windows\system32\drivers\utizmjqx.sys

                Files to move:
                c:\atapi.sys | C:\Windows\System32\drivers\atapi.sys

                * Now click the Execute button.
                * Click Yes to the prompt to confirm you want to execute.
                * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
                * Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

                * Add the Avenger log in your next post.

                Stillborn


                  Re: atapi.sys infected with rootkit
                  « Reply #13 on: November 14, 2009, 09:29:52 PM »
When I ran the batch, cmd would flash and go away, but atapi.sys would not be in C:\. Since I couldn't see the error, I ran the copy command in CMD itself instead of from the .bat; access was denied. I ran an elevated cmd and used the copy command, and it copied the file fine. I then ran The Avenger...

                  Logfile of The Avenger Version 2.0, (c) by Swandog46
                  http://swandog46.geekstogo.com

                  Platform:  Windows Vista

                  *******************

                  Script file opened successfully.
                  Script file read successfully.

                  Backups directory opened successfully at C:\Avenger

                  *******************

                  Beginning to process script file:

                  Rootkit scan active.
                  No rootkits found!

                  File "c:\windows\system32\drivers\utizmjqx.sys" deleted successfully.
                  File move operation "c:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

                  Completed script processing.

                  *******************

                  Finished!  Terminate.
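The replace procedure in Reply #12 and the access-denied result in Reply #13 suggest a check worth running before and after the swap: does the live atapi.sys match the DriverStore copy, and does it still carry a valid Microsoft signature? The PowerShell script below is an added example, not from the thread, from The Avenger or from any tool named here; it assumes PowerShell 4.0 or newer (for Get-FileHash) and the DriverStore path quoted in Reply #12, which differs between Windows builds.

```powershell
# Added example (not from the thread): compare the live atapi.sys with the
# DriverStore copy and check its Authenticode signature.
# The DriverStore path is the one quoted in Reply #12 and is an assumption.
param(
    [string]$LiveDriver  = "$env:SystemRoot\System32\drivers\atapi.sys",
    [string]$StoreDriver = "$env:SystemRoot\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys"
)

# Reply #13 shows the copy failing with "access denied" from an ordinary prompt:
# C:\ and System32\drivers are both protected, so insist on an elevated token up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Run this from an elevated (Run as administrator) PowerShell prompt."
    exit 1
}

foreach ($path in @($LiveDriver, $StoreDriver)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Error "Missing file: $path"
        exit 1
    }
}

# Compare content, not size or timestamp: a driver patched in place can keep
# the original length and dates, which is why the AVG hit in this thread is on
# a file that otherwise looks like the genuine system driver.
$liveHash  = (Get-FileHash -LiteralPath $LiveDriver  -Algorithm SHA256).Hash
$storeHash = (Get-FileHash -LiteralPath $StoreDriver -Algorithm SHA256).Hash

# Signature status of the live file: a genuine Microsoft driver verifies as
# 'Valid'; a patched copy comes back as 'HashMismatch' or 'NotSigned'.
$sig    = Get-AuthenticodeSignature -LiteralPath $LiveDriver
$signer = $null
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

[pscustomobject]@{
    LiveSHA256      = $liveHash
    StoreSHA256     = $storeHash
    MatchesStore    = ($liveHash -eq $storeHash)
    SignatureStatus = $sig.Status
    Signer          = $signer
} | Format-List

if ($liveHash -ne $storeHash -or $sig.Status -ne 'Valid') {
    Write-Warning "Live atapi.sys differs from the DriverStore copy or fails signature verification."
    Write-Warning "Replace it from the DriverStore copy (the Reply #12 steps) and run this check again."
    exit 2
}
Write-Host "Live atapi.sys matches the DriverStore copy and carries a valid signature."
```

Hash equality only shows that the live file matches the DriverStore copy, so the signature status is the independent check. A driver-level rootkit that is still loaded can hide its changes from user-mode reads, so a clean result is most trustworthy when the check is repeated after the reboot that follows the replacement.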

                  evilfantasy

                  Re: atapi.sys infected with rootkit
                  « Reply #14 on: November 14, 2009, 09:38:08 PM »
                  Glad you figured it out!

                  That should have replaced the infected file.

                  I am concerned about this.

                  Quote
                  2009-11-15 02:08:25   0   d-----w-   c:\programdata\is-V3A02

It was created 34 seconds before the utizmjqx.sys file was, so it might also be malware. I think it's an empty folder, and if so then I would delete it.

                  Also run a good online scanner to make sure nothing else is hiding.

                  First run CCleaner. Download CCleaner Slim and save it to your desktop.
                  When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
                  Follow the prompts to install the program.
                  Complete the installation then:

                  • Double-click the CCleaner shortcut on the desktop to start the program.
                  • Click on the Options block on the left, then choose Cookies.
                    • Under Cookies to Delete, highlight any cookies you would like to retain permanently
                    • Click the right arrow > to move them to the Cookies to Keep window.
• Go into Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"
                  • Click Cleaner on the left then Run Cleaner on the right to run the program.
                  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner
                  • Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
                  • Exit CCleaner after it has completed its process.
Note: CCleaner is a 100% free tool. I suggest keeping it and running it regularly to keep your computer running smoothly.

                  ----------

                  ESET Online Scan

                  Scan your computer with the ESET FREE Online Virus Scan

                  * Click the ESET Online Scanner button.

                  * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                  * Place a check mark next to YES, I accept the Terms of Use.

                  * Click the Start button.
                  * Accept any security warnings from your browser.
                  * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                  * Click the Start button.
                  * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                  * When the scan completes, click List of found threats.
                  * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                  * Click the <<Back button then click Finish.

                  In your next reply please include the ESET Online Scan Log