Computer Hope

Software => Computer viruses and spyware => Topic started by: gange on February 20, 2010, 10:15:02 AM

Title: infected atapi.sys file
Post by: gange on February 20, 2010, 10:15:02 AM
Received a warning from AVG that atapi.sys had a Trojan horse rootkit agent EF.

This was not found by Malwarebytes. Checked http://virusscan.jotti.org/ and found this file had several infections.
Now I can't delete atapi.sys, but I do have a clean file I could use (and registry keys); was wondering if anyone knew how to replace the old atapi.sys with the new one (cannot find the Windows installation CD),
or is there an easier way to replace this file using ComboFix (already used this to clean the file, but it's still infected)?
Any help greatly appreciated.
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 20, 2010, 10:28:03 AM
Quote
Now I can't delete atapi.sys, but I do have a clean file I could use (and registry keys); was wondering if anyone knew how to replace the old atapi.sys with the new one (cannot find the Windows installation CD)

DO NOT delete it! Your computer will no longer boot.

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: infected atapi.sys file
Post by: gange on February 20, 2010, 11:10:25 AM
Thanks for the reply.

Here is the ComboFix log (I had already downloaded the version from where you suggested earlier today):

ComboFix 10-02-19.04 - Owner 0-Feb-2010  15:25:29.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\BITS
c:\documents and settings\Owner\Application Data\BITS\BITS.ini
c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat
c:\documents and settings\Owner\Application Data\BITS\pl.dat
c:\documents and settings\Owner\Application Data\BITS\ProxyList.ini
c:\documents and settings\Owner\Application Data\FlashGetBHO
c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\Owner\Start Menu\Programs\Mafia
C:\Documents
C:\System
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\Mafia
c:\windows\struct~.ini
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\system32\secustat.dat
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_MESSAGE_SERVICE


(((((((((((((((((((((((((   Files Created from 2010-01-20 to 2010-02-20  )))))))))))))))))))))))))))))))
.

2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 15:10 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-02-06 17:05   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-08-19 . DE891AD282E856ACFD40990094A63B6F . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TudouVAStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-goxtRTinQ - setrsptb.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-xFEj33O - shlhupnp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sprz.sys >>UNKNOWN [0x82EA8938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS:  -> SendCompleteHandler -> 0x0
 PacketIndicateHandler -> 0x0
 SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""


--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-20  15:48:21 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-20 15:48

Pre-Run: 31,553,204,224 bytes free
Post-Run: 31,483,396,096 bytes free

- - End Of File - - C3400B7FC6FEF597D794892895B05586
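An added example (not from this thread, from ComboFix, or from its author): a small Python script that parses the Sigcheck section of a ComboFix log like the one above and flags an in-use driver under system32\drivers whose MD5 differs from every verified copy of the same name and byte size, which is exactly the pattern the atapi.sys lines show. It assumes `[7]` is ComboFix's mark for a catalog-verified copy and `[-]` for an unverified one; the `example.sys` lines in the sample are constructed.

```python
import re
from collections import defaultdict

# One Sigcheck line of a ComboFix log, as in the log above:
#   [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*)$"
)

# Directory holding the copy Windows actually loads at boot.
ACTIVE_DIR = "\\system32\\drivers\\"
# Assumption about ComboFix's notation: "[7]" marks a copy verified
# against the Windows file catalogs, "[-]" one that could not be verified.
VERIFIED_FLAG = "7"

# Sample input: the atapi.sys and tcpip.sys lines from the log above, plus
# a constructed example.sys whose in-use copy matches its verified
# reference and therefore must not be flagged.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2009-01-01 . 00112233445566778899AABBCCDDEEFF . 4096 . . [1.0.0.0] . . c:\windows\ServicePackFiles\i386\example.sys
[7] 2009-01-01 . 00112233445566778899AABBCCDDEEFF . 4096 . . [1.0.0.0] . . c:\windows\system32\drivers\example.sys
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def find_suspect_drivers(entries):
    """Flag an in-use driver whose MD5 matches none of the verified copies
    with the same file name and the same byte size.  A same-size hash
    mismatch is what an in-place patched driver looks like; a legitimate
    update normally changes the size and version as well."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, copies in by_name.items():
        active = [c for c in copies if ACTIVE_DIR in c["path"]]
        refs = [c for c in copies
                if c["flag"] == VERIFIED_FLAG and ACTIVE_DIR not in c["path"]]
        for a in active:
            same_size = [r for r in refs if r["size"] == a["size"]]
            if not same_size:
                continue  # no comparable verified copy: cannot judge
            ref_md5s = {r["md5"] for r in same_size}
            if a["md5"] in ref_md5s:
                continue  # identical to a verified copy: not suspicious
            findings.append({
                "name": name,
                "path": a["path"],
                "size": a["size"],
                "active_flag": a["flag"],
                "active_md5": a["md5"],
                "reference_md5s": ref_md5s,
                "reference_paths": sorted(r["path"] for r in same_size),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspect_drivers(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{f['name']}: in-use copy {f['active_md5']} [{f['active_flag']}] "
              f"({f['size']} bytes) differs from verified copies "
              f"{sorted(f['reference_md5s'])} at {f['reference_paths']}")
```

Run on the lines above it reports atapi.sys and also tcpip.sys, whose in-use copy shares size and version with the dllcache copy but not its hash; treat that as a lead to check against a known-good copy, not as a verdict.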
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 20, 2010, 11:29:16 AM
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the Code box below:
Code:
c:\windows\system32\drivers\xrhdbctp.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Also scan this file and post the link to the results.

Code:
c:\windows\system32\drivers\etqmhlnl.sys
----------

Download GMER Rootkit Detector (http://majorgeeks.com/GMER_d5198.html) and save it to your desktop.
 
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to the clipboard.
* Post the log in your reply.
Title: Re: infected atapi.sys file
Post by: gange on February 20, 2010, 12:45:27 PM
I tried doing what you suggested, but on that website it just says that I've specified one or more files that could not be found.
Those two files don't exist anymore; I have no idea why.
Searching for them only finds C:\WINDOWS\system32\MpEngineStore\RebootActions\xrhdbctp.dat. I did a check on this file path: http://virusscan.jotti.org/en-GB/scanresult/90cfb4f593083172c1c9abf7cb5d557ebb7c7dd7

And the second one is exactly the same, C:\WINDOWS\system32\MpEngineStore\RebootActions\etqmhlnl.dat: http://virusscan.jotti.org/en-GB/scanresult/237b4d2126087569093d75d59bfbed8e07d3ece1

Both scans reveal nothing found.

As for the GMER log: I have started the scan; hopefully it won't take much longer.
I will post the log shortly.

Thanks for your help,
it's much appreciated!
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 20, 2010, 02:30:44 PM
How is the GMER scan coming?

Be sure to do this. Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
Title: Re: infected atapi.sys file
Post by: gange on February 20, 2010, 06:59:26 PM
OK, so while I was doing the GMER scan the power for the whole neighbourhood went out. Great.

Now, eventually, here is the log.
There is an obvious issue with atapi.sys, which I'm still getting warnings about.
Hope you can help (I will be offline for a few hours while I get some sleep; it's 2am in the UK).



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 01:46:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT            spit.sys                                                                                              ZwCreateKey [0xF837E0E0]
SSDT            spit.sys                                                                                              ZwEnumerateKey [0xF839CCA4]
SSDT            spit.sys                                                                                              ZwEnumerateValueKey [0xF839D032]
SSDT            spit.sys                                                                                              ZwOpenKey [0xF837E0C0]
SSDT            spit.sys                                                                                              ZwQueryKey [0xF839D10A]
SSDT            spit.sys                                                                                              ZwQueryValueKey [0xF839CF8A]
SSDT            spit.sys                                                                                              ZwSetValueKey [0xF839D19C]

INT 0x62        ?                                                                                                     82EF6BF8
INT 0x82        ?                                                                                                     82EF6BF8
INT 0x83        ?                                                                                                     82C4CBF8
INT 0xA4        ?                                                                                                     82C4CBF8
INT 0xB4        ?                                                                                                     82C4CBF8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!_abnormal_termination + 169                                                              804E27C5 3 Bytes  [CC, 39, F8] {INT 3 ; CMP EAX, EDI}
?               spit.sys                                                                                              The system cannot find the file specified. !
.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                 entry point in ".rsrc" section [0xF83057A4]
.text           USBPORT.SYS!DllUnload                                                                                 F78588AC 5 Bytes  JMP 82C4C1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                    82EF82D8
IAT             pci.sys[ntoskrnl.exe!IoDetachDevice]                                                                  [F83AFC4C] spit.sys
IAT             pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                                     [F83AFCA0] spit.sys
IAT             \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                  82C4C2D8
IAT             \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                    [F838EE9C] spit.sys

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                82EF51F8
Device          \FileSystem\Fastfat \FatCdrom                                                                         82C041F8

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\NetBT \Device\NetBT_Tcpip_{B9CCBD70-9E0C-484E-9FF4-5963A29B4F59}                              82B16500
Device          \Driver\usbuhci \Device\USBPDO-0                                                                      82C4B1F8
Device          \Driver\usbuhci \Device\USBPDO-1                                                                      82C4B1F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                      82C4B1F8
Device          \Driver\usbehci \Device\USBPDO-3                                                                      82C29500
Device          \Driver\NetBT \Device\NetBT_Tcpip_{FD9B5674-C527-4B71-ABEA-C86624BE26AD}                              82B16500

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                             avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\prodrv06 \Device\ProDrv06                                                                     E1D06008
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                82E891F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                82E891F8
Device          \Driver\Cdrom \Device\CdRom0                                                                          82B431F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                           [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                           prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdePort0                                                                    [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0                                                                    prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdePort1                                                                    [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                    prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                           [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                           prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\prohlp02 \Device\ProHlp02                                                                     E1008360
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                               82B16500
Device          \Driver\NetBT \Device\NetbiosSmb                                                                      82B16500

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                             avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                           avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\usbuhci \Device\USBFDO-0                                                                      82C4B1F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                      82C4B1F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                     829581F8
Device          \Driver\usbuhci \Device\USBFDO-2                                                                      82C4B1F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                           829581F8
Device          \Driver\usbehci \Device\USBFDO-3                                                                      82C29500
Device          \Driver\Ftdisk \Device\FtControl                                                                      82E891F8
Device          \FileSystem\Fastfat \Fat                                                                              82C041F8

AttachedDevice  \FileSystem\Fastfat \Fat                                                                              fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \FileSystem\Cdfs \Cdfs                                                                                823DB1F8

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                    771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                    285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                    1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                0x58 0x00 0x6B 0x85 ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x58 0x00 0x6B 0x85 ...

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                                 suspicious modification

---- EOF - GMER 1.0.15 ----
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 20, 2010, 07:09:17 PM
Quote
hope you can help (will be offline for a few hours while I get some sleep (2am in UK))

No worries. Get some rest so you can have a clear head. I'll be around whenever you get back to it.



1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

FCopy::
c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

----------

Next post please add:

Title: Re: infected atapi.sys file
Post by: gange on February 21, 2010, 03:51:46 AM
OK, so the atapi.sys file seems to be clean now after that ComboFix.

Tried doing the RootRepeal exactly as you showed, but a grey block comes up saying "please wait, initializing" - this stays the same for over 20 mins (I gave up). The page file maxes out and CPU usage is 100% for all this time - so maybe I need to be more patient, but it seemed unnecessary to hog so many resources for all that time (could have gone on forever).

I hope you can tell me if there's anything else I can do as an alternative, and whether the ComboFix log below shows up any other problems.

thanks again.




ComboFix 10-02-19.04 - Owner 1-Feb-2010   9:37.2.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
.

2010-02-21 09:27 . 2004-08-04 05:00   95360   ----a-w-   C:\atapi.sys
2010-02-20 16:06 . 2010-02-20 16:06   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG9
2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 19:03 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-02-06 17:05   916480   ------w-   c:\windows\system32\wininet.dll
2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 09:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82EF61F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS:  -> SendCompleteHandler -> 0x0
 PacketIndicateHandler -> 0x0
 SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21  09:57:19 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-21 09:57
ComboFix2.txt  2010-02-20 15:48

Pre-Run: 31,761,469,440 bytes free
Post-Run: 31,720,009,728 bytes free

- - End Of File - - 7325B3571794845FC4525A152B369C4A
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 21, 2010, 11:21:27 AM
I left something out of the fix. Sorry...

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
etqmhlnl
xrhdbctp

DDS::
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
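As an added example (my own code, not a script from this thread or from ComboFix), here is a small Python triage that applies the two checks the reply above acted on to ComboFix log lines: services whose driver file is reported missing (`[?]`) and corroborated by a random-looking name, a Temp-directory path or a boot/system start type, plus the Trusted Zone entries, rendered in the CFScript layout used in the thread. The sample lines are copied from the log posted above; the heuristics, the `keep_zones` allowlist and all function names are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample ComboFix log lines, copied from the log posted earlier in this thread
# (service lines from the driver list, Trusted Zone lines from the
# Supplementary Scan). The two healthy service lines give the filter
# something it must leave alone.
SAMPLE_LOG = """\
R0 sptd;sptd;c:\\windows\\system32\\drivers\\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [10-Nov-2009 21:46 360584]
S1 etqmhlnl;etqmhlnl;\\??\\c:\\windows\\system32\\drivers\\etqmhlnl.sys --> c:\\windows\\system32\\drivers\\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\\??\\c:\\windows\\system32\\drivers\\xrhdbctp.sys --> c:\\windows\\system32\\drivers\\xrhdbctp.sys [?]
S3 zlportio;zlportio;\\??\\c:\\windows\\Temp\\tmp000041190\\zlportio.sys --> c:\\windows\\Temp\\tmp000041190\\zlportio.sys [?]
Trusted Zone: apple.com\\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internetsecurity10.com
"""

# ComboFix service line: "<R|S><start type> name;description;path [date size]";
# when the file is absent the path is followed by "--> <resolved path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$"
)
ZONE_RE = re.compile(r"^Trusted Zone: (?P<entry>\S+)$")

Service = Dict[str, object]


def parse_service(line: str) -> Optional[Service]:
    """Split one ComboFix service line into fields; None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith("[?]")
    if missing:
        path = rest.split(" --> ")[-1][: -len(" [?]")]
    else:
        path = rest.rsplit(" [", 1)[0]
    return {
        "state": m.group("state"),        # R = running, S = stopped
        "start": int(m.group("start")),   # 0 boot, 1 system, 2 auto, 3 demand
        "name": m.group("name"),
        "desc": m.group("desc"),
        "path": path,
        "missing": missing,
    }


def looks_random(name: str) -> bool:
    """Eight lowercase letters with at most one vowel, like etqmhlnl or xrhdbctp."""
    return bool(re.fullmatch(r"[a-z]{8}", name)) and sum(c in "aeiou" for c in name) <= 1


def service_reasons(svc: Service) -> List[str]:
    """Heuristic reasons to act on a service. A present, dated, sized driver
    file is never flagged here; those are left for manual review."""
    if not svc["missing"]:
        return []
    reasons = ["driver file not found on disk ([?])"]
    if looks_random(str(svc["name"])) and svc["name"] == svc["desc"]:
        reasons.append("random-looking name reused as its description")
    if "\\temp\\" in str(svc["path"]).lower():
        reasons.append("loads from a Temp directory")
    if int(str(svc["start"])) <= 1:
        reasons.append("boot/system start type")
    return reasons


def triage_log(text: str, keep_zones: Tuple[str, ...] = ()) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Return (flagged drivers with their reasons, unique Trusted Zone entries).

    A driver is flagged only when the missing file is corroborated by at
    least one more reason. Every Trusted Zone entry not in keep_zones is
    listed once, duplicates collapsed, as the reply above removed them all.
    """
    drivers: List[Tuple[str, List[str]]] = []
    zones: List[str] = []
    for line in text.splitlines():
        svc = parse_service(line)
        if svc is not None:
            reasons = service_reasons(svc)
            if len(reasons) >= 2:
                drivers.append((str(svc["name"]), reasons))
            continue
        z = ZONE_RE.match(line.strip())
        if z and z.group("entry") not in keep_zones and z.group("entry") not in zones:
            zones.append(z.group("entry"))
    return drivers, zones


def build_cfscript(drivers: List[Tuple[str, List[str]]], zones: List[str]) -> str:
    """Render the flagged items in the CFScript layout used in this thread."""
    lines = ["KillAll::", ""]
    if drivers:
        lines += ["Driver::"] + [name for name, _ in drivers] + [""]
    if zones:
        lines += ["DDS::"] + [f"Trusted Zone: {z}" for z in zones] + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged, zone_list = triage_log(SAMPLE_LOG)
    for name, why in flagged:
        print(f"{name}: {'; '.join(why)}")
    print(build_cfscript(flagged, zone_list))
```

On the sample it flags etqmhlnl and xrhdbctp for the same reasons the reply removed them, and additionally zlportio for its Temp path, which the reply did not act on; the output is a starting point for review, not a substitute for it.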
Title: Re: infected atapi.sys file
Post by: gange on February 21, 2010, 12:47:56 PM
OK, so here is the latest ComboFix log:


ComboFix 10-02-19.04 - Owner 1-Feb-2010  19:17:47.3.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_etqmhlnl
-------\Service_xrhdbctp


(((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
.

2010-02-21 10:12 . 2010-02-21 10:13   --------   d-----w-   C:\RootRepeal
2010-02-21 09:27 . 2004-08-04 05:00   95360   ----a-w-   C:\atapi.sys
2010-02-20 16:06 . 2010-02-20 16:06   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG9
2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 19:08 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2003-01-01 15:41   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-02-06 17:05   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2003-01-01 22:38   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-01-01 22:37   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2003-01-01 22:38   2189184   ------w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 08:04   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2003-01-01 15:40   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2003-05-30 16:00   1291776   ----a-w-   c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2003-01-01 09:32   17920   ----a-w-   c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2003-01-01 22:38   28672   ----a-w-   c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 05:36   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-01-01 22:38   11264   ----a-w-   c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2003-01-01 22:36   84992   ----a-w-   c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-18 05:36   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to avgtray.exe.lnk - c:\program files\AVG\AVG9\avgtray.exe [2009-11-10 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^启动飞速土豆.lnk]
backup=c:\windows\pss\启动飞速土豆.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS:  -> SendCompleteHandler -> 0x0
 PacketIndicateHandler -> 0x0
 SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""


--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1048)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21  19:37:14 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-21 19:37
ComboFix2.txt  2010-02-21 09:57
ComboFix3.txt  2010-02-20 15:48

Pre-Run: 29,495,021,568 bytes free
Post-Run: 29,456,936,960 bytes free

- - End Of File - - 7DAE080EA2C29390E10A5EC440EFD8CC
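The most telling part of the log above is the GMER "Stealth MBR rootkit" section: `\Driver\atapi -> prosync1.sys @ 0xf89a76c1` says that I/O sent to the atapi driver object is being serviced from a module that is not atapi.sys and does not belong to the normal disk stack, and the "called modules" chain ends in `prosync1.sys >>UNKNOWN [0x82E881F8]<<`, code GMER cannot attribute to any loaded image. That pattern, not the atapi.sys file on disk, is what you look for when an AV flags a boot-critical driver. The following script is an added example written for this thread; it is not part of ComboFix, GMER or the original posts. It runs the two checks a triager would apply by hand over an excerpt of the log posted above (embedded as sample input): flag driver hooks that land outside an expected set of stack modules, and flag service entries whose image lives under a Temp directory. `EXPECTED_MODULES` is an assumption about a clean XP disk I/O chain, not a list from the page.

```python
"""Triage the GMER rootkit section and the driver/service list of a ComboFix log.

Added example for this thread; not part of ComboFix, GMER or the original
posts.  SAMPLE_LOG is excerpted from the log posted above; EXPECTED_MODULES
is an assumption about the modules a clean XP disk stack passes through.
"""
import re

# Modules a clean XP disk I/O chain is expected to pass through (assumption for this example).
EXPECTED_MODULES = {"ntoskrnl.exe", "classpnp.sys", "disk.sys", "acpi.sys", "hal.dll", "atapi.sys"}

# "\Driver\atapi -> prosync1.sys @ 0xf89a76c1": a driver object's dispatch landing in some module.
HOOK_RE = re.compile(r"^\\Driver\\(?P<driver>\w+) -> (?P<module>[\w.]+) @ 0x(?P<addr>[0-9a-fA-F]+)$")
# "called modules: ntoskrnl.exe ... prosync1.sys >>UNKNOWN [0x82E881F8]<<"
CALLED_RE = re.compile(r"^called modules: (?P<mods>.*)$")
# ComboFix service lines: "S3 name;description;image path [date size]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[")
TEMP_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)

# Sample input: lines excerpted from the ComboFix log in the post above.
SAMPLE_LOG = r"""
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
"""


def suspicious_hooks(log_text):
    """(driver, module) pairs whose dispatch is hooked into a module outside EXPECTED_MODULES."""
    found = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m and m.group("module").lower() not in EXPECTED_MODULES:
            found.append((m.group("driver"), m.group("module")))
    return found


def called_module_chain(log_text):
    """Split GMER's 'called modules' line into unexpected module names and unattributed addresses."""
    for line in log_text.splitlines():
        m = CALLED_RE.match(line.strip())
        if not m:
            continue
        names = re.findall(r"\b[\w-]+\.(?:sys|dll|exe)\b", m.group("mods"), re.IGNORECASE)
        unknown = re.findall(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", m.group("mods"))
        unexpected = [n for n in names if n.lower() not in EXPECTED_MODULES]
        return {"unexpected": unexpected, "unknown_addresses": unknown}
    return {"unexpected": [], "unknown_addresses": []}


def services_in_temp(log_text):
    """(service name, image path) for driver/service entries whose image lives under a Temp directory."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and TEMP_RE.search(m.group("path")):
            found.append((m.group("name"), m.group("path")))
    return found


def triage(log_text):
    """Combine the three checks into one report dictionary."""
    return {
        "hooked_drivers": suspicious_hooks(log_text),
        "called_modules": called_module_chain(log_text),
        "temp_services": services_in_temp(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports `atapi -> prosync1.sys` as the hooked driver, `prosync1.sys` plus the unattributed address `0x82E881F8` from the call chain, and `zlportio` as a driver registered from a Temp path. The first two are the finding that matters here: a module sitting between `\Driver\atapi` and the disk is exactly where a disk-level rootkit hides the real atapi.sys from file scanners, which is why Malwarebytes and a plain file scan disagreed with AVG. The Temp-path check is a lead, not a verdict; a driver loaded from Temp may be a leftover of a legitimate utility, and `[?]` in the log means ComboFix could not find the file at all.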
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 21, 2010, 12:53:50 PM
Hopefully we are about done.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the Run box
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: infected atapi.sys file
Post by: gange on February 21, 2010, 04:14:33 PM
This is the ESET scan log:

 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir   Win32/Olmarik.RF virus   deleted - quarantined

So I checked the box to have ESET remove this quarantined file.

The ComboFix uninstall didn't seem to get rid of Qoobox, so I guess I should just delete the Qoobox folder.

Is there anything else I need to do?

Thanks again for the help.
Title: Re: infected atapi.sys file
Post by: evilfantasy on February 21, 2010, 04:24:08 PM
Yes, you can delete the Qoobox folder manually. It isn't removed automatically like the other files are.


Final suggestions.


Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

If you are using or have installed IE6, you are using an outdated and soon-to-be-unsupported version of Internet Explorer, and I strongly suggest you update to the latest version directly from Microsoft: Internet Explorer 8 Home page (http://www.microsoft.com/windows/ie/).

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html).
* Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.