
Topic: infected System32\atapi.sys file. AVG need some help.


Zack

    Topic Starter


    Greenhorn

    infected System32\atapi.sys file. AVG need some help.
    « on: February 13, 2010, 05:23:01 PM »
    Hello.
    My name is Zack, and I have an infected computer +)

    The problem seems to be that AVG is either correctly or incorrectly diagnosing my computer as being infected via the atapi.sys file.

    Usually I am able to take care of these problems myself, but I lack the deeper understanding of computer coding to take manual action without a guide.

    I have searched your forums and found what appears to be a near identical problem.
    The topic is here http://www.computerhope.com/forum/index.php?topic=94511.0

    I have run Malware and the Combo fix programs; here are their logs.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3523
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    2/13/2010 4:02:16 PM
    mbam-log-2010-02-13 (16-02-16).txt

    Scan type: Full Scan (A:\|C:\|D:\|)
    Objects scanned: 386379
    Time elapsed: 1 hour(s), 55 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------------------------------------------------------

    ComboFix 10-02-12.01 - Zack Newbold 02/13/2010  16:42:51.1.1 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.818 [GMT -7:00]
    Running from: c:\documents and settings\Zack Newbold\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AskSearch\bin\DefaultSearch.dll
    C:\s
    C:\smp.bat
    c:\windows\system32\18467.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\warning.html

    .
    (((((((((((((((((((((((((   Files Created from 2010-01-13 to 2010-02-13  )))))))))))))))))))))))))))))))
    .

    2010-01-30 22:56 . 2010-01-30 22:56   --------   d-----w-   C:\WTablet
    2010-01-20 04:36 . 2010-01-20 04:51   --------   d-----w-   c:\documents and settings\Zack Newbold\Local Settings\Application Data\V-Safe 100
    2010-01-19 06:50 . 2010-01-19 06:50   1260800   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-17 20:31 . 2009-03-09 18:34   971776   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    2010-01-17 03:42 . 2010-01-17 03:42   1794376   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Move Networks\MoveMediaPlayerWin_071701000008.exe

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-13 22:09 . 2010-01-14 07:04   0   ----a-w-   c:\documents and settings\Zack Newbold\Local Settings\Application Data\prvlcl.dat
    2010-02-13 20:31 . 2008-12-22 21:59   7   ----a-w-   c:\windows\sbacknt.bin
    2010-02-13 20:31 . 2008-07-09 05:18   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\WTablet
    2010-02-13 20:23 . 2008-07-09 07:11   --------   d-----w-   c:\documents and settings\LocalService\Application Data\WTablet
    2010-02-06 03:05 . 2009-10-05 17:19   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\Skype
    2010-02-05 23:18 . 2009-10-05 17:21   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\skypePM
    2010-02-03 21:52 . 2006-01-30 20:23   --------   d-----w-   c:\program files\Downloads
    2010-02-03 04:29 . 2010-01-13 01:19   --------   d-----w-   c:\program files\Cryptic Studios
    2010-02-02 18:22 . 2007-10-04 06:41   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\uTorrent
    2010-01-29 03:56 . 2007-12-01 06:22   --------   d-----w-   c:\program files\Zune
    2010-01-28 06:02 . 2006-02-19 06:39   --------   d-----w-   c:\program files\Activision
    2010-01-19 06:50 . 2010-01-06 19:05   3777280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-17 03:43 . 2007-10-04 06:30   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\Move Networks
    2010-01-13 01:28 . 2010-01-12 01:41   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\IGN_DLM
    2010-01-12 01:40 . 2010-01-12 01:40   --------   d-----w-   c:\program files\Download Manager
    2010-01-12 01:27 . 2010-01-12 01:26   --------   d-----w-   c:\program files\StarTrek Online
    2010-01-10 07:46 . 2009-03-31 19:47   --------   d-----w-   c:\program files\Windows Live Safety Center
    2010-01-09 00:05 . 2010-01-08 02:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2010-01-09 00:05 . 2010-01-09 00:05   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-09 00:02 . 2007-12-04 06:45   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
    2010-01-08 02:41 . 2010-01-08 02:41   --------   d-----w-   c:\documents and settings\Zack Newbold\Application Data\Malwarebytes
    2010-01-08 02:41 . 2010-01-08 02:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-07 23:37 . 2009-11-05 08:45   79488   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-07 23:07 . 2010-01-08 02:41   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 23:07 . 2010-01-08 02:41   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2010-01-07 21:38 . 2010-01-07 21:38   447216   ----a-w-   c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-01-07 21:38 . 2010-01-07 21:38   58592   ----a-w-   c:\windows\system32\ZuneBusEnum.exe
    2010-01-07 21:22 . 2009-09-02 06:28   40832   ----a-w-   c:\windows\system32\drivers\zumbus.sys
    2010-01-07 18:55 . 2010-01-07 18:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
    2010-01-07 18:00 . 2009-12-07 21:21   --------   d-----w-   c:\program files\Steam
    2010-01-06 18:56 . 2009-04-01 04:07   --------   d-----w-   c:\program files\AVG
    2010-01-06 18:56 . 2009-04-01 04:07   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
    2010-01-06 18:56 . 2009-04-01 04:07   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
    2010-01-06 18:56 . 2009-04-01 04:07   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
    2010-01-06 18:55 . 2009-04-01 04:07   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
    2009-12-16 21:42 . 2010-01-07 07:57   872960   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-12-16 21:42 . 2010-01-07 07:57   43008   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-12-16 21:42 . 2010-01-07 07:57   340480   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-12-16 21:41 . 2010-01-07 07:57   346624   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-12-07 01:02 . 2009-12-07 01:02   965344   ----a-w-   c:\documents and settings\Zack Newbold\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
    2008-02-29 19:40 . 2008-02-29 19:40   423736   ----a-w-   c:\program files\avgarkt-setup-1.1.0.42.exe
    2006-03-10 00:22 . 2006-03-10 00:21   692014058   ----a-w-   c:\program files\Poser6E_W_app.zip
    .

    ------- Sigcheck -------

    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2008-04-13 19:40 . 92EE84D93035566F9EF1E244CEB9BC12 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-09 04:08   279944   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
    "Google Update"="c:\documents and settings\Zack Newbold\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-14 133104]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 136600]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Zack Newbold\Start Menu\Programs\Startup\
    DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-11-15 423248]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility HW.14.lnk - c:\program files\802.11 Wireless LAN\802.11g USB 2.0 WLAN Dongle\WlanCU.exe [2007-8-29 606208]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-01-06 18:55   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Activision\\Sfc3\\SFC3.exe"=
    "c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
    "c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
    "c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\z Clean\\WOWEx_Blizcon-downloader.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Tortun\\gui.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
    "c:\\Program Files\\Curse\\CurseClient.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/31/2009 9:07 PM 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/31/2009 9:07 PM 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/7/2010 11:55 AM 285392]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [11/24/2008 1:20 AM 14976]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [7/8/2008 10:18 PM 1373480]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/1/2007 3:35 PM 24652]
    R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [9/10/2009 1:27 PM 215040]
    R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
    S3 Flis18mwns;Flis18mwns;c:\windows\system32\keystone.exe [2/18/2009 1:44 PM 436768]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SJYPKT
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-854245398-725345543-1004Core.job
    - c:\documents and settings\Zack Newbold\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 06:32]

    2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-854245398-725345543-1004UA.job
    - c:\documents and settings\Zack Newbold\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 06:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=101676&l=dis
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
    IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    IE: &Search - ?p=ZNxdm414DQUS
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
    FF - ProfilePath - c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1231307&SearchSource=3&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
    FF - component: c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Zack Newbold\Application Data\Mozilla\Firefox\Profiles\jo5nazo0.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\documents and settings\Zack Newbold\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{C94E154B-1459-4A47-966B-4B843BEFC7DB} - c:\program files\AskSearch\bin\DefaultSearch.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-Plazmic CDK 4.2.2 for BlackBerry - c:\program files\Plazmic CDK 4.2.2\Uninstall Plazmic CDK 4.2.2 for BlackBerry\Uninstall Plazmic CDK 4.2.2
    AddRemove-ShipEdit - c:\program files\taldren software inc\tools and such\Uninst.isu
    AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-13 16:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-02-13  16:57:20
    ComboFix-quarantined-files.txt  2010-02-13 23:57

    Pre-Run: 21,284,114,432 bytes free
    Post-Run: 22,785,761,280 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 86A8459A3CB406B4A3735681A4980E68

    -------------------------------------------------------------------------------

    Thank you for any assistance you are able to offer me in advance.
    Please let me know if there is any additional information that you require from me.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: infected System32\atapi.sys file. AVG need some help.
    « Reply #1 on: February 13, 2010, 06:01:55 PM »
    Please download SystemLook from one of the below links and save it to your desktop.

    Link #1
    Link #2

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    * Double-click SystemLook.exe to run it.
    * Copy the contents of the following codebox into the main textfield.

    Code:
    :filefind
    atapi.sys

    * Click the Look button to start the scan.
    * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    * When finished, a notepad window will open with the results of the scan. Please post the log.

    The log can also be found on your desktop entitled SystemLook.txt

    ----------

    Please go to Start > Run and copy/paste the following blue text, then press Enter:

    C:\QooBox\Add-Remove Programs.txt

    A text file should open. Please post the contents of that file in your next reply.

    Zack


      Re: infected System32\atapi.sys file. AVG need some help.
      « Reply #2 on: February 13, 2010, 06:27:44 PM »
      SystemLook v1.0 by jpshortstuff (11.01.10)
      Log created at 18:18 on 13/02/2010 by Zack Newbold (Administrator - Elevation successful)

      ========== filefind ==========

      Searching for "atapi.sys"
      C:\WINDOWS\$NtServicePackUninstall$\atapi.sys   -----c 95360 bytes   [01:57 11/05/2008]   [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
      C:\WINDOWS\ServicePackFiles\i386\atapi.sys   ------ 96512 bytes   [18:40 13/04/2008]   [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
      C:\WINDOWS\system32\dllcache\atapi.sys   --a--c 96512 bytes   [12:00 04/08/2004]   [19:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
      C:\WINDOWS\system32\drivers\atapi.sys   --a--- 96512 bytes   [12:00 04/08/2004]   [19:40 13/04/2008] 92EE84D93035566F9EF1E244CEB9BC12

      -=End Of File=-
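Added example, not code from the thread or from SystemLook's author: a small Python script that parses the filefind section above and flags the live copy under system32\drivers whose MD5 differs from the same-size backup copies Windows keeps in dllcache and ServicePackFiles, which is exactly the pattern visible in the log above. The assumption that those two backups are trustworthy reference copies for the installed service pack is mine, not the thread's; the $NtServicePackUninstall$ copy is an older build of a different size and is ignored on purpose.

```python
"""Compare the copies of a driver listed by a SystemLook ':filefind' run."""
import re

# Constructed sample: the four file lines from the SystemLook log posted above,
# reproduced in its format (paths, sizes and MD5s as they appear in the thread).
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys   -----c 95360 bytes   [01:57 11/05/2008]   [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys   ------ 96512 bytes   [18:40 13/04/2008]   [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys   --a--c 96512 bytes   [12:00 04/08/2004]   [19:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys   --a--- 96512 bytes   [12:00 04/08/2004]   [19:40 13/04/2008] 92EE84D93035566F9EF1E244CEB9BC12

-=End Of File=-
"""

# One SystemLook filefind line: path, six attribute flags, size, created,
# modified, MD5. The path is matched lazily so spaces in it are tolerated.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-zA-Z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(log_text):
    """Return one dict per file line found in a SystemLook filefind section."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def assess_driver(entries, name="atapi.sys"):
    """Compare the live driver against Windows' own backup copies.

    Assumption (not stated in the thread): the copies under dllcache and
    ServicePackFiles are the reference for the installed service pack, so a
    live copy of the SAME size but a DIFFERENT hash is what to flag. Copies
    of another size (the pre-service-pack uninstall backup) are ignored.
    Note that two independent backups agreeing with each other is stronger
    evidence than either one alone, since a backup can be tampered with too.
    """
    suffix = f"\\system32\\drivers\\{name}".lower()
    live = [e for e in entries if e["path"].lower().endswith(suffix)]
    refs = [
        e for e in entries
        if "\\dllcache\\" in e["path"].lower()
        or "\\servicepackfiles\\" in e["path"].lower()
    ]
    if len(live) != 1 or not refs:
        return {"verdict": "inconclusive", "live_md5": None, "backup_md5s": []}
    live = live[0]
    same_size = [r for r in refs if r["size"] == live["size"]]
    backup_md5s = sorted({r["md5"] for r in same_size})
    if not same_size:
        verdict = "inconclusive"
    elif live["md5"] in backup_md5s:
        verdict = "matches-backups"
    else:
        verdict = "suspicious"
    return {
        "verdict": verdict,
        "live_md5": live["md5"],
        "backup_md5s": backup_md5s,
        "backup_paths": [r["path"] for r in same_size],
    }


if __name__ == "__main__":
    result = assess_driver(parse_filefind(SAMPLE_LOG))
    print(result["verdict"], result["live_md5"], result["backup_md5s"])
```

On the log above this reports the live driver as "suspicious": it is byte-for-byte the same size as the two backups yet carries a different MD5, the same discrepancy ComboFix's Sigcheck section marked with `[-]` and a blank version field.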

      evilfantasy

      Re: infected System32\atapi.sys file. AVG need some help.
      « Reply #3 on: February 13, 2010, 06:45:07 PM »
      The Add-Remove Programs.txt?

      Zack


        Re: infected System32\atapi.sys file. AVG need some help.
        « Reply #4 on: February 13, 2010, 07:00:16 PM »
        The Add-Remove Programs.txt?

        Sorry I missed that part of your post.

        µTorrent
        7-Zip 4.65
        802.11g Wireless LAN
        802.11g Wireless LAN Adapter
        802.11g Wireless USB 2.0 Adapter HW.14
        Adabas D 13.01.00
        Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
        Adobe Digital Editions
        Adobe Flash Player 10 ActiveX
        Adobe Flash Player 10 Plugin
        Adobe Help Center 2.1
        Adobe Photoshop Elements 5.0
        Adobe Reader 8.1.2
        Adobe Reader 8.1.2 Security Update 1 (KB403742)
        Adobe Shockwave Player
        Adobe® Photoshop® Album Starter Edition 3.2
        AIM 6
        AIM Toolbar 5.0
        Alarm Clock v1.0
        All To MP3 Converter 1.6
        Amazon MP3 Downloader 1.0.3
        Apple Application Support
        Apple Mobile Device Support
        Apple Software Update
        ArcSoft PhotoImpression 6
        ArcSoft Print Creations
        Ask Toolbar
        AutoUpdate
        AV Music Morpher
        AVG Anti-Rootkit Free
        AVG Free 9.0
        BlackBerry Desktop Software 4.3
        BlackBerry Email and MDS Services Simulators 4.1.2
        BlackBerry JDE 4.2.0
        BlackBerry JDE 4.3.0
        Bonjour
        BPS MP3-WAV Converter version 5.0.0.0
        Bryce 5.5a DEMO
        CD/DVD-ROM Generator 1.20
        CDisplay 1.8
        character studio 4.2
        Character Studio Tutorial Files
        Company of Heroes
        Company of Heroes - FAKEMSI
        CompuApps SwissKnife V3
        Corel Painter Essentials 3
        Critical Update for Windows Media Player 11 (KB959772)
        Cucusoft DVD to Zune Converter 6.02
        Curse Client
        Dawn of War - Soulstorm
        DAZ|Studio BETA 0.9.21.2
        DivX Codec
        DivX Content Uploader
        DivX Converter
        DivX Player
        DivX Web Player
        Download Manager 2.3.10
        Dragon Age: Origins Character Creator
        EA Download Manager
        EPSON CX8400 User's Guide
        EPSON Printer Software
        EPSON Scan
        EPSON Stylus CX8400 Series Scanner Driver Update
        EzINI
        FireSoul's OP+ Shiplist 4.0 (remove only)
        First Step Guide
        FrostWire 4.18.1
        Galactic Civilizations II
        Gimp 2.6.1
        Google Chrome
        Google Earth
        Google SketchUp
        Google SketchUp 7
        Google Toolbar for Firefox
        Google Video Player
        GridMagic 3.3
        Guitar Hero Explorer
        Heroes of Might and Magic V
        HighMAT Extension to Microsoft Windows XP CD Writing Wizard
        Hotfix for Windows Media Format 11 SDK (KB929399)
        Hotfix for Windows Media Format SDK (KB902344)
        Hotfix for Windows Media Player 11 (KB939683)
        Hotfix for Windows XP (KB932716-v2)
        Hotfix for Windows XP (KB952287)
        ImageMixer VCD2
        InterActual Player
        iTunes
        J2SE Runtime Environment 5.0 Update 10
        J2SE Runtime Environment 5.0 Update 11
        J2SE Runtime Environment 5.0 Update 3
        J2SE Runtime Environment 5.0 Update 6
        Japanese Fonts Support For Adobe Reader 8
        Java(TM) 6 Update 11
        Java(TM) 6 Update 2
        Java(TM) 6 Update 3
        Java(TM) 6 Update 5
        Java(TM) 6 Update 7
        Java(TM) SE Runtime Environment 6 Update 1
        LS_HSI
        Magic DVD Ripper V5.0.1
        Malwarebytes' Anti-Malware
        Max Media Creator
        MaxDrive PS2
        Media Player Classic
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1 Hotfix (KB928366)
        Microsoft .NET Framework 2.0 Service Pack 1
        Microsoft Application Error Reporting
        Microsoft Base Smart Card Cryptographic Service Provider Package
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Internationalized Domain Names Mitigation APIs
        Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
        Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
        Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
        Microsoft National Language Support Downlevel APIs
        Microsoft Office Standard Edition 2003
        Microsoft User-Mode Driver Framework Feature Pack 1.9
        Microsoft Visual C++ 2005 Redistributable
        Microsoft WinUsb 1.0
        Mobipocket Reader 6.2
        Mozilla Firefox (3.5.7)
        MP3 Player Utilities 3.68
        MSN
        MSXML 4.0 SP2 (KB936181)
        MSXML 4.0 SP2 (KB954430)
        MSXML 6.0 Parser (KB933579)
        MusEdit
        MySpaceIM
        Nero Suite
        nik Color Efex Pro 2.0 GE
        Nostromo Array Programming Software
        NVDVD
        NVIDIA Drivers
        NVIDIA nTune
        NVIDIA PhysX
        NvMixer
        Ogre
        Orb
        Panda ActiveScan
        Panda ActiveScan 2.0
        PCFriendly
        Pcsx2 0.9.6
        Pen Tablet
        Picture Package
        Plazmic CDK 4.2.2 for BlackBerry
        Poser 6
        Poser 6 Demo
        PremiumSoft Navicat 8.0 for MySQL
        QuickTime
        REA's TESTware for the CLEP General Subject Exams
        Roxio Media Manager
        Security Update for Windows Media Player (KB911564)
        Security Update for Windows Media Player (KB952069)
        Security Update for Windows Media Player 10 (KB911565)
        Security Update for Windows Media Player 10 (KB917734)
        Security Update for Windows Media Player 11 (KB936782)
        Security Update for Windows Media Player 11 (KB954154)
        Security Update for Windows Media Player 6.4 (KB925398)
        Security Update for Windows XP (KB938464)
        Security Update for Windows XP (KB941569)
        Security Update for Windows XP (KB946648)
        Security Update for Windows XP (KB950759)
        Security Update for Windows XP (KB950760)
        Security Update for Windows XP (KB950762)
        Security Update for Windows XP (KB950974)
        Security Update for Windows XP (KB951066)
        Security Update for Windows XP (KB951376-v2)
        Security Update for Windows XP (KB951376)
        Security Update for Windows XP (KB951698)
        Security Update for Windows XP (KB951748)
        Security Update for Windows XP (KB952954)
        Security Update for Windows XP (KB953838)
        Security Update for Windows XP (KB953839)
        Security Update for Windows XP (KB954211)
        Security Update for Windows XP (KB954459)
        Security Update for Windows XP (KB954600)
        Security Update for Windows XP (KB955069)
        Security Update for Windows XP (KB956390)
        Security Update for Windows XP (KB956391)
        Security Update for Windows XP (KB956802)
        Security Update for Windows XP (KB956803)
        Security Update for Windows XP (KB956841)
        Security Update for Windows XP (KB957095)
        Security Update for Windows XP (KB957097)
        Security Update for Windows XP (KB958644)
        Security Update for Windows XP (KB958687)
        Security Update for Windows XP (KB958690)
        Security Update for Windows XP (KB960225)
        Security Update for Windows XP (KB960715)
        ShipEdit
        Skype web features
        Skype™ 4.1
        Sony USB Driver
        Spybot - Search & Destroy
        Star Trek Online
        Star Trek Starfleet Command III
        Star Wars Empire at War
        Star Wars Empire at War Forces of Corruption
        Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
        Starcraft
        StarOffice 8
        Steam
        System Requirements Lab
        System47 Screen Saver
        Tattoo
        TeamSpeak 2 RC2
        TeamSpeak 2 Server RC2
        Tortun 0.8
        Uniblue RegistryBooster 2
        Uniblue System Tweaker
        Update for Windows XP (KB951072-v2)
        Update for Windows XP (KB951978)
        Update for Windows XP (KB955839)
        Update for Windows XP (KB967715)
        USB MP3 Player WIN98 Drivers
        Vampire - The Masquerade Bloodlines
        Ventrilo Client
        Ventrilo Server
        Viewpoint Media Player
        VirtuaGirl HD
        WebFldrs XP
        Windows Defender
        Windows Genuine Advantage Notifications (KB905474)
        Windows Genuine Advantage v1.3.0254.0
        Windows Genuine Advantage Validation Tool (KB892130)
        Windows Live Messenger
        Windows Live OneCare safety scanner
        Windows Media Connect
        Windows Media Format 11 runtime
        Windows Media Format SDK Hotfix - KB891122
        Windows Media Player 11
        Windows XP Service Pack 3
        Wings 3D 0.99.53
        WinRAR archiver
        WinZip
        X3D Controller 2.5
        X3DTVGateway
        Yahoo! Browser Services
        Yahoo! Install Manager
        Yahoo! Internet Mail
        Yahoo! Messenger
        Yahoo! Toolbar
        YOUNTEL-UMS Driver Install 1.0
        Zune
        Zune Language Pack (DE)
        Zune Language Pack (ES)
        Zune Language Pack (FR)
        Zune Language Pack (IT)

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: infected System32\atapi.sys file. AVG need some help.
        « Reply #5 on: February 13, 2010, 07:07:15 PM »
        Go to Add or Remove Programs and uninstall:

        • Ask Toolbar
        • Viewpoint Media Player

        ----------

        Your Java is out of date.
         
        Older versions have vulnerabilities that malicious sites can use to infect your system.
         
        First install the new Sun Java Runtime Environment

        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

        Be sure to close all browser windows before beginning the install.
         
        Remove the old version(s)
         
        Download JavaRa
        * Unzip the file and open the JavaRa.exe
        * Click Remove Older Versions
        * JavaRa will search for and remove any outdated version of Java and remove any that are found.
        * Click Additional Tasks
        * Place a check next to Remove Useless JRE Files and click Go
        * Exit JavaRa
        * Delete the JavaRa files from the desktop

        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

        ----------

        Please go to Jotti's malware scan
        (If more than one file needs to be scanned they must be done separately and logs posted for each one)

        * Copy the file path in the below Code box:
        Code: [Select]
        c:\windows\system32\drivers\atapi.sys
        * At the upload site, click once inside the window next to Browse.
        * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
        * Next click Submit file
        * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
        * This will perform a scan across multiple different virus scanning engines.
        * Important: Wait for all of the scanning engines to complete.
        * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.


        Also scan this file and post the link to the results.

        Code: [Select]
        c:\windows\system32\dllcache\atapi.sys
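Before uploading, it is worth checking whether the two copies named above even differ from each other. The script below is an added example (not from the post and not part of any tool mentioned in it): it fingerprints the live driver and the dllcache copy by size, MD5 and SHA1, reports whichever copy disagrees with the rest, and compares each one with the size, MD5 and SHA1 that the NoVirusThanks report later in this thread shows for the restored driver. The three sample files it writes to a temp directory are constructed stand-ins, not real drivers, and the reference values only apply to that exact driver build.

```python
"""Compare the live atapi.sys with its backup copies by size, MD5 and SHA1.
Added example: not from the forum post or from any tool mentioned in it."""
import hashlib
import os
import tempfile
from collections import Counter

# Paths named in the thread. Only copies that actually exist are compared.
DRIVER_COPIES = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\dllcache\atapi.sys",
]

# Size, MD5 and SHA1 that the NoVirusThanks report later in this thread
# shows for the restored (clean) driver; valid only for that exact build.
REFERENCE = {
    "size": 96512,
    "md5": "9f3a2f5aa6875c72bf062c712cfa2674",
    "sha1": "a719156e8ad67456556a02c34e762944234e7a44",
}


def fingerprint(path):
    """Stream the file once and return its size, MD5 and SHA1."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare_copies(paths, reference=REFERENCE):
    """Fingerprint every existing path; list the copies that disagree with
    the majority SHA1 and say whether each copy matches the reference.
    'consistent' is the decisive flag: with only two differing copies the
    majority is a coin toss and 'odd_ones' just names one of them."""
    fps = {p: fingerprint(p) for p in paths if os.path.isfile(p)}
    majority = Counter(fp["sha1"] for fp in fps.values()).most_common(1)
    majority_sha1 = majority[0][0] if majority else None
    return {
        "fingerprints": fps,
        "consistent": len({fp["sha1"] for fp in fps.values()}) <= 1,
        "odd_ones": [p for p, fp in fps.items() if fp["sha1"] != majority_sha1],
        "matches_reference": {p: fp == reference for p, fp in fps.items()},
    }


def build_constructed_sample(tmpdir):
    """Constructed inputs: two identical 'good' copies and one same-size copy
    with a few patched bytes standing in for an infected file."""
    good = b"MZ" + bytes(REFERENCE["size"] - 2)          # 96512 bytes
    bad = good[:0x8000] + b"TDL3" + good[0x8004:]          # same size, 4 bytes changed
    paths = {}
    for name, data in (("live.sys", good), ("dllcache.sys", good), ("patched.sys", bad)):
        paths[name] = os.path.join(tmpdir, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    return paths


def demo():
    """Run the comparison on the constructed sample and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_constructed_sample(tmp)
        return compare_copies(list(paths.values()))


if __name__ == "__main__":
    result = compare_copies(DRIVER_COPIES) if os.name == "nt" else demo()
    for path, fp in result["fingerprints"].items():
        flag = "matches reference" if result["matches_reference"][path] else "differs from reference"
        print(f"{fp['size']:7d} {fp['md5']} {fp['sha1']} {path}  [{flag}]")
    print("all copies identical:", result["consistent"], "odd ones:", result["odd_ones"])
```

On the infected machine run it as it stands and read the last line first: if the live driver and the dllcache copy disagree, the upload only needs to cover the one that differs, and a copy that matches the reference size and hashes is the known-good build.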

        Zack

          Topic Starter


          Greenhorn


          evilfantasy

          Re: infected System32\atapi.sys file. AVG need some help.
          « Reply #7 on: February 13, 2010, 07:35:01 PM »
          Download TDSSKiller and save it to your desktop.

          * Right click on the file and choose extract all extract the file to your desktop then run it.
          * Once completed it will create a log in your C:\ drive with a name similar to 'TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt'.
          * Please post the contents of that log.

          ----------

          Also scan the c:\windows\system32\drivers\atapi.sys file again at Jotti and post the link to the results.

          Zack


            Re: infected System32\atapi.sys file. AVG need some help.
            « Reply #8 on: February 13, 2010, 07:41:31 PM »
            19:40:47:694 0352   TDSS rootkit removing tool 2.2.3 Feb  4 2010 14:34:00
            19:40:47:694 0352   ================================================================================
            19:40:47:694 0352   SystemInfo:

            19:40:47:694 0352   OS Version: 5.1.2600 ServicePack: 3.0
            19:40:47:694 0352   Product type: Workstation
            19:40:47:694 0352   ComputerName: ZACK-75C2A80744
            19:40:47:694 0352   UserName: Zack Newbold
            19:40:47:694 0352   Windows directory: C:\WINDOWS
            19:40:47:694 0352   Processor architecture: Intel x86
            19:40:47:694 0352   Number of processors: 1
            19:40:47:694 0352   Page size: 0x1000
            19:40:47:694 0352   Boot type: Normal boot
            19:40:47:694 0352   ================================================================================
            19:40:47:694 0352   UnloadDriverW: NtUnloadDriver error 2
            19:40:47:694 0352   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
            19:40:47:694 0352   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
            19:40:47:741 0352   UtilityInit: KLMD drop and load success
            19:40:47:741 0352   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
            19:40:47:741 0352   UtilityInit: KLMD open success
            19:40:47:741 0352   UtilityInit: Initialize success
            19:40:47:741 0352   
            19:40:47:741 0352   Scanning   Services ...
            19:40:47:741 0352   CreateRegParser: Registry parser init started
            19:40:47:741 0352   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
            19:40:47:741 0352   CreateRegParser: DisableWow64Redirection error
            19:40:47:741 0352   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
            19:40:47:741 0352   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
            19:40:47:741 0352   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
            19:40:47:741 0352   wfopen_ex: Trying to KLMD file open
            19:40:47:741 0352   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
            19:40:47:741 0352   wfopen_ex: File opened ok (Flags 2)
            19:40:47:741 0352   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384AF8
            19:40:47:741 0352   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
            19:40:47:741 0352   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
            19:40:47:741 0352   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
            19:40:47:741 0352   wfopen_ex: Trying to KLMD file open
            19:40:47:741 0352   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
            19:40:47:741 0352   wfopen_ex: File opened ok (Flags 2)
            19:40:47:741 0352   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384BA0
            19:40:47:741 0352   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
            19:40:47:741 0352   CreateRegParser: EnableWow64Redirection error
            19:40:47:741 0352   CreateRegParser: RegParser init completed
            19:40:48:241 0352   GetAdvancedServicesInfo: Raw services enum returned 357 services
            19:40:48:241 0352   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
            19:40:48:241 0352   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
            19:40:48:241 0352   
            19:40:48:241 0352   Scanning   Kernel memory ...
            19:40:48:241 0352   KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
            19:40:48:241 0352   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8F187A08
            19:40:48:241 0352   DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
            19:40:48:241 0352   
            19:40:48:241 0352   DetectCureTDL3: DEVICE_OBJECT: 8F178620
            19:40:48:241 0352   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8F178620
            19:40:48:241 0352   KLMD_ReadMem: Trying to ReadMemory 0x8F178620[0x38]
            19:40:48:241 0352   DetectCureTDL3: DRIVER_OBJECT: 8F187A08
            19:40:48:241 0352   KLMD_ReadMem: Trying to ReadMemory 0x8F187A08[0xA8]
            19:40:48:241 0352   KLMD_ReadMem: Trying to ReadMemory 0xE684B640[0x18]
            19:40:48:241 0352   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (0) addr: B80FEBB0
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (1) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (2) addr: B80FEBB0
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (3) addr: B80F8D1F
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (4) addr: B80F8D1F
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (5) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (6) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (7) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (8) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (9) addr: B80F92E2
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (10) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (11) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (12) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (13) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (14) addr: B80F93BB
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (15) addr: B80FCF28
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (16) addr: B80F92E2
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (17) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (18) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (19) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (20) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (21) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (22) addr: B80FAC82
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (23) addr: B80FF99E
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (24) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (25) addr: 804F355A
            19:40:48:241 0352   DetectCureTDL3: IrpHandler (26) addr: 804F355A
            19:40:48:241 0352   TDL3_FileDetect: Processing driver: Disk
            19:40:48:241 0352   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
            19:40:48:241 0352   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
            19:40:48:257 0352   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
            19:40:48:257 0352   
            19:40:48:257 0352   DetectCureTDL3: DEVICE_OBJECT: 8F183AB8
            19:40:48:257 0352   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8F183AB8
            19:40:48:257 0352   DetectCureTDL3: DEVICE_OBJECT: 8F17D198
            19:40:48:257 0352   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8F17D198
            19:40:48:257 0352   DetectCureTDL3: DEVICE_OBJECT: 8F1D8940
            19:40:48:257 0352   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8F1D8940
            19:40:48:257 0352   KLMD_ReadMem: Trying to ReadMemory 0x8F1D8940[0x38]
            19:40:48:257 0352   DetectCureTDL3: DRIVER_OBJECT: 8F17D9F8
            19:40:48:257 0352   KLMD_ReadMem: Trying to ReadMemory 0x8F17D9F8[0xA8]
            19:40:48:257 0352   KLMD_ReadMem: Trying to ReadMemory 0xE6844D60[0x1A]
            19:40:48:257 0352   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (0) addr: B7F3B6F2
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (1) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (2) addr: B7F3B6F2
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (3) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (4) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (5) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (6) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (7) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (8) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (9) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (10) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (11) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (12) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (13) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (14) addr: 8F10F8B0
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (15) addr: B80C98B4
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (16) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (17) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (18) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (19) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (20) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (21) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (22) addr: B7F3B73C
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (23) addr: B7F42336
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (24) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (25) addr: 804F355A
            19:40:48:257 0352   DetectCureTDL3: IrpHandler (26) addr: 804F355A
            19:40:48:257 0352   KLMD_ReadMem: Trying to ReadMemory 0xB7F38864[0x400]
            19:40:48:257 0352   TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
            19:40:48:257 0352   TDL3_FileDetect: Processing driver: atapi
            19:40:48:257 0352   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
            19:40:48:257 0352   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
            19:40:48:272 0352   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
            19:40:48:272 0352   File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
            19:40:48:272 0352   TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
            19:40:48:272 0352   ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
            19:40:48:288 0352   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
            19:40:48:351 0352   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
            19:40:48:366 0352   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
            19:40:48:444 0352   CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
            19:40:48:460 0352   CabinetCallback: File extracted successfully: C:\DOCUME~1\ZACKNE~1\LOCALS~1\Temp\bckA9.tmp
            19:40:48:460 0352   ValidateDriverFile: Stage 1 passed
            19:40:48:460 0352   ValidateDriverFile: Stage 2 passed
            19:40:48:601 0352   DigitalSignVerifyByHandle: Embedded DS result: 800B0100
            19:40:49:257 0352   DigitalSignVerifyByHandle: Cat DS result: 00000000
            19:40:49:257 0352   ValidateDriverFile: Stage 3 passed
            19:40:49:257 0352   CabinetCallback: File validated successfully, restore information prepared
            19:40:49:257 0352   FindDriverFileBackup: Backup copy found in cab-file
            19:40:49:257 0352   TDL3_FileCure: Backup copy found, using it..
            19:40:49:257 0352   TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskAA.tmp
            19:40:49:288 0352   TDL3_FileCure: New / Old Image paths: (system32\drivers\tskAA.tmp, system32\drivers\atapi.sys)
            19:40:49:288 0352   TDL3_FileCure: KLMD jobs schedule success
            19:40:49:288 0352   will be cured on next reboot
            19:40:49:288 0352   UtilityBootReinit: Reboot required for cure complete..
            19:40:49:288 0352   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
            19:40:49:288 0352   UtilityBootReinit: KLMD drop success
            19:40:49:288 0352   KLMD_ApplyPendList: Pending buffer(5D19_736, 608) dropped successfully
            19:40:49:288 0352   UtilityBootReinit: Cure on reboot scheduled successfully
            19:40:49:288 0352   
            19:40:49:288 0352   Completed
            19:40:49:288 0352   
            19:40:49:288 0352   Results:
            19:40:49:288 0352   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
            19:40:49:288 0352   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
            19:40:49:288 0352   File objects infected / cured / cured on reboot:   1 / 0 / 1
            19:40:49:288 0352   
            19:40:49:288 0352   UnloadDriverW: NtUnloadDriver error 1
            19:40:49:288 0352   KLMD_Unload: UnloadDriverW(klmd21) error 1
            19:40:49:288 0352   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
            19:40:49:288 0352   UtilityDeinit: KLMD(ARK) unloaded successfully

            ---------------------------------------------------------------------

            And the link to the new scan
            http://virusscan.jotti.org/en/scanresult/24029f1dc5cace8a465b3be925ad29153bad7ecf/88ef8096fd233e3586d58a5e1a0cfb9a2980a784
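As an added example (not part of TDSSKiller and not from either post), the script below parses the DetectCureTDL3 section of a log in the format posted above and flags any IRP dispatch handler whose address falls into the same region as the DEVICE_OBJECT and DRIVER_OBJECT structures rather than into a driver image, which is where a dispatch routine is expected to live. The IRP_MJ_* names are the standard DDK indices; the 1 MiB margin around the object addresses, the treatment of the one address shared by every driver table as the kernel's default handler for unsupported requests, and the abridged log excerpt embedded as input are all this example's own assumptions. Note that the log's Infected verdict came from TDL3_FileDetect scanning the file; this heuristic looks at the in-memory dispatch table instead and is not a reproduction of TDSSKiller's logic.

```python
"""Flag IRP dispatch handlers that point into pool memory instead of a driver
image, from a TDSSKiller-style DetectCureTDL3 log. Added example; not part of
TDSSKiller or of the original post."""
import re

# IRP major function codes, indices 0..27 as defined in the Windows DDK.
IRP_MJ = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA",
    "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION",
    "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP",
    "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY", "POWER",
    "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA", "PNP",
]

# Constructed input: an abridged excerpt of the log posted above (most slots
# that share the kernel stub 804F355A are left out to keep it short).
SAMPLE_LOG = r"""19:40:48:241 0352   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8F187A08
19:40:48:241 0352   DetectCureTDL3: DEVICE_OBJECT: 8F178620
19:40:48:241 0352   DetectCureTDL3: DRIVER_OBJECT: 8F187A08
19:40:48:241 0352   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:40:48:241 0352   DetectCureTDL3: IrpHandler (0) addr: B80FEBB0
19:40:48:241 0352   DetectCureTDL3: IrpHandler (1) addr: 804F355A
19:40:48:241 0352   DetectCureTDL3: IrpHandler (14) addr: B80F93BB
19:40:48:241 0352   DetectCureTDL3: IrpHandler (15) addr: B80FCF28
19:40:48:257 0352   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:40:48:257 0352   DetectCureTDL3: DEVICE_OBJECT: 8F1D8940
19:40:48:257 0352   DetectCureTDL3: DRIVER_OBJECT: 8F17D9F8
19:40:48:257 0352   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:40:48:257 0352   DetectCureTDL3: IrpHandler (0) addr: B7F3B6F2
19:40:48:257 0352   DetectCureTDL3: IrpHandler (1) addr: 804F355A
19:40:48:257 0352   DetectCureTDL3: IrpHandler (14) addr: 8F10F8B0
19:40:48:257 0352   DetectCureTDL3: IrpHandler (15) addr: B80C98B4
19:40:48:257 0352   DetectCureTDL3: IrpHandler (22) addr: B7F3B73C
19:40:48:272 0352   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

_OBJ = re.compile(r"(?:DEVICE_OBJECT|DRIVER_OBJECT): ([0-9A-F]{8})\s*$")
_NAME = re.compile(r"Driver Name: (\w+)")
_IRP = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]{8})")
_VERDICT = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")


def parse_log(text):
    """Return (object addresses, {driver: {irp index: handler}}, {file: verdict})."""
    objects, drivers, verdicts = [], {}, {}
    current = None
    for line in text.splitlines():
        m = _OBJ.search(line)
        if m:
            objects.append(int(m.group(1), 16))
            continue
        m = _NAME.search(line)
        if m:
            current = m.group(1)
            drivers.setdefault(current, {})
            continue
        m = _IRP.search(line)
        if m and current is not None:
            drivers[current][int(m.group(1))] = m.group(2)
            continue
        m = _VERDICT.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return objects, drivers, verdicts


def shared_stub(drivers):
    """The single address present in every driver's table. Assumption: this is
    the kernel's default 'unsupported request' routine, not driver code."""
    tables = [set(t.values()) for t in drivers.values()]
    common = set.intersection(*tables) if tables else set()
    return next(iter(common)) if len(common) == 1 else None


def analyze(text, pool_margin=0x100000):
    """Flag handlers within pool_margin of the object addresses (assumed pool)."""
    objects, drivers, verdicts = parse_log(text)
    lo, hi = min(objects) - pool_margin, max(objects) + pool_margin
    stub = shared_stub(drivers)
    suspects = []
    for name, table in drivers.items():
        for idx, addr in sorted(table.items()):
            if addr != stub and lo <= int(addr, 16) <= hi:
                label = IRP_MJ[idx] if idx < len(IRP_MJ) else str(idx)
                suspects.append((name, label, addr))
    return {"drivers": drivers, "pool_range": (lo, hi), "shared_stub": stub,
            "suspect_handlers": suspects, "verdicts": verdicts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for drv, irp, addr in result["suspect_handlers"]:
        print(f"{drv}: IRP_MJ_{irp} handler at {addr} lies in the pool region")
    for path, verdict in result["verdicts"].items():
        print(f"{verdict:9} {path}")
```

Fed the full log from the post, it reports exactly one slot: atapi's IRP_MJ_DEVICE_CONTROL handler at 8F10F8B0, which sits next to the device and driver objects at 8F17xxxx and 8F1Dxxxx. The atapi slot at index 15 (B80C98B4) is far from that region and is left alone; deciding which loaded module owns it would need a module list that the thread does not include.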

            evilfantasy

            Re: infected System32\atapi.sys file. AVG need some help.
            « Reply #9 on: February 13, 2010, 07:46:55 PM »
            Try another scanner please.

            Please go to VirusChief.com

            1. Copy the file path in the below Code box:
            Code: [Select]
            c:\windows\system32\drivers\atapi.sys
            2. At the upload site, click once inside the window next to Browse.
            3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
            4. Click Scan.
            You will see a message:
            ENG: It can take up to 1 minute before your scan starts, please wait!
            GER: Es kann bis zu einer Minute dauern bis Ihr Scan startet, bitte warten!

            5. Once the scan is complete, copy the text in the window under BB Code and paste it into the next post.

            Zack


              Re: infected System32\atapi.sys file. AVG need some help.
              « Reply #10 on: February 13, 2010, 07:50:34 PM »
              Here it is.

              Antivir: Nothing found
              ArcaVir: Nothing found
              AVG: Nothing found
              BitDefender: Nothing found
              VirusBlokAda32: Rootkit.Win32.TDSL

              VirusBuster: Nothing found

              Report overview
              Scanned by viruschief.com

              -----------------------------------------------

              As a side note, I have not yet restarted my computer.
              The TDSSkiller program said it would be removed after a restart, but I wanted to run the results past you prior to restarting.  I'm sorry if I have caused additional work for you as the result of my actions.

              evilfantasy

              Re: infected System32\atapi.sys file. AVG need some help.
              « Reply #11 on: February 13, 2010, 07:56:34 PM »
              Restart and then scan it one more time at a different scanner. That only had one hit but that's too many with this infection. We can replace the file to fix it but I would rather not if we don't need to.

              Please go to NoVirusThanks.org - Multi-Engine Antivirus Scanner
              (If more than one file needs to be scanned they must be done separately and logs posted for each one)

              1. Copy and paste the following file path from the Code Box into the Suspicious files to scan box on the top of the page.

              Code: [Select]
              c:\windows\system32\drivers\atapi.sys
              2. At the upload site, click once inside the window next to Browse.
              3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              4. Click on the Submit File button.
              This will perform a scan across multiple different virus scanning engines.
              Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              Important: Wait until you see: Status - Finished
              5. Once the Scan is Finished scroll down and right click under the BB Code: box and choose Select All
              6. Next, on your Keyboard press ctrl+C (both at the same time). This will copy the text of the report into the Clipboard.
              7. Paste the contents of the Clipboard in your next reply. (Click once in the reply window and press ctrl+V)

              Zack


                Re: infected System32\atapi.sys file. AVG need some help.
                « Reply #12 on: February 13, 2010, 08:12:44 PM »
                File Info

                Report date: 14.2.2010 at 4.09.05 (GMT 1)
                File name: atapi.sys
                File size: 96512 bytes
                MD5 Hash: 9f3a2f5aa6875c72bf062c712cfa2674
                SHA1 Hash: A719156E8AD67456556A02C34E762944234E7A44
                Detection rate: 0 on 20
                Status: CLEAN

                Detections

                a-squared - -
                Avira AntiVir - -
                Avast - -
                AVG - -
                BitDefender - -
                ClamAV - -
                Comodo - -
                Dr.Web - -
                F-PROT6 - -
                G-Data - -
                Ikarus T3 - -
                Kaspersky - -
                McAfee - -
                NOD32 - -
                Panda - -
                Solo Antivirus - -
                Sophos - -
                TrendMicro - -
                VBA32 - -
                VirusBuster - -

                Scan report generated by
                NoVirusThanks.org



                --------------------------

                I am curious though, what is the intention of this program?
                Or is there one?

                I ran the scan on the other two sites again as well.
                Both VirusChief and Jotti's malware scan showed no infections.

                evilfantasy

                Re: infected System32\atapi.sys file. AVG need some help.
                « Reply #13 on: February 13, 2010, 08:30:30 PM »
                That is what we were looking for. :)

                Quote from: Zack
                I am curious though, what is the intention of this program?
                Or is there one?

                TDSSserv is a Rootkit. Rootkits in general are bad but this one is one of the worst to date. Luckily we have figured out how to deal with it and get it off of a computer.

                The goal is to get the person infected to buy some fake antivirus or other form of goods online. You enter your credit card or bank account information to make the purchase and they steal whatever they can before you figure out what's going on. The business of writing and spreading malware is a multi-billion dollar a year underground profession. Many, many people fall into the trap.



                If there are no more malware issues we can finish up now.

                * Click START then RUN
                * Now type Combofix /Uninstall in the runbox
                * Make sure there's a space between Combofix and /Uninstall
                * Then hit Enter.

                The above procedure will:
                * Delete: ComboFix and its associated files and folders.
                * Reset the clock settings.
                * Hide file extensions, if required.
                * Hide System/Hidden files, if required.
                * Set a new, clean Restore Point.

                ----------

                Clean out your temporary internet files and temp files.

                Download TFC by OldTimer to your desktop.

                Double-click TFC.exe to run it.

                Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                TFC will close all programs when run, so make sure you have saved all your work before you begin.

                * Click the Start button to begin the cleaning process.
                * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
                * Please let TFC run uninterrupted until it is finished.

                Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                ----------

                Use the Secunia Software Inspector to check for out of date software.

                * Click Start Now
                * Check the box next to Enable thorough system inspection.
                * Click Start
                * Allow the scan to finish and scroll down to see if any updates are needed.
                * Update anything listed.

                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                ----------

                I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                Zack


                  Re: infected System32\atapi.sys file. AVG need some help.
                  « Reply #14 on: February 13, 2010, 08:39:15 PM »
                  Thank you very much evilfantasy.
                  It was a pleasure to work with you.

                  I will bookmark this site and recommend it to all my friends and family.

                  Hopefully that is the end of this problem, thanks again. +)

                  evilfantasy

                  Re: infected System32\atapi.sys file. AVG need some help.
                  « Reply #15 on: February 13, 2010, 08:45:39 PM »
                  You're welcome. Let us know if anything else comes up.

                  Safe surfing...