
Topic: atapi.sys infected with rootkit


Stillborn (Topic Starter)
    atapi.sys infected with rootkit
    « on: November 14, 2009, 06:33:25 PM »
    Subject says it all. I saw a thread where this was fixed, but it contained instructions for that person's PC specifically. If someone could help me I'd be forever happy.

    AVG 9.0.707 with database 207.14.65/2503 (updated today) finds one infection...

    "C:\Windows\System32\drivers\atapi.sys";"Trojan horse Rootkit-Pakes.U";"Object is white-listed (critical/system file that should not be removed)"

    VirusTotal.com scan of that file, URL here...
    http://info.prevx.com/aboutprogramtext.asp?PX5=59EE877C50775149547100E34977E000F3151D00


    Stillborn (Topic Starter)

      Re: atapi.sys infected with rootkit
      « Reply #1 on: November 14, 2009, 06:35:22 PM »
      whoops, thought that was the URL for my scan, not an ad...

      http://www.virustotal.com/analisis/9816df12a64e8050142f41205d2b0ba5408c060f5ae2d8bd437274a57f4910a6-1258247996

      sorry for the bump

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: atapi.sys infected with rootkit
      « Reply #2 on: November 14, 2009, 06:42:48 PM »
      Welcome to CH.

      Please download SystemLook from one of the links below and save it to your desktop.

      Link #1
      Link #2

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      • Double-click SystemLook.exe to run it.
      • Copy the contents of the following codebox into the main textfield.
      Code:
      :filefind
      *atapi.sys

      • Click the Look button to start the scan.
      • Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
      • When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

      Stillborn (Topic Starter)

        Re: atapi.sys infected with rootkit
        « Reply #3 on: November 14, 2009, 06:50:18 PM »
        Thanks for the quick reply  :D

        SystemLook v1.0 by jpshortstuff (29.08.09)
        Log created at 20:51 on 14/11/2009 by Stillborn (Administrator - Elevation successful)

        ========== filefind ==========

        Searching for "*atapi.sys"
        C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
        C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
        C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

        -=End Of File=-
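In the log just posted, all three copies of atapi.sys have the same size and the same timestamps, but the copy in System32\drivers (the one the kernel actually loads) carries a different MD5 from the DriverStore and WinSxS copies, which agree with each other. As an added example that is not part of this thread and not code from SystemLook, the Python below parses that filefind output and reports exactly that situation. The sample log is the one posted above, embedded inline; treating DriverStore and WinSxS as the reference copies is the example's own assumption.

```python
"""Compare the loaded copy of a driver against the copies Windows keeps for servicing.

Added example for this thread, not code from SystemLook or from anyone in the
thread. It parses SystemLook ':filefind' output (the format posted above) and
flags a copy in the System32 drivers directory whose MD5 differs from the
DriverStore and WinSxS copies, which are the copies Windows installs from.
"""
import re
from collections import defaultdict

# The three lines SystemLook reported in the thread, embedded as sample input.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
"""

# path, attribute flags, size, created stamp, modified stamp, MD5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def classify(path):
    """Where a copy lives: the reference stores, the directory drivers load from, or elsewhere.

    Assumption of this example: DriverStore and WinSxS hold the pristine copies.
    """
    p = path.lower()
    if "\\driverstore\\" in p or "\\winsxs\\" in p:
        return "reference"
    if "\\system32\\drivers\\" in p:
        return "live"
    return "other"


def parse_filefind(text):
    """One dict per file line of a SystemLook :filefind log; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["role"] = classify(rec["path"])
        records.append(rec)
    return records


def check_driver_copies(text):
    """Return a finding for every loaded copy whose MD5 matches none of its reference copies."""
    by_name = defaultdict(list)
    for rec in parse_filefind(text):
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)
    findings = []
    for name, recs in by_name.items():
        refs = [r for r in recs if r["role"] == "reference"]
        if not refs:
            continue  # nothing trustworthy to compare against
        ref_md5 = {r["md5"] for r in refs}
        for live in (r for r in recs if r["role"] == "live"):
            if live["md5"] in ref_md5:
                continue
            # Same size and timestamps as a reference copy means only the bytes
            # changed: metadata alone would not have revealed the difference.
            metadata_matches = any(
                (r["size"], r["created"], r["modified"])
                == (live["size"], live["created"], live["modified"])
                for r in refs)
            findings.append({
                "file": name, "path": live["path"], "md5": live["md5"],
                "reference_md5": ref_md5, "metadata_matches": metadata_matches,
            })
    return findings


if __name__ == "__main__":
    for f in check_driver_copies(SAMPLE_LOG):
        print(f'{f["path"]}: MD5 {f["md5"]} differs from reference {sorted(f["reference_md5"])}'
              f' (size and timestamps identical: {f["metadata_matches"]})')
```

A hit from this check is not a verdict on its own: confirm it with a signature check (sigverif, or Get-AuthenticodeSignature in PowerShell) and by comparing the file with the copy a known-clean install of the same Windows 7 build ships, before replacing anything.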

        evilfantasy (Malware Removal Specialist, Moderator)
        Re: atapi.sys infected with rootkit
        « Reply #4 on: November 14, 2009, 07:20:36 PM »
        That looks fine, so we need to gather some more information.

        Do another SystemLook scan only use this as the input.

        Code:
        :filefind
        atapi.sys

        Next, run DDS and also post the two logs it creates.

        Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

        Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).

        * XP users: double-click on dds to run it.
        * If your antivirus or firewall tries to block DDS, please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please copy and paste the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copy and pasting it into the reply.

          Stillborn (Topic Starter)

          Re: atapi.sys infected with rootkit
          « Reply #5 on: November 14, 2009, 07:29:14 PM »
          SystemLook v1.0 by jpshortstuff (29.08.09)
          Log created at 21:25 on 14/11/2009 by Stillborn (Administrator - Elevation successful)

          ========== filefind ==========

          Searching for "atapi.sys"
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
          C:\Windows\System32\drivers\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 8DF34C0DB2C16473A7BA722860F088CB
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys   --a--- 21584 bytes   [23:11 13/07/2009]   [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

          -=End Of File=-

          DDS (Ver_09-10-26.01) - NTFSx86 
          Run by Stillborn at 21:26:43.57 on Sat 11/14/2009
          Internet Explorer: 8.0.7600.16385
          Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2038.1075 [GMT -8:00]


          ============== Running Processes ===============

          C:\Windows\system32\wininit.exe
          C:\Windows\system32\lsm.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          C:\Windows\system32\svchost.exe -k RPCSS
          C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          C:\Windows\system32\svchost.exe -k NetworkService
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
          C:\Windows\system32\svchost.exe -k netsvcs
          C:\Windows\system32\svchost.exe -k LocalService
          C:\Windows\System32\spoolsv.exe
          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
          C:\Windows\system32\taskhost.exe
          C:\Windows\system32\Dwm.exe
          C:\Windows\Explorer.EXE
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
          C:\Windows\system32\SearchIndexer.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\Windows\system32\svchost.exe -k bthsvcs
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\Windows\System32\rundll32.exe
          C:\Windows\System32\igfxtray.exe
          C:\Windows\System32\igfxpers.exe
          C:\Windows\system32\igfxsrvc.exe
          C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
          C:\Program Files\Windows Media Player\wmpnetwk.exe
          C:\Program Files\mIRC\mirc.exe
          C:\Program Files\Mozilla Thunderbird\thunderbird.exe
          C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
          C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\System32\svchost.exe -k LocalServicePeerNet
          C:\Windows\system32\sppsvc.exe
          C:\Windows\explorer.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Windows\System32\svchost.exe -k WerSvcGroup
          C:\Windows\system32\SearchProtocolHost.exe
          C:\Windows\system32\SearchFilterHost.exe
          C:\Users\Stillborn\Desktop\SystemLook.exe
          C:\WINDOWS\notepad.exe
          C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe
          C:\Users\Stillborn\Desktop\dds.scr
          C:\Windows\system32\conhost.exe

          ============== Pseudo HJT Report ===============

          uInternet Settings,ProxyOverride = *.local
          uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
          BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
          BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
          BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
          BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
          BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
          TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
          TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
          mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
          mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
          mRun: [Persistence] c:\windows\system32\igfxpers.exe
          mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
          mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
          mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
          mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
          mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
          mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
          IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
          IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
          IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
          IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
          TCP: {7F36C277-8A6E-4765-882E-A47A069EB5E8} = 156.154.70.22,156.154.71.22
          TCP: {F1614A73-6CA9-4886-8059-17CFF70F595D} = 156.154.70.22,156.154.71.22
          Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
          Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
          Notify: igfxcui - igfxdev.dll
          AppInit_DLLs: c:\windows\system32\avgrsstx.dll c:\windows\system32\guard32.dll
          SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

          ================= FIREFOX ===================

          FF - ProfilePath - c:\users\stillb~1\appdata\roaming\mozilla\firefox\profiles\h8885fj1.default\
          FF - prefs.js: browser.startup.homepage - myspace.com | facebook.com | voice.google.com | wave.google.com
          FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
          FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
          FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
          FF - plugin: c:\program files\microsoft\office live\npOLW.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
          FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

          ============= SERVICES / DRIVERS ===============

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-13 333192]
          R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-13 360584]
          R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-14 128888]
          R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-14 29520]
          R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
          R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-13 285392]
          R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
          R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
          R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 9344]
          R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
          R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
          R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
          R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
          S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
          S3 utizmjqx;AVZ Kernel Driver;c:\windows\system32\drivers\utizmjqx.sys [2009-11-14 7168]

          =============== Created Last 30 ================

          2009-11-15 02:09:01   7168   ----a-w-   c:\windows\system32\drivers\utizmjqx.sys
          2009-11-15 02:08:25   0   d-----w-   c:\programdata\is-V3A02
          2009-11-15 01:44:48   0   d-s---w-   C:\ComboFix
          2009-11-14 23:22:58   98816   ----a-w-   c:\windows\sed.exe
          2009-11-14 23:22:58   77312   ----a-w-   c:\windows\MBR.exe
          2009-11-14 23:22:58   260608   ----a-w-   c:\windows\PEV.exe
          2009-11-14 23:22:58   161792   ----a-w-   c:\windows\SWREG.exe
          2009-11-14 22:39:02   0   d-----w-   c:\programdata\Comodo
          2009-11-14 22:39:00   29520   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
          2009-11-14 22:39:00   179792   ----a-w-   c:\windows\system32\guard32.dll
          2009-11-14 22:38:59   128888   ----a-w-   c:\windows\system32\drivers\cmdguard.sys
          2009-11-14 22:38:46   0   d-----w-   c:\program files\COMODO
          2009-11-14 21:28:00   0   d-----w-   c:\windows\pss
          2009-11-14 19:20:02   0   ---ha-w-   c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
          2009-11-14 10:40:40   0   d-----w-   c:\users\stillborn\Tracing
          2009-11-14 10:38:15   0   d-----w-   c:\program files\Microsoft Office Outlook Connector
          2009-11-14 10:37:30   3426072   ----a-w-   c:\windows\system32\d3dx9_32.dll
          2009-11-14 10:37:26   20   ----a-w-   c:\windows\Àö¥
          2009-11-14 10:37:26   0   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
          2009-11-14 10:36:46   0   d-----w-   c:\program files\Windows Live SkyDrive
          2009-11-14 10:29:28   0   d-----w-   c:\program files\Unlocker
          2009-11-14 10:22:42   0   d-----w-   c:\program files\common files\Windows Live
          2009-11-14 10:10:36   0   d-----w-   c:\program files\Microsoft
          2009-11-14 10:10:12   0   d-----w-   c:\program files\MSXML 4.0
          2009-11-14 09:26:38   0   dc-h--w-   c:\programdata\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
          2009-11-14 09:24:22   0   dc-h--w-   c:\programdata\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
          2009-11-14 09:24:04   0   d-----w-   c:\programdata\DriverScanner
          2009-11-14 09:24:04   0   d-----w-   c:\program files\Uniblue DriverScanner 2009
          2009-11-14 06:59:16   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
          2009-11-14 06:59:13   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2009-11-14 06:59:04   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2009-11-14 06:59:03   0   d-----w-   c:\windows\system32\drivers\Avg
          2009-11-14 06:58:37   0   d-----w-   c:\program files\AVG
          2009-11-14 06:58:34   0   d-----w-   c:\programdata\avg9
          2009-11-14 06:24:42   0   d-----w-   c:\users\stillb~1\appdata\roaming\Foxit
          2009-11-14 06:24:41   0   d-----w-   c:\program files\Foxit Software
          2009-11-14 05:29:42   0   d-----w-   c:\users\stillb~1\appdata\roaming\BitDefender
          2009-11-14 05:29:41   0   d-----w-   c:\programdata\BitDefender
          2009-11-14 05:29:41   0   d-----w-   c:\program files\BitDefender
          2009-11-14 05:26:54   0   d-----w-   c:\program files\common files\BitDefender
          2009-11-13 21:18:22   32656   ----a-w-   c:\windows\system32\msonpmon.dll
          2009-11-13 21:17:25   0   d-----w-   c:\program files\uTorrent
          2009-11-13 21:17:17   0   d-----w-   c:\users\stillb~1\appdata\roaming\uTorrent
          2009-11-13 21:14:38   0   d-----w-   c:\users\stillb~1\appdata\roaming\BitTorrent
          2009-11-13 21:12:54   0   d-----w-   c:\windows\PCHEALTH
          2009-11-13 21:10:47   0   d-----w-   c:\program files\Microsoft Visual Studio 8
          2009-11-13 21:09:44   0   d-----w-   c:\programdata\Microsoft Help
          2009-11-13 20:48:56   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
          2009-11-13 20:48:56   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
          2009-11-13 20:48:25   0   d-----w-   c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
          2009-11-13 20:48:25   0   d-----w-   c:\program files\iTunes
          2009-11-13 20:48:25   0   d-----w-   c:\program files\iPod
          2009-11-13 16:58:57   257024   ----a-w-   c:\windows\system32\msv1_0.dll
          2009-11-13 16:38:35   398336   ----a-w-   c:\windows\system32\TVWizudlg.exe
          2009-11-13 16:38:35   140288   ----a-w-   c:\windows\system32\igfxtvcx.dll
          2009-11-13 16:38:35   121232   ----a-w-   c:\windows\system32\IScrNB.bmp
          2009-11-13 16:38:35   0   d-----w-   c:\windows\system32\Lang
          2009-11-13 16:13:33   0   d-----w-   c:\program files\K-Lite Codec Pack
          2009-11-13 16:12:21   0   d-----w-   c:\program files\Ask.com
          2009-11-13 16:11:27   0   d-----w-   c:\program files\BitTorrent
          2009-11-13 15:57:39   0   d-----w-   c:\programdata\Ahead
          2009-11-13 15:54:32   0   d-----w-   c:\programdata\Nero
          2009-11-13 15:54:32   0   d-----w-   c:\program files\Nero
          2009-11-13 15:43:58   0   d-----w-   c:\users\stillb~1\appdata\roaming\Malwarebytes
          2009-11-13 15:43:55   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2009-11-13 15:43:53   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2009-11-13 15:43:52   0   d-----w-   c:\programdata\Malwarebytes
          2009-11-13 15:43:52   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2009-11-13 15:40:16   0   dc-h--w-   c:\programdata\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
          2009-11-13 15:39:40   0   dc-h--w-   c:\programdata\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
          2009-11-13 15:39:00   0   d-----w-   c:\users\stillb~1\appdata\roaming\Uniblue
          2009-11-13 15:39:00   0   d-----w-   c:\program files\Uniblue
          2009-11-13 15:37:03   0   d-----w-   c:\program files\Audacity
          2009-11-13 15:35:52   0   d-----w-   c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
          2009-11-13 15:34:39   0   d-----w-   c:\program files\Bonjour
          2009-11-13 15:33:53   0   d-----w-   c:\programdata\Apple Computer
          2009-11-13 15:33:17   0   d-----w-   c:\users\stillb~1\appdata\roaming\mIRC
          2009-11-13 15:32:40   0   d-----w-   c:\programdata\Apple
          2009-11-13 15:30:10   0   d-----w-   c:\programdata\Yahoo! Companion
          2009-11-13 15:28:56   0   d-----w-   c:\programdata\Yahoo!
          2009-11-13 15:28:49   0   d-----w-   c:\program files\Yahoo!
          2009-11-13 15:26:43   0   d-----w-   c:\programdata\PlotSoft
          2009-11-13 15:26:43   0   d-----w-   c:\program files\PlotSoft
          2009-11-13 15:25:46   0   d-sh--w-   c:\windows\Installer
          2009-11-13 15:25:08   0   d-----w-   c:\program files\WinSCP
          2009-11-13 15:23:43   0   d-----w-   c:\program files\PowerISO
          2009-11-13 15:13:18   713888   ----a-w-   c:\windows\system32\PerfStringBackup.INI
          2009-11-13 15:12:35   0   d-----w-   c:\windows\system32\wbem\Performance
          2009-11-13 15:11:07   997912   ----a-w-   c:\windows\system32\igxpun.exe
          2009-11-13 15:11:07   0   d-----w-   c:\windows\system32\x64
          2009-11-13 14:49:41   195456   ------w-   c:\windows\system32\MpSigStub.exe
          2009-11-13 14:29:12   0   d-----w-   c:\windows\Panther
          2009-11-03 22:50:06   0   d-----w-   C:\$AVG
          2009-10-29 16:07:36   0   d-----w-   C:\sk
          2009-10-29 16:05:51   0   d-----w-   C:\con
          2009-10-20 00:04:00   72200   ----a-w-   c:\windows\system32\drivers\BdfNdisf6.sys

          ==================== Find3M  ====================

          2009-10-13 18:00:00   85504   ----a-w-   c:\windows\system32\ff_vfw.dll
          2009-10-09 10:37:44   1096704   ----a-w-   c:\windows\system32\drivers\athr.sys
          2009-10-02 04:06:59   728648   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
          2009-09-03 07:04:15   1320960   ----a-w-   c:\windows\system32\CertEnroll.dll
          2009-08-29 06:57:31   34816   ----a-w-   c:\windows\system32\msasn1.dll
          2009-08-29 06:54:52   12625408   ----a-w-   c:\windows\system32\wmploc.DLL
          2009-08-19 07:20:32   442920   ----a-w-   c:\windows\system32\winresume.exe
          2009-08-19 07:20:31   507568   ----a-w-   c:\windows\system32\winload.exe
          2009-08-18 07:33:52   1193832   ----a-w-   c:\windows\system32\FM20.DLL
          2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfd.dat
          2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfc.dat
          2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfi.dat
          2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfh.dat
          2009-07-14 04:41:57   174   --sha-w-   c:\program files\desktop.ini
          2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfi.dat
          2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfh.dat
          2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfd.dat
          2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfc.dat
          2009-06-10 21:26:35   9633792   --sha-r-   c:\windows\fonts\StaticCache.dat
          2009-07-14 01:14:45   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

          ============= FINISH: 21:27:08.35 ===============

          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT

          DDS (Ver_09-10-26.01)

          Microsoft Windows 7 Home Premium
          Boot Device: \Device\HarddiskVolume1
          Install Date: 11/13/2009 7:08:16 AM
          System Uptime: 11/14/2009 8:06:36 PM (1 hours ago)

          Motherboard: Sony Corporation |  | VAIO
          Processor: Intel(R) Pentium(R) Dual  CPU  T2330  @ 1.60GHz | N/A | 1600/133mhz

          ==== Disk Partitions =========================

          C: is FIXED (NTFS) - 186 GiB total, 66.027 GiB free.
          D: is CDROM ()
          E: is FIXED (NTFS) - 0 GiB total, 0.01 GiB free.

          ==== Disabled Device Manager Items =============

          Class GUID:
          Description: Mass Storage Controller
          Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_902D104D&REV_00\4&23979A68&0&1AF0
          Manufacturer:
          Name: Mass Storage Controller
          PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_902D104D&REV_00\4&23979A68&0&1AF0
          Service:

          ==== System Restore Points ===================

          RP12: 11/13/2009 1:07:44 PM - Installed Microsoft Office Enterprise 2007
          RP13: 11/13/2009 9:28:57 PM - Installed BitDefender Internet Security 2010
          RP14: 11/13/2009 10:46:30 PM - Removed BitDefender Internet Security 2010
          RP15: 11/13/2009 10:58:23 PM - Installed AVG Free 9.0
          RP17: 11/14/2009 1:23:31 AM - Installed Uniblue DriverScanner v1.0
          RP18: 11/14/2009 1:37:42 AM - Uniblue RegistryBooster 2009
          RP19: 11/14/2009 2:09:02 AM - Windows Update
          RP20: 11/14/2009 8:54:06 AM - Windows Update
          RP21: 11/14/2009 2:42:26 PM - Device Driver Package Install: COMODO Network Service
          RP22: 11/14/2009 5:43:58 PM - Windows Update
          RP24: 11/14/2009 5:47:06 PM - Windows Update

          ==== Installed Programs ======================

          µTorrent
          Adobe Flash Player 10 ActiveX
          Adobe Flash Player 10 Plugin
          Apple Application Support
          Apple Mobile Device Support
          Apple Software Update
          Ask Toolbar
          Audacity 1.2.6
          AVG Free 9.0
          Bonjour
          COMODO Internet Security
          FLV Player 2.0 (build 25)
          Foxit Reader
          Intel(R) Graphics Media Accelerator Driver
          Intel(R) TV Wizard
          iTunes
          K-Lite Mega Codec Pack 5.2.0
          Malwarebytes' Anti-Malware
          Microsoft Application Error Reporting
          Microsoft Choice Guard
          Microsoft Office 2007 Service Pack 2 (SP2)
          Microsoft Office Access MUI (English) 2007
          Microsoft Office Access Setup Metadata MUI (English) 2007
          Microsoft Office Enterprise 2007
          Microsoft Office Excel MUI (English) 2007
          Microsoft Office Groove MUI (English) 2007
          Microsoft Office Groove Setup Metadata MUI (English) 2007
          Microsoft Office InfoPath MUI (English) 2007
          Microsoft Office Live Add-in 1.4
          Microsoft Office OneNote MUI (English) 2007
          Microsoft Office Outlook Connector
          Microsoft Office Outlook MUI (English) 2007
          Microsoft Office PowerPoint MUI (English) 2007
          Microsoft Office Proof (English) 2007
          Microsoft Office Proof (French) 2007
          Microsoft Office Proof (Spanish) 2007
          Microsoft Office Proofing (English) 2007
          Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
          Microsoft Office Publisher MUI (English) 2007
          Microsoft Office Shared MUI (English) 2007
          Microsoft Office Shared Setup Metadata MUI (English) 2007
          Microsoft Office Word MUI (English) 2007
          Microsoft Silverlight
          Microsoft SQL Server 2005 Compact Edition [ENU]
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
          Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
          mIRC
          Mozilla Firefox (3.5.2)
          Mozilla Thunderbird (2.0.0.23)
          MSVCRT
          MSXML 4.0 SP2 (KB954430)
          Nero 7 Ultra Edition
          neroxml
          PDFill PDF Editor with FREE PDF Writer and Tools
          PowerISO
          QuickTime
          Safari
          Security Update for 2007 Microsoft Office System (KB969559)
          Security Update for 2007 Microsoft Office System (KB973704)
          Security Update for Microsoft Office Excel 2007 (KB973593)
          Security Update for Microsoft Office Outlook 2007 (KB972363)
          Security Update for Microsoft Office PowerPoint 2007 (KB957789)
          Security Update for Microsoft Office Publisher 2007 (KB969693)
          Security Update for Microsoft Office system 2007 (972581)
          Security Update for Microsoft Office system 2007 (KB969613)
          Security Update for Microsoft Office system 2007 (KB974234)
          Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
          Uniblue DriverScanner 2009
          Uniblue PowerSuite 2009
          Uniblue RegistryBooster 2009
          Uniblue SpeedUpMyPC 2009
          Unlocker 1.8.8
          Update for 2007 Microsoft Office System (KB967642)
          Update for Microsoft Office 2007 Help for Common Features (KB963673)
          Update for Microsoft Office Access 2007 Help (KB963663)
          Update for Microsoft Office Excel 2007 Help (KB963678)
          Update for Microsoft Office Infopath 2007 Help (KB963662)
          Update for Microsoft Office OneNote 2007 Help (KB963670)
          Update for Microsoft Office Outlook 2007 Help (KB963677)
          Update for Microsoft Office Powerpoint 2007 Help (KB963669)
          Update for Microsoft Office Publisher 2007 Help (KB963667)
          Update for Microsoft Office Script Editor Help (KB963671)
          Update for Microsoft Office Word 2007 (KB974561)
          Update for Microsoft Office Word 2007 Help (KB963665)
          Update for Outlook 2007 Junk Email Filter (kb975960)
          Windows Live Call
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live ID Sign-in Assistant
          Windows Live Messenger
          Windows Live Movie Maker
          Windows Live Photo Gallery
          Windows Live Sync
          Windows Live Upload Tool
          WinRAR archiver
          WinSCP 4.1.9
          Yahoo! Messenger
          Yahoo! Software Update
          Yahoo! Toolbar

          ==== Event Viewer Messages From Past Week ========

          11/14/2009 8:20:53 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for Start with the following error:  Access is denied.
          11/14/2009 6:07:48 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:47 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
          11/14/2009 6:07:47 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
          11/14/2009 6:07:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
          11/14/2009 6:07:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
          11/14/2009 6:07:44 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
          11/14/2009 6:07:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
          11/14/2009 6:07:26 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX cmdGuard cmdHlp DfsC discache inspect NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:07:25 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
          11/14/2009 6:00:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 5:59:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7034]  - The Application Information service terminated unexpectedly.  It has done this 1 time(s).
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The IP Helper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:58:49 PM, Error: Service Control Manager [7031]  - The Application Experience service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/14/2009 5:49:26 PM, Error: Microsoft-Windows-WMPNSS-Service [14332]  - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Microsoft Office Word 2007 (KB974561).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Microsoft Office Outlook 2007 (KB969907).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB973704).
          11/14/2009 5:45:20 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Publisher 2007 (KB969693).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706be: Security Update for Microsoft Office Word 2007 (KB969604).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB974234).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB972581).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB969613).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for the 2007 Microsoft Office System (KB969559).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Visual C++ 2008 Redistributable Package (KB973924).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft PowerPoint 2007 (KB957789).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Visio Viewer 2007 (KB973709).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Outlook 2007 (KB972363).
          11/14/2009 5:45:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Microsoft Office Excel 2007 (KB973593).
          11/14/2009 3:36:22 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
          11/14/2009 12:37:24 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 5 time(s).
          11/14/2009 12:18:57 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 4 time(s).
          11/14/2009 12:13:35 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 3 time(s).
          11/14/2009 12:08:38 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Error Reporting Service service, but this action failed with the following error:  An instance of the service is already running.
          11/14/2009 12:03:38 PM, Error: Service Control Manager [7031]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
          11/14/2009 11:57:46 AM, Error: Service Control Manager [7031]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
          11/14/2009 11:55:34 AM, Error: Schannel [36888]  - The following fatal alert was generated: 10. The internal error state is 10.
          11/14/2009 1:36:20 PM, Error: Service Control Manager [7023]  - The Superfetch service terminated with the following error:  The data is invalid.
          11/14/2009 1:36:18 PM, Error: Service Control Manager [7023]  - The Function Discovery Provider Host service terminated with the following error:  %%-2147467243
          11/14/2009 1:36:18 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  %%-2147467243
          11/14/2009 1:36:17 PM, Error: Service Control Manager [7024]  - The Computer Browser service terminated with service-specific error The service has not been started..
          11/14/2009 1:36:17 PM, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  The service has not been started.
          11/14/2009 1:36:17 PM, Error: BROWSER [8017]  - The browser has failed to start because the dependent service LanmanServer had invalid service status 3. Status             Meaning   1              Service Stopped    2              Start Pending    3              Stop Pending    4              Running    5              Continue Pending    6              Pause Pending    7              Paused
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error:  A system shutdown has already been scheduled.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error:  A system shutdown has already been scheduled.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The Power service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:36:09 PM, Error: Service Control Manager [7031]  - The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
          11/14/2009 1:32:32 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
          11/14/2009 1:25:37 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 9 time(s).
          11/14/2009 1:20:26 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 8 time(s).
          11/14/2009 1:08:33 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 7 time(s).
          11/14/2009 1:00:01 PM, Error: Service Control Manager [7034]  - The Windows Error Reporting Service service terminated unexpectedly.  It has done this 6 time(s).
          11/13/2009 12:47:38 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error:  An instance of the service is already running.
          11/13/2009 12:46:37 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          11/13/2009 12:46:11 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

          ==== End Of File ===========================

          evilfantasy

          Re: atapi.sys infected with rootkit
          « Reply #6 on: November 14, 2009, 07:53:07 PM »
          I see you installed ComboFix. I need that log please. It can be found in C:\combofix.txt

          Also please scan this file at VirusTotal and post the link to the results back here.

          Code:
          c:\windows\system32\drivers\utizmjqx.sys
          After that uninstall:

          • Ask Toolbar

          Stillborn

            Re: atapi.sys infected with rootkit
            « Reply #7 on: November 14, 2009, 08:06:43 PM »
            I didn't run ComboFix. When I tried to run it I got a warning that it should not be run on a live machine since it was still beta for Win 7. Is it safe to run??

            Good find on that other .sys, btw; neither AVG nor Kaspersky caught it...
            http://www.virustotal.com/analisis/7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237-1258253811

            As for Ask Toolbar, I noticed it when I posted my previous post. I generally un-tick all toolbars when I'm installing something. Looks like I was in a hurry on that one lol

            evilfantasy

            Re: atapi.sys infected with rootkit
            « Reply #8 on: November 14, 2009, 08:34:01 PM »
            Quote
            I got a warning that it should not be run on a live machine since it was still beta for Win 7. Is it safe to run??

            Windows 7 is not in Beta any more. It's gone to retail level and the Betas are no longer supported. You need to get a licensed version of Windows installed, which means reformatting and reinstalling, which will remove any malware in the process. You can try running it but the result might be a broken OS. Your choice.

            Stillborn

              Re: atapi.sys infected with rootkit
              « Reply #9 on: November 14, 2009, 08:41:26 PM »
              No, I have Windows 7 final. I reformatted it yesterday morning from beta, and in the process of getting some software I picked up the virus.

              Combofix gives me the warning.

              http://i34.tinypic.com/1z705s2.jpg

              evilfantasy

              Re: atapi.sys infected with rootkit
              « Reply #10 on: November 14, 2009, 08:48:56 PM »
              This is a 64-bit machine?

              Stillborn

                Re: atapi.sys infected with rootkit
                « Reply #11 on: November 14, 2009, 08:53:07 PM »
                It's 32-bit.

                evilfantasy

                Re: atapi.sys infected with rootkit
                « Reply #12 on: November 14, 2009, 09:10:37 PM »
                OK let's try a different approach.

                Go to Start > Run > type Notepad.exe and click OK to open Notepad.

                Copy all of the text in the below Code box into Notepad.

                Code:
                @echo off
                rem Copy the clean atapi.sys from the driver store to C:\ (writing to C:\ needs an elevated prompt on Windows 7)
                copy C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys c:\atapi.sys
                rem Keep the window open on failure so the error message can be read
                if errorlevel 1 pause
                exit

                In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

                Now double click the event.bat file you just created and let it finish. If you can't tell when it's finished, look for a file in C:\ named atapi.sys.



                Download The Avenger by Swandog46 and save it to your desktop.

                * Extract avenger.exe from the Zip file and save it to your Desktop
                * Run avenger.exe by double-clicking on it.
                * Do not change any check box options!!
                * Copy everything in the Code box below, and paste it into the Input script here window:

                Code:
                Comment:

                Files to delete:
                c:\windows\system32\drivers\utizmjqx.sys

                Files to move:
                c:\atapi.sys | C:\Windows\System32\drivers\atapi.sys

                * Now click the Execute button.
                * Click Yes to the prompt to confirm you want to execute.
                * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
                * Your PC should reboot, if not, reboot it yourself.
                * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

                * Add the Avenger log in your next post.
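
To confirm that the swap above actually took (and to see the mismatch before it), here is a PowerShell check added as an example; it is not part of the thread or of evilfantasy's instructions. It compares the live atapi.sys with the driver store copy by SHA-256 and prints each file's version and Authenticode status, assuming the paths quoted in the thread, a 32-bit Windows 7 with PowerShell 2.0 or later, and an elevated prompt.

```powershell
# Added example, not from the thread: verify the live atapi.sys against the
# copy Windows keeps in the driver store. Paths are the ones quoted in the
# thread; run from an elevated PowerShell prompt.

$LiveDriver = 'C:\Windows\System32\drivers\atapi.sys'

# The DriverStore folder name (mshdc.inf_x86_neutral_<hash>) differs per build,
# so match it with a wildcard; on 32-bit Windows 7 there is a single copy.
$StoreCopy = Get-ChildItem 'C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_*\atapi.sys' |
    Select-Object -First 1 -ExpandProperty FullName

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 (Windows 7 default), which has no Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function Get-DriverReport {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # In-box Microsoft drivers are normally catalog-signed, so SigStatus may read
    # NotSigned on a genuine file; the hash comparison below is the decisive check.
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Sha256    = Get-Sha256Hex -Path $Path
        SigStatus = $sig.Status.ToString()
        Signer    = $signer
    }
}

if (-not $StoreCopy) {
    Write-Warning 'No atapi.sys found under DriverStore\FileRepository; nothing to compare against.'
    return
}

$live  = Get-DriverReport -Path $LiveDriver
$store = Get-DriverReport -Path $StoreCopy
$live, $store | Format-List Path, Size, Version, Sha256, SigStatus, Signer

if ($live.Sha256 -eq $store.Sha256) {
    Write-Host 'OK: live atapi.sys is byte-identical to the driver store copy.'
} else {
    Write-Warning 'MISMATCH: live atapi.sys differs from the driver store copy; the file has been altered or is a different build.'
}
```

Run it once before the Avenger step to record the mismatch and once after the reboot to confirm the hashes now agree. A kernel-mode rootkit that hooks disk access can return a clean image of a file it has modified to user-mode tools, so a comparison made from offline media is more reliable than one made from the running system.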

                Stillborn

                  Re: atapi.sys infected with rootkit
                  « Reply #13 on: November 14, 2009, 09:29:52 PM »
                  When I ran the batch, cmd would flash and go away, but atapi.sys would not be in C:\. Since I couldn't see the error I ran the copy command in CMD itself instead of from the .bat, and access was denied. I ran an elevated cmd and used the copy command, and it copied the file fine. I then ran The Avenger...

                  Logfile of The Avenger Version 2.0, (c) by Swandog46
                  http://swandog46.geekstogo.com

                  Platform:  Windows Vista

                  *******************

                  Script file opened successfully.
                  Script file read successfully.

                  Backups directory opened successfully at C:\Avenger

                  *******************

                  Beginning to process script file:

                  Rootkit scan active.
                  No rootkits found!

                  File "c:\windows\system32\drivers\utizmjqx.sys" deleted successfully.
                  File move operation "c:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

                  Completed script processing.

                  *******************

                  Finished!  Terminate.

                  evilfantasy

                  Re: atapi.sys infected with rootkit
                  « Reply #14 on: November 14, 2009, 09:38:08 PM »
                  Glad you figured it out!

                  That should have replaced the infected file.

                  I am concerned about this.

                  Quote
                  2009-11-15 02:08:25   0   d-----w-   c:\programdata\is-V3A02

                  It was created 34 seconds before the utizmjqx.sys file was, so it might also be malware. I think it's an empty folder, and if so then I would delete it.

                  Also run a good online scanner to make sure nothing else is hiding.

                  First run CCleaner. Download CCleaner Slim and save it to your desktop.
                  When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
                  Follow the prompts to install the program.
                  Complete the installation then:

                  • Double-click the CCleaner shortcut on the desktop to start the program.
                  • Click on the Options block on the left, then choose Cookies.
                    • Under Cookies to Delete, highlight any cookies you would like to retain permanently
                    • Click the right arrow > to move them to the Cookies to Keep window.
                  • Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
                  • Click Cleaner on the left then Run Cleaner on the right to run the program.
                  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner
                  • Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
                  • Exit CCleaner after it has completed its process.
                  Note: CCleaner is a 100% free tool. I suggest keeping it and running it regularly to keep your computer running smoothly.

                  ----------

                  ESET Online Scan

                  Scan your computer with the ESET FREE Online Virus Scan

                  * Click the ESET Online Scanner button.

                  * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                  * Place a check mark next to YES, I accept the Terms of Use.

                  * Click the Start button.
                  * Accept any security warnings from your browser.
                  * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                  * Click the Start button.
                  * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                  * When the scan completes, click List of found threats.
                  * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                  * Click the <<Back button then click Finish.

                  In your next reply please include the ESET Online Scan Log

                  Stillborn

                    Re: atapi.sys infected with rootkit
                    « Reply #15 on: November 14, 2009, 09:48:49 PM »
                    It was an empty folder, which is gone now. I ran AVG and had it just scan C:\Windows\System32\drivers\ and it came back clean. I also had VirusTotal scan the new atapi.sys, which came back clean as well. I'm currently running MBAM and a full AVG scan and installing CCleaner. I'll also run an online scan after CCleaner is installed and run and let you know, but as of right now it seems like it's gone.

                    I have a question though. I obviously tried ComboFix to try to replace atapi.sys, and when I got the warning I decided to come here. My first instinct after that though was to get into safe mode with command prompt and copy the files that way. Would it have worked? And if not, would running a command prompt from a restore CD/flash drive and copying the file have worked?

                    evilfantasy

                    Re: atapi.sys infected with rootkit
                    « Reply #16 on: November 14, 2009, 10:07:12 PM »
                    Yes, you most likely could have copied it a number of ways. You just have to be very careful with that file. Without it Windows will not boot, which is why AVG wouldn't remove it.

                    Hopefully nothing else will be found, but since the other file that we deleted was there, you never know what else might come up. And as a precaution we should run a scanner that doesn't remove what it finds, to be on the safe side.

                    Use Panda instead of ESET.

                    Scan your computer with Panda ActiveScan

                    * Once you are on the Panda site click the Scan your PC now button.
                    * A new window will open...click the Scan Now button.
                    * If it wants to install an ActiveX component allow it.
                    * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
                    * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
                    * The scan will begin. Please be patient as it can take an hour or more to complete.
                    * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
                    * Save the ActiveScan.txt to a convenient location like your desktop.
                    * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

                    * Post the contents of the ActiveScan report in your next reply.


                    Stillborn

                      Re: atapi.sys infected with rootkit
                      « Reply #17 on: November 15, 2009, 12:48:07 AM »
                      ;*****************************************************************************
                      ANALYSIS: 2009-11-15 02:48:51
                      PROTECTIONS: 1
                      MALWARE: 7
                      SUSPECTS: 3
                      ;*****************************************************************************
                      PROTECTIONS
                      Description                                  Version                       Active    Updated
                      ;====================================================================
                      AVG Anti-Virus Free                                                        Yes       Yes
                      ;====================================================================
                      MALWARE
                      Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
                      ;====================================================================
                      00020386  Application/MotherboardMonitor.A   HackTools           No        0         Yes            No           c:\program files\mirc\moo.dll
                      00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\stillborn@atdmt[1].txt
                      00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\stillborn@fastclick[1].txt
                      00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[email protected][2].txt
                      00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\[email protected][2].txt
                      00815304  mIRC/Gen                           Virus/Worm          No        0         Yes            No           c:\program files\mirc\backups\aliases.ini
                      00954094  Rootkit/Bagle.UV                   Virus/Worm          No        1         Yes            No           c:\avenger\utizmjqx.sys
                      03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\avenger\atapi.sys
                      ;====================================================================
                      SUSPECTS
                      Sent      Location
                      ;====================================================================
                      No        c:\program files\mirc\backups\mirc.exe
                      No        c:\program files\mirc\mirc-keygen\keygen.exe
                      No        c:\users\stillborn\documents\utilities and installers\uniblue powersuite 2009\setup.exe
                      ;====================================================================
                      VULNERABILITIES
                      Id        Severity       Description
                      ;====================================================================
                      « Last Edit: November 15, 2009, 09:57:15 AM by evilfantasy »

evilfantasy
                      Re: atapi.sys infected with rootkit
                      « Reply #18 on: November 15, 2009, 10:00:23 AM »
                      Using cracks will get you infected every time...



                      Download OTM by OldTimer to your desktop.

                      Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                      * Save it to your Desktop.
                      * Double-click OTM.exe to run it.
                      * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
                      :Processes
                      explorer.exe

                      :services

                      :reg

                      :files
                      c:\program files\mirc
                      c:\avenger\utizmjqx.sys
                      c:\avenger\atapi.sys

                      :Commands
                      [purity]
                      [emptytemp]
                      [start explorer]

                      * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                      * Click the red Moveit! button.
                      * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

                      * Close OTM

                      Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

Stillborn

                        Re: atapi.sys infected with rootkit
                        « Reply #19 on: November 15, 2009, 04:14:12 PM »
                        The system required reboot so I wasn't able to copy the results and post them. I checked everything under the "files" list and they're all gone.

evilfantasy
                        Re: atapi.sys infected with rootkit
                        « Reply #20 on: November 15, 2009, 04:16:53 PM »
                        Sounds good. Time to finish up.

                        1. Double click OTM to launch it.
                        Vista users right click and choose Run As Administrator
                        2. Click on the CleanUp! button.
                        3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
                        4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                        5. When finished exit out of OTM.

                        ----------

                        Use the Secunia Software Inspector to check for out of date software.
                        • Click Start Now
                        • Check the box next to Enable thorough system inspection.
                        • Click Start
                        • Allow the scan to finish and scroll down to see if any updates are needed.
                        • Update anything listed.
                        ----------

                        Go to Microsoft Windows Update and get all critical updates.

                        ----------

                        I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                        SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                        * Using SpywareBlaster to protect your computer from Spyware and Malware
                        * If you don't know what ActiveX controls are, see here

                        Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                        Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                        Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


chuckaes
                        Re: atapi.sys infected with rootkit
                        « Reply #21 on: February 23, 2010, 05:56:40 PM »
Had the same problem. Use Hitman Pro. Works fantastic to get rid of atapi.sys root....



evilfantasy
                        Re: atapi.sys infected with rootkit
                        « Reply #22 on: February 23, 2010, 06:12:14 PM »
Hitman Pro cannot fix this infection. In fact, there is no AV now that can do it. It takes specialized tools and/or knowledge of how to replace the infected file, which is a legitimate Windows file, and that is why the AVs can't fix it.

                        Kaspersky has developed a tool, TDSSKiller, that will clean and replace the infected atapi.sys file then clean the registry of the TDL3 rootkit. But TDL3 has evolved and that doesn't even work much of the time now. http://support.kaspersky.com/viruses/solutions?qid=208280684
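The two points made in Reply #16 (atapi.sys is a critical file, so the AV will not delete it) and Reply #22 (the rootkit lives inside a legitimate, patched driver, so the fix is to replace the file, not delete it) both come down to one question: is the atapi.sys on disk the genuine one? The script below is an added example, not code from the thread, TDSSKiller or any other tool named here. It hashes a suspect driver against a known-good copy of the same version and, on a mismatch, maps each patched byte range onto the PE section it falls in. Two assumptions are built in: you have a clean reference copy of the identical driver version (same OS, service pack and architecture), and you run the check from outside the infected OS (boot disc or a second machine with the volume mounted), because a TDL3-class rootkit intercepts reads of the driver it patched and returns clean bytes to anything running on the live system. The sample "clean" and "infected" images are constructed in the script so it runs offline; the section chosen for the patch is arbitrary and says nothing about where a real sample puts its code.

```python
"""Offline integrity check for a patched Windows driver such as atapi.sys.

Added example, not code from the forum thread. Run it from a boot disc or a
second OS with the infected volume mounted: on the live system a TDL3-class
rootkit intercepts disk reads of the driver it patched and hands back clean
bytes, so hashing the file there proves nothing. The reference copy must be
the same driver version (same OS, service pack and architecture).
"""
import hashlib
import struct
import sys
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    raw_offset: int  # PointerToRawData
    raw_size: int    # SizeOfRawData

    def contains(self, offset: int) -> bool:
        return self.raw_offset <= offset < self.raw_offset + self.raw_size


def parse_sections(image: bytes) -> list[Section]:
    """Read just enough of the PE headers to map file offsets onto sections."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", image, hdr + 16)
        sections.append(Section(name, raw_off, raw_size))
    return sections


def diff_ranges(reference: bytes, suspect: bytes) -> list[tuple[int, int]]:
    """Half-open byte ranges where suspect differs from reference; a length
    mismatch counts as a difference over the missing or extra tail."""
    ranges, start = [], None
    n = max(len(reference), len(suspect))
    for off in range(n):
        same = off < len(reference) and off < len(suspect) and reference[off] == suspect[off]
        if not same and start is None:
            start = off
        elif same and start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def check_driver(reference: bytes, suspect: bytes) -> dict:
    """Hash both images; on mismatch list each patched range and its section.
    The section table is taken from the clean reference, because the suspect's
    headers may themselves have been tampered with."""
    result = {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "modified": [],
    }
    result["matches"] = result["reference_sha256"] == result["suspect_sha256"]
    if not result["matches"]:
        sections = parse_sections(reference)
        for start, end in diff_ranges(reference, suspect):
            where = next((s.name for s in sections if s.contains(start)), "header/overlay")
            result["modified"].append({"offset": start, "length": end - start, "section": where})
    return result


def build_sample_pe(sections: list[tuple[str, bytes]]) -> bytes:
    """Constructed minimal PE32 image for the demo; it is not a real driver."""
    pe_off, opt_size = 0x40, 0xE0
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    image = bytearray(dos + b"PE\0\0" + coff + b"\0" * opt_size)
    data_off = len(image) + 40 * len(sections)                     # raw data after the table
    body = bytearray()
    for name, data in sections:
        image += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), data_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += data
    return bytes(image + body)


# Constructed sample: a "clean" driver and a copy with 16 bytes overwritten in .rsrc.
CLEAN = build_sample_pe([(".text", b"\x55\x8b\xec\x5d\xc3" * 16),
                         (".rdata", b"clean driver strings\0"),
                         (".rsrc", b"\0" * 64)])
_rsrc = parse_sections(CLEAN)[2]
INFECTED = bytearray(CLEAN)
INFECTED[_rsrc.raw_offset + 8:_rsrc.raw_offset + 24] = b"\xe8" + b"\x90" * 15
INFECTED = bytes(INFECTED)


def check_files(reference_path: str, suspect_path: str) -> dict:
    """Same check on two files, e.g. a clean atapi.sys and the mounted suspect copy."""
    with open(reference_path, "rb") as ref, open(suspect_path, "rb") as sus:
        return check_driver(ref.read(), sus.read())


if __name__ == "__main__":
    report = check_files(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else check_driver(CLEAN, INFECTED)
    print("match" if report["matches"] else "MODIFIED", report["suspect_sha256"])
    for m in report["modified"]:
        print(f"  {m['length']} bytes at file offset 0x{m['offset']:x} in section {m['section']}")
```

Run it with no arguments to see the constructed demo, or as `python check.py <clean atapi.sys> <suspect atapi.sys>` against real files from the mounted volume. The hash comparison alone decides whether the file needs replacing; the section map only tells you where the patch sits, which is useful when writing up the case. Replacing the file, like checking it, has to happen from outside the infected OS, and it does not touch whatever the rootkit left in the registry, which is the other half of what Reply #22 says TDSSKiller attempts.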