infected atapi.sys file?
Received a warning from AVG that atapi.sys had a Trojan horse Rootkit-Agent.EF. Now I can't delete atapi.sys, but I do have a clean file I could use (and registry keys). I was wondering if anyone knew how to replace the old atapi.sys with the new one (cannot find the Windows installation CD).

DO NOT delete it! Your computer will no longer boot.

If you already have ComboFix, be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop.

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double-click combofix.exe and follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished, ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix.

Thanks for the reply. Here is the ComboFix log (I had already downloaded the version from where you suggested earlier today).

ComboFix 10-02-19.04 - Owner 0-Feb-2010 15:25:29.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\BITS
c:\documents and settings\Owner\Application Data\BITS\BITS.ini
c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat
c:\documents and settings\Owner\Application Data\BITS\pl.dat
c:\documents and settings\Owner\Application Data\BITS\ProxyList.ini
c:\documents and settings\Owner\Application Data\FlashGetBHO
c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\Owner\Start Menu\Programs\Mafia
C:\Documents
C:\System
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\Mafia
c:\windows\struct~.ini
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\system32\secustat.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_MESSAGE_SERVICE


((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 10:14 . 2010-02-20 10:14  --------  d-----w-  C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14  --------  d-----w-  c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14  --------  d-----w-  c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 . 2010-02-08 23:57  --------  d---a-w-  c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 22:20 . 2010-02-08 22:20  --------  d-----w-  c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 22:20 . 2010-02-08 22:20  --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 22:20 . 2010-01-07 16:07  19160  ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-02-08 22:20 . 2010-02-08 22:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2010-02-08 20:54 . 2010-02-09 10:08  --------  d-----w-  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 13:45 . 2010-02-08 20:54  --------  d-----w-  c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-03 13:31 . 2010-02-03 13:32  --------  d-----w-  c:\documents and settings\Owner\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 15:10 . 2009-11-11 09:40  --------  d-----w-  c:\documents and settings\Owner\Application Data\vlc
2010-02-20 10:14 . 2003-01-01 10:50  --------  d--h--w-  c:\program files\InstallShield Installation Information
2010-02-17 11:50 . 2007-10-01 13:18  --------  d-----w-  c:\documents and settings\Owner\Application Data\uTorrent
2010-02-16 23:07 . 2006-08-26 22:08  --------  d-----w-  c:\documents and settings\Owner\Application Data\NCH Swift Sound
2010-02-13 13:12 . 2004-04-22 17:38  --------  d-----w-  c:\program files\Common Files\Adobe
2010-02-06 19:46 . 2009-12-13 10:19  --------  d-----w-  c:\program files\The KMPlayer
2010-02-03 16:51 . 2003-01-01 10:05  --------  d-----w-  c:\program files\HP
2010-02-03 13:31 . 2003-01-01 10:05  --------  d-----w-  c:\program files\Hewlett-Packard
2010-02-03 13:21 . 2004-04-23 07:27  55176  -c--a-w-  c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-02-06 17:05  916480  ----a-w-  c:\windows\system32\wininet.dll
2009-11-27 14:17 . 2009-11-27 14:17  134072  ----a-w-  c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 13:52 . 2009-11-27 13:52  721904  ----a-w-  c:\windows\system32\drivers\sptd.sys
2006-02-21 14:59 . 2006-02-21 14:59  524300  -c--a-w-  c:\program files\position.bin
2005-02-25 20:21 . 2005-02-25 20:21  1179648  -c--a-w-  c:\program files\book.bin
2004-05-06 12:11 . 2005-02-07 10:36  777  -c--a-w-  c:\program files\trial_setup.ini
2004-04-23 14:22 . 2004-04-23 14:22  0  -csha-w-  c:\windows\SMINST\HPCD.sys
2005-06-11 13:14 . 2005-03-24 10:58  56  -csh--r-  c:\windows\system32\71E772F4EB.sys
2005-07-14 18:31 . 2006-05-24 16:37  27648  -csha-w-  c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 . 2006-05-08 17:07  616448  -csha-r-  c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37  45568  -csha-r-  c:\windows\system32\cygz.dll
2006-08-04 08:30 . 2004-08-13 21:52  13146  -csha-w-  c:\windows\system32\KGyGaAvL.sys

.
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-08-19 . DE891AD282E856ACFD40990094A63B6F . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:12  1119488  ----a-w-  c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-10 22:43  12464  ----a-w-  c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^启动飞速土豆.lnk]
backup=c:\windows\pss\启动飞速土豆.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TudouVAStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
2003-01-01 11:13  159744  -c--a-w-  c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57  948672  ----a-r-  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57  35760  ----a-w-  c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12  15360  ------w-  c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07  114688  ----a-w-  c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02  61440  ----a-w-  c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19  159744  -c--a-w-  c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05  200704  -c--a-w-  c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:19  98304  -c--a-w-  c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28  577536  ----a-w-  c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43  83608  -c--a-w-  c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-goxtRTinQ - setrsptb.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-xFEj33O - shlhupnp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sprz.sys >>UNKNOWN [0x82EA8938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-20 15:48:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 15:48

Pre-Run: 31,553,204,224 bytes free
Post-Run: 31,483,396,096 bytes free

- - End Of File - - C3400B7FC6FEF597D794892895B05586

Please go to Jotti's malware scan. (If more than one file needs scanning, they must be done separately and logs posted for each one.)
* Copy the file path in the below code box:
Code:
c:\windows\system32\drivers\xrhdbctp.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file.
* Your file will possibly be entered into a queue, which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus-scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, copy and then paste the link in the address bar into your next reply.

Also scan this file and post the link to the results.
Code:
c:\windows\system32\drivers\etqmhlnl.sys

----------

Download GMER Rootkit Detector and save it to your desktop.
* EXTRACT it to your desktop and double-click GMER.exe.
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning is in progress!
* When scanning is finished, click Copy.
* This copies the log to the clipboard.
* Post the log in your reply.

Tried doing what you suggested, but on that website it just says that I've specified one or more files that could not be found. Those two files don't exist any more. I have no idea why; searching for them only finds C:\WINDOWS\system32\MpEngineStore\RebootActions\xrhdbctp.dat. I did a check on this file path: http://virusscan.jotti.org/en-GB/scanresult/90cfb4f593083172c1c9abf7cb5d557ebb7c7dd7. The second one is exactly the same, C:\WINDOWS\system32\MpEngineStore\RebootActions\etqmhlnl.dat: http://virusscan.jotti.org/en-GB/scanresult/237b4d2126087569093d75d59bfbed8e07d3ece1. Both scans reveal nothing found. As for the GMER log, I have started the scan; hopefully it won't take much longer. Will post the log shortly. Thanks for your help, it's much appreciated!

How is the GMER scan coming? Be sure to do this:
Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".

OK, so while I was doing the GMER scan the power for the whole neighbourhood went out. Great. Now, eventually, here is the log. Obvious issue with atapi.sys, which I'm still getting warnings about. Hope you can help (will be offline for a few hours while I get some sleep, 2am in the UK).

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 01:46:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT  spit.sys  ZwCreateKey [0xF837E0E0]
SSDT  spit.sys  ZwEnumerateKey [0xF839CCA4]
SSDT  spit.sys  ZwEnumerateValueKey [0xF839D032]
SSDT  spit.sys  ZwOpenKey [0xF837E0C0]
SSDT  spit.sys  ZwQueryKey [0xF839D10A]
SSDT  spit.sys  ZwQueryValueKey [0xF839CF8A]
SSDT  spit.sys  ZwSetValueKey [0xF839D19C]

INT 0x62  ?  82EF6BF8
INT 0x82  ?  82EF6BF8
INT 0x83  ?  82C4CBF8
INT 0xA4  ?  82C4CBF8
INT 0xB4  ?  82C4CBF8

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + 169  804E27C5 3 Bytes  [CC, 39, F8] {INT 3 ; CMP EAX, EDI}
?  spit.sys  The system cannot find the file specified. !
.rsrc  C:\WINDOWS\system32\drivers\atapi.sys  entry point in ".rsrc" section [0xF83057A4]
.text  USBPORT.SYS!DllUnload  F78588AC 5 Bytes  JMP 82C4C1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  82EF82D8
IAT  pci.sys[ntoskrnl.exe!IoDetachDevice]  [F83AFC4C] spit.sys
IAT  pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  [F83AFCA0] spit.sys
IAT  \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  82C4C2D8
IAT  \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F838EE9C] spit.sys

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  82EF51F8
Device  \FileSystem\Fastfat \FatCdrom  82C041F8
AttachedDevice  \Driver\Tcpip \Device\Ip  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device  \Driver\NetBT \Device\NetBT_Tcpip_{B9CCBD70-9E0C-484E-9FF4-5963A29B4F59}  82B16500
Device  \Driver\usbuhci \Device\USBPDO-0  82C4B1F8
Device  \Driver\usbuhci \Device\USBPDO-1  82C4B1F8
Device  \Driver\usbuhci \Device\USBPDO-2  82C4B1F8
Device  \Driver\usbehci \Device\USBPDO-3  82C29500
Device  \Driver\NetBT \Device\NetBT_Tcpip_{FD9B5674-C527-4B71-ABEA-C86624BE26AD}  82B16500
AttachedDevice  \Driver\Tcpip \Device\Tcp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device  \Driver\prodrv06 \Device\ProDrv06  E1D06008
Device  \Driver\Ftdisk \Device\HarddiskVolume1  82E891F8
Device  \Driver\Ftdisk \Device\HarddiskVolume2  82E891F8
Device  \Driver\Cdrom \Device\CdRom0  82B431F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device  \Driver\atapi \Device\Ide\IdePort0  [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort0  prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device  \Driver\atapi \Device\Ide\IdePort1  [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1  prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e  [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e  prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device  \Driver\prohlp02 \Device\ProHlp02  E1008360
Device  \Driver\NetBT \Device\NetBt_Wins_Export  82B16500
Device  \Driver\NetBT \Device\NetbiosSmb  82B16500
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 82C4B1F8
Device \Driver\usbuhci \Device\USBFDO-1 82C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 829581F8
Device \Driver\usbuhci \Device\USBFDO-2 82C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 829581F8
Device \Driver\usbehci \Device\USBFDO-3 82C29500
Device \Driver\Ftdisk \Device\FtControl 82E891F8
Device \FileSystem\Fastfat \Fat 82C041F8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 823DB1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[emailprotected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[emailprotected] 0x58 0x00 0x6B 0x85 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Hope you can help (will be offline for a few hours while I get some sleep; 2am in the UK).

No worries. Get some rest so you can have a clear head. I'll be around whenever you get back to it.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
FCopy::
c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

----------

Next post please add:
Tried doing the RootRepeal exactly as you showed, but a grey block comes up saying "please wait, initializing". This stays the same for over 20 mins (I gave up); the page file maxes out and CPU usage is 100% for all this time. So maybe I need to be more patient, but it seemed unnecessary to hog so much resources for all that time (could have gone on forever). I hope you can tell me if there's anything else I can do as an alternative, and whether the ComboFix log below shows up any other problems. Thanks again.

ComboFix 10-02-19.04 - Owner 1-Feb-2010 9:37.2.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys
c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.
2010-02-21 09:27 . 2004-08-04 05:00 95360 ----a-w- C:\atapi.sys
2010-02-20 16:06 . 2010-02-20 16:06 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG9
2010-02-20 10:14 . 2010-02-20 10:14 -------- d-----w- C:\Team17
2010-02-16 23:05 . 2010-02-17 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 23:05 . 2010-02-17 00:14 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-08 23:56 . 2010-02-08 23:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-02-08 23:24 .
2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software 2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-20 19:03 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc 2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information 2010-02-17 11:50 . 2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent 2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound 2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe 2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer 2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP 2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard 2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-21 19:14 . 
2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll 2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-11-27 13:52 . 2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys 2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin 2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin 2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini 2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys 2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys 2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll 2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll 2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll 2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk] 
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk] backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk] backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton] 2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-22 01:5735760----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:1215360------w-c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2003-04-07 07:07114688----a-w-c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] 2003-02-11 20:0261440----a-w-c:\hp\KBD\kbd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler] 2004-01-28 08:19159744-c--a-w-c:\program files\Saitek\Software\Profiler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2007-08-07 00:05200704-c--a-w-c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart] 2004-01-28 08:1998304-c--a-w-c:\program files\Saitek\Software\SaiSmart.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2007-04-16 15:28577536----a-w-c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-03-14 03:4383608-c--a-w-c:\program files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "UserAccess7"=2 (0x2) "MDM"=2 (0x2) "Net message Service"=2 (0x2) "KService"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) "WLSetupSvc"=3 (0x3) "idsvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe "ctfmon.exe"=c:\windows\system32\CTFMON.EXE "NVIEW"=rundll32.exe nview.dll,nViewLoadHook [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect "AlcxMonitor"=ALCXMNTR.EXE "HPHmon05"=c:\windows\System32\hphmon05.exe "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"= "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"= "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= 
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\Opera\\opera.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7354:TCP"= 7354:TCP:ppLive "6461:UDP"= 6461:UDP:ppLive "21780:TCP"= 21780:TCP:BitComet 21780 TCP "21780:UDP"= 21780:UDP:BitComet 21780 UDP "6881:TCP"= 6881:TCP:BitComet 6881 TCP "6881:UDP"= 6881:UDP:BitComet 6881 UDP R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392] R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656] R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936] R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456] S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?] S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704] S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?] . 
Contents of the 'Scheduled Tasks' folder 2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05] 2009-04-08 c:\windows\Tasks\shutdown.job - c:\windows\system32\shutdown.exe [2003-01-01 00:12] 2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.ask.com?o=15187&l=dis uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://srch-qgb10.hpwis.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s Trusted Zone: apple.com\phobos Trusted Zone: apple.com\www Trusted Zone: barclaycard.co.uk\www Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com Trusted Zone: capitalfm.com\www Trusted Zone: denness.net\tracker Trusted Zone: is-software-download.com Trusted Zone: is-software-download25.com Trusted Zone: is10-soft-download.com Trusted Zone: mlb.com\mlb Trusted Zone: buy-internetsecurity10.com Trusted Zone: buy-is2010.com DPF: Microsoft XML Parser for Java DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-21 09:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82EF61F8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28 \Driver\ACPI -> ACPI.sys @ 0xf833dcb8 \Driver\atapi -> prosync1.sys @ 0xf89a76c1 IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008] "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games" "ShortlistDir"="" "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008" "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\" "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points" "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat" "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm" "Language"="English" "LoadLangDB"=dword:00000001 "CompressHistoryPoints"=dword:00000000 "HighlightedAttributes"=dword:00000000 "MinCondition"=dword:00000032 "SkinID"=dword:00000001 "LastUpdateCheck"=dword:00000000 "HighQualityGUI"=dword:00000001 
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21 09:57:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 09:57
ComboFix2.txt 2010-02-20 15:48

Pre-Run: 31,761,469,440 bytes free
Post-Run: 31,720,009,728 bytes free

- - End Of File - - 7325B3571794845FC4525A152B369C4A

I left something out of the fix. Sorry...

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
Driver::
etqmhlnl
xrhdbctp
DDS::
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\www
Trusted Zone: barclaycard.co.uk\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: capitalfm.com\www
Trusted Zone: denness.net\tracker
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: mlb.com\mlb
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

OK, so here is the latest ComboFix log:

ComboFix 10-02-19.04 - Owner 1-Feb-2010 19:17:47.3.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_etqmhlnl
-------\Service_xrhdbctp

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.
2010-02-21 10:12 .
2010-02-21 10:13--------d-----w-C:\RootRepeal 2010-02-21 09:27 . 2004-08-04 05:0095360----a-w-C:\atapi.sys 2010-02-20 16:06 . 2010-02-20 16:06--------d-----w-c:\documents and settings\Owner\Application Data\AVG9 2010-02-20 10:14 . 2010-02-20 10:14--------d-----w-C:\Team17 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\documents and settings\All Users\Application Data\NCH Swift Sound 2010-02-16 23:05 . 2010-02-17 00:14--------d-----w-c:\program files\NCH Swift Sound 2010-02-08 23:56 . 2010-02-08 23:56--------d-----w-c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert 2010-02-08 23:24 . 2010-02-08 23:57--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\Owner\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0738224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-08 22:20 . 2010-01-07 16:0719160----a-w-c:\windows\system32\drivers\mbam.sys 2010-02-08 22:20 . 2010-02-08 22:20--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2010-02-08 20:54 . 2010-02-09 10:08--------d-----w-c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-02-03 13:45 . 2010-02-08 20:54--------d-----w-c:\documents and settings\All Users\Application Data\TuneUp Software 2010-02-03 13:31 . 2010-02-03 13:32--------d-----w-c:\documents and settings\Owner\Application Data\HpUpdate . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-21 19:08 . 2009-11-11 09:40--------d-----w-c:\documents and settings\Owner\Application Data\vlc 2010-02-20 10:14 . 2003-01-01 10:50--------d--h--w-c:\program files\InstallShield Installation Information 2010-02-17 11:50 . 
2007-10-01 13:18--------d-----w-c:\documents and settings\Owner\Application Data\uTorrent 2010-02-16 23:07 . 2006-08-26 22:08--------d-----w-c:\documents and settings\Owner\Application Data\NCH Swift Sound 2010-02-13 13:12 . 2004-04-22 17:38--------d-----w-c:\program files\Common Files\Adobe 2010-02-06 19:46 . 2009-12-13 10:19--------d-----w-c:\program files\The KMPlayer 2010-02-03 16:51 . 2003-01-01 10:05--------d-----w-c:\program files\HP 2010-02-03 13:31 . 2003-01-01 10:05--------d-----w-c:\program files\Hewlett-Packard 2010-02-03 13:21 . 2004-04-23 07:2755176-c--a-w-c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-31 16:50 . 2003-01-01 15:41353792----a-w-c:\windows\system32\drivers\srv.sys 2009-12-21 19:14 . 2004-02-06 17:05916480------w-c:\windows\system32\wininet.dll 2009-12-16 18:43 . 2003-01-01 22:38343040----a-w-c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2003-01-01 22:3733280----a-w-c:\windows\system32\csrsrv.dll 2009-12-08 19:27 . 2003-01-01 22:382189184------w-c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2002-08-29 08:042066048------w-c:\windows\system32\ntkrnlpa.exe 2009-12-04 18:22 . 2003-01-01 15:40455424----a-w-c:\windows\system32\drivers\mrxsmb.sys 2009-11-27 17:11 . 2003-05-30 16:001291776----a-w-c:\windows\system32\quartz.dll 2009-11-27 17:11 . 2003-01-01 09:3217920----a-w-c:\windows\system32\msyuv.dll 2009-11-27 16:07 . 2003-01-01 22:3828672----a-w-c:\windows\system32\msvidc32.dll 2009-11-27 16:07 . 2001-08-18 05:368704----a-w-c:\windows\system32\tsbyuv.dll 2009-11-27 16:07 . 2003-01-01 22:3811264----a-w-c:\windows\system32\msrle32.dll 2009-11-27 16:07 . 2003-01-01 22:3684992----a-w-c:\windows\system32\avifil32.dll 2009-11-27 16:07 . 2001-08-18 05:3648128----a-w-c:\windows\system32\iyuv_32.dll 2009-11-27 14:17 . 2009-11-27 14:17134072----a-w-c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-11-27 13:52 . 
2009-11-27 13:52721904----a-w-c:\windows\system32\drivers\sptd.sys 2006-02-21 14:59 . 2006-02-21 14:59524300-c--a-w-c:\program files\position.bin 2005-02-25 20:21 . 2005-02-25 20:211179648-c--a-w-c:\program files\book.bin 2004-05-06 12:11 . 2005-02-07 10:36777-c--a-w-c:\program files\trial_setup.ini 2004-04-23 14:22 . 2004-04-23 14:220-csha-w-c:\windows\SMINST\HPCD.sys 2005-06-11 13:14 . 2005-03-24 10:5856-csh--r-c:\windows\system32\71E772F4EB.sys 2005-07-14 18:31 . 2006-05-24 16:3727648-csha-w-c:\windows\system32\AVSredirect.dll 2005-06-26 21:32 . 2006-05-08 17:07616448-csha-r-c:\windows\system32\cygwin1.dll 2005-06-22 04:37 . 2006-05-24 16:3745568-csha-r-c:\windows\system32\cygz.dll 2006-08-04 08:30 . 2004-08-13 21:5213146-csha-w-c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 12:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] 
"PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Shortcut to avgtray.exe.lnk - c:\program files\AVG\AVG9\avgtray.exe [2009-11-10 2033432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-10 22:4312464----a-w-c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProvidersmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk] backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk] backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk] backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton] 2003-01-01 11:13159744-c--a-w-c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 15:57948672----a-r-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2004-01-28 08:19 159744 -c--a-w- c:\program files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 -c--a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
2004-01-28 08:19 98304 -c--a-w- c:\program files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43 83608 -c--a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UserAccess7"=2 (0x2)
"MDM"=2 (0x2)
"Net message Service"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
"ctfmon.exe"=c:\windows\system32\CTFMON.EXE
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"AlcxMonitor"=ALCXMNTR.EXE
"HPHmon05"=c:\windows\System32\hphmon05.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7354:TCP"= 7354:TCP:ppLive
"6461:UDP"= 6461:UDP:ppLive
"21780:TCP"= 21780:TCP:BitComet 21780 TCP
"21780:UDP"= 21780:UDP:BitComet 21780 UDP
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

2009-04-08 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-01-01 00:12]

2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qgb10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
"HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:00000056
"WindowHeight"=dword:0000026d
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:0000004a
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1048)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2010-02-21 19:37:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 19:37
ComboFix2.txt 2010-02-21 09:57
ComboFix3.txt 2010-02-20 15:48

Pre-Run: 29,495,021,568 bytes free
Post-Run: 29,456,936,960 bytes free

- - End Of File - - 7DAE080EA2C29390E10A5EC440EFD8CC

Hopefully we are about done.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the Run box
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

The above procedure will:
* Delete the following:
  * ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer.
If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan
* Click the ESET Online Scanner button.
* For ALTERNATE browsers only: (Microsoft Internet Explorer users can skip these steps)
  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.
* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

This is the ESET scan log:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir    Win32/Olmarik.RF virus    deleted - quarantined

So I checked the box to have ESET remove this quarantined file. The ComboFix uninstall didn't seem to get rid of Qoobox, so I guess I should just delete the Qoobox folder. Is there anything else I need to do? Thanks again for the help.

Yes, you can delete the Qoobox folder manually. It isn't removed automatically like the other files are.

Final suggestions.

Use the Secunia Software Inspector to check for out of date software.
* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.
----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer, and I strongly suggest you update to the latest version directly from Microsoft: Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a RISKY website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
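The part of the ComboFix log above that actually shows this infection is the "detected MBR rootkit hooks" table from Gmer's Stealth MBR detector: the dispatch routine of \Driver\atapi points into prosync1.sys instead of atapi.sys, and the disk I/O call chain contains a module Gmer cannot name (>>UNKNOWN [0x82E881F8]<<). The ESET result later confirms the quarantined atapi.sys as Win32/Olmarik.RF. As an added example, not code from this thread or from Gmer or ComboFix, the Python below parses that hook table and flags entries whose owning module is not the one expected on a stock Windows XP system. The EXPECTED_OWNER allowlist is an assumption of the example, and SAMPLE_REPORT is constructed from the log lines above.

```python
"""Flag suspicious driver hooks in a Gmer 'Stealth MBR rootkit detector' report.

Added example, not code from the thread or from Gmer/ComboFix. The allowlist is
an assumption for a stock Windows XP system; the sample report is constructed
from the hook table in the ComboFix log above.
"""
import re

# Constructed sample: the relevant lines of the MBR detector section above.
SAMPLE_REPORT = r"""
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
user & kernel MBR OK
"""

# Assumed allowlist: which image should own each driver object's dispatch
# routines on a clean XP box. A hook landing anywhere else is how a disk-level
# rootkit that has replaced atapi.sys shows up in this report.
EXPECTED_OWNER = {
    r"\Driver\Disk": {"classpnp.sys", "disk.sys"},
    r"\Driver\ACPI": {"acpi.sys"},
    r"\Driver\atapi": {"atapi.sys"},
}
KNOWN_KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll"} | set().union(*EXPECTED_OWNER.values())

# Hook line shape: "<object> [-> <routine>] -> <module> @ <address>"
HOOK_RE = re.compile(
    r"^(?P<obj>\S+?)(?: -> (?P<routine>[A-Za-z]+))? -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_hooks(report):
    """Return the entries listed under 'detected MBR rootkit hooks:' as dicts."""
    hooks, in_table = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("detected MBR rootkit hooks:"):
            in_table = True
            continue
        if in_table:
            m = HOOK_RE.match(line)
            if m:
                hooks.append(m.groupdict())
    return hooks


def unknown_modules(report):
    """Addresses Gmer could not map to a named module in the disk I/O call chain."""
    for line in report.splitlines():
        if line.startswith("called modules:"):
            return UNKNOWN_RE.findall(line)
    return []


def analyze(report):
    """Return (object, module, reason) triples for everything worth a second look."""
    findings = [("called modules", addr, "unnamed code in the disk I/O call chain")
                for addr in unknown_modules(report)]
    for h in parse_hooks(report):
        module = h["module"].lower()
        expected = EXPECTED_OWNER.get(h["obj"])
        if expected is not None and module not in expected:
            findings.append((h["obj"], h["module"],
                             "dispatch routine owned by an unexpected module; expected "
                             + ", ".join(sorted(expected))))
        elif expected is None and module not in KNOWN_KERNEL_MODULES:
            findings.append((h["obj"], h["module"],
                             "routine points outside the known kernel modules"))
    return findings


if __name__ == "__main__":
    for obj, module, reason in analyze(SAMPLE_REPORT):
        print("SUSPICIOUS  %-24s %-14s %s" % (obj, module, reason))
```

Run against the sample it reports exactly the two anomalies a responder would pull from this log: the unnamed module at 0x82E881F8 and the atapi dispatch routine living in prosync1.sys. The Disk and ACPI hooks and the two ParseProcedure entries resolve to their expected images and stay quiet, which is the point of keeping an explicit allowlist rather than alerting on every line Gmer prints under "hooks".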