I get a message from AVG saying my System32\atapi.sys file is a Trojan Rootkit Pakes U virus. Object is whitelisted. I understand others have had this problem, so I already have a combofix log.

Welcome to CH.
If you already have Malwarebytes be sure to update it before running the scan!
Download Malwarebytes' Anti-Malware (MBAM)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:
  * Update Malwarebytes' Anti-Malware
  * Launch Malwarebytes' Anti-Malware
* Then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
----------
Ok THANKS for the help, here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 6.0.6001 Service Pack 1

11/2/2009 8:22:47 PM
mbam-log-2009-11-02 (20-22-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 259855
Time elapsed: 1 hour(s), 19 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected:
C:\Program Files\Samsung\Samsung PC Studio 3\Update\util\UnZipTemp\SMSMoveD500.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\Samsung\Samsung PC Studio 3\Update\util\UnZipTemp\SMSMoveX800.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\Samsung\Samsung PC Studio 3\Update\util\UnZipTemp\SMSMoveZ510.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\Samsung\Samsung PC Studio 3\util\SMSMoveD500.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\Samsung\Samsung PC Studio 3\util\SMSMoveX800.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Program Files\Samsung\Samsung PC Studio 3\util\SMSMoveZ510.exe (Worm.Koobface) -> Quarantined and deleted successfully.
As for the file find, I can search for the atapi.sys file and I get an error when I try to export. I can't read the full file names too because the box won't scroll over. But this is what I can see:

C:\Windows\SoftwareDistribution\Download...
C:\Windows\System32\drivers\atapi.sys - 21...
C:\Windows\System32\DriverStore\File...
Same thing again
C:\Windows\winsxs\x86_mshdc.inf_31bf385 (3 of these)
8 files total

But then I get an error when I try to export...
Run Time error '75': Path/File access error

If you already have ComboFix be sure to delete it and download a new copy.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have PROBLEMS with ComboFix usage, see How to use ComboFix

ok here it is:

ComboFix 09-11-03.03 - Griffin 11/03/2009 23:10.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3070.2094 [GMT -8:00]
Running from: c:\users\Griffin\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 ))))))))))))))))))))))))))))))) .
------- Sigcheck -------
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[7] 2008-08-01 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[-] 2008-01-19 07:41 . 0FFE6A920BFA532E893A7714BC44E9C5 . 21560 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{447E64C2-C073-4C31-9D1F-FF37219C8524}]
2009-10-12 07:50 118983 ----a-w- c:\windows\zAdBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 20:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Griffin\Program Files\DNA\btdna.exe" [2009-10-15 323392]
"Steam"="c:\program files\Steam\Steam.exe" [2009-10-26 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-04 865840]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Griffin\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2008-05-02 307200]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-02 2010904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-25 4444160]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001
R0 pf2apj8b;FlatOut File System Driver (pf2apj8b);c:\windows\System32\drivers\pf2apj8b.sys [11/27/2007 5:52 AM 83568]
R1 AvgLdx86;AVG FREE AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/13/2009 7:04 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/13/2009 7:04 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/2/2009 3:38 PM 285392]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [6/11/2007 4:05 PM 7168]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [5/26/2009 2:50 PM 4232704]
S2 pr2apj8b;FlatOut Drivers Auto Removal (pr2apj8b);c:\windows\system32\pr2apj8b.exe svc --> c:\windows\system32\pr2apj8b.exe svc [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] c:\windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Griffin\AppData\Roaming\Mozilla\Firefox\Profiles\3t9l20jv.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\Griffin\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 23:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855211F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x855211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\S-1-5-21-3074739374-1649422935-3759921920-1003\Software\SecuROM\License information*] "datasecu"=hex:8c,32,87,11,1d,ea,a8,82,51,a6,66,74,4e,4c,d0,5f,b8,f0,f5,96,3f, 16,66,2e,3a,87,64,6e,ce,bf,77,0d,b2,59,59,20,f2,c8,44,1e,ff,08,9d,3e,56,ba,\ "rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
- - - - - - - > 'Explorer.exe'(5016)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-11-04 23:19
ComboFix-quarantined-files.txt 2009-11-04 07:19
ComboFix2.txt 2009-11-02 22:53
Pre-Run: 48,110,321,664 bytes free Post-Run: 48,300,666,880 bytes free
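An added illustration, not part of this thread or of Gmer's tool: the security-relevant finding in the log above is the "Stealth MBR rootkit" block, and it is easy to misread. "user & kernel MBR OK" means both reads of the boot sector came back clean; the actual finding is the line under "detected MBR rootkit hooks:", which says the atapi driver object is hooked from an unknown in-memory module. The tool's generic "fixmbr" advice does nothing for that case, which is why the fix in the next reply replaces the driver file instead. The script below parses both detector blocks quoted in this thread (the second appears further down, after the atapi.sys was restored from the DriverStore) and compares them by driver name rather than by address, since the hook address is a kernel pool address that changes between boots. The function names, the labels returned by classify(), and the regular expressions are this example's own assumptions; only the two quoted scan outputs come from the thread.

```python
import re

# Both Gmer "Stealth MBR rootkit/Mebroot/Sinowal detector" blocks quoted in this
# thread: the first from the 2009-11-03 ComboFix run, the second from the
# 2009-11-04 run made after atapi.sys had been replaced with the DriverStore copy.
SCAN_BEFORE = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855211F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x855211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

SCAN_AFTER = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x853211F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x853211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Regexes are assumptions about the output format seen in this thread.
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s*->\s*0x([0-9a-fA-F]+)\s*$", re.MULTILINE)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")


def parse_mbr_scan(text):
    """Turn one detector block into a dict of the facts that matter."""
    return {
        "mbr_ok": "user & kernel MBR OK" in text,
        "warning": "possible MBR rootkit infection" in text,
        # (driver object name, hooked address) pairs under "detected MBR rootkit hooks:"
        "hooks": [(drv, int(addr, 16)) for drv, addr in HOOK_RE.findall(text)],
        # modules in the disk I/O path that the tool could not attribute to a driver file
        "unknown_modules": [int(a, 16) for a in UNKNOWN_RE.findall(text)],
    }


def classify(scan):
    """Label the scan. The labels are this example's own, not Gmer's."""
    if not scan["mbr_ok"]:
        return "mbr-infected"   # the tool did not report both MBR reads as clean
    if scan["hooks"] or scan["unknown_modules"]:
        return "driver-hook"    # boot sector clean; a disk-stack driver is patched in memory
    return "clean"


def fixmbr_would_help(scan):
    """fixmbr rewrites the boot sector only. With both MBR reads OK and a driver
    hook as the finding, rewriting the MBR changes nothing; the driver file on
    disk is what has to be replaced (as the FCopy:: step in this thread does)."""
    return not scan["mbr_ok"]


def compare(before, after):
    """Compare two scans by hooked driver name only. The address after '->' is a
    kernel-mode pool address that differs from boot to boot, so a changed number
    on its own is not evidence that the infection was removed."""
    b = {drv for drv, _ in before["hooks"]}
    a = {drv for drv, _ in after["hooks"]}
    return {"persisting": sorted(a & b), "removed": sorted(b - a), "new": sorted(a - b)}


if __name__ == "__main__":
    before, after = parse_mbr_scan(SCAN_BEFORE), parse_mbr_scan(SCAN_AFTER)
    print("verdict:", classify(before), "| fixmbr useful:", fixmbr_would_help(before))
    print("after driver replacement:", compare(before, after))
```

Run as-is it reports the first scan as a driver hook with the MBR clean, and reports \Driver\atapi as still hooked in the second scan even though the address moved from 0x855211f8 to 0x853211f8; only the hooked driver name is a stable indicator across reboots.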
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
pr2apj8b

FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys | c:\windows\System32\drivers\atapi.sys

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
----------
RootRepeal - Rootkit Detector
* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
----------
alrighty, here they are:

ComboFix 09-11-03.03 - Griffin 11/04/2009 10:12.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3070.1837 [GMT -8:00]
Running from: c:\users\Griffin\Desktop\ComboFix.exe
Command switches used :: c:\users\Griffin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
.
--------------- FCopy ---------------
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_pr2apj8b
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 ))))))))))))))))))))))))))))))) .
2009-11-04 18:22 . 2009-11-04 18:24--------d-----w-c:\users\Griffin\AppData\Local\temp 2009-11-04 18:22 . 2009-11-04 18:22--------d-----w-c:\users\Public\AppData\Local\temp 2009-11-04 18:22 . 2009-11-04 18:22--------d-----w-c:\users\Default\AppData\Local\temp 2009-11-02 23:38 . 2009-11-02 23:41--------d-----w-C:\$AVG 2009-11-02 23:38 . 2009-11-02 23:38--------d-----w-c:\programdata\avg9 2009-10-29 01:07 . 2009-09-10 15:21310784----a-w-c:\windows\system32\unregmp2.exe 2009-10-29 01:07 . 2009-09-10 15:218147456----a-w-c:\windows\system32\wmploc.DLL 2009-10-16 04:21 . 2009-10-16 04:21--------d-----w-c:\program files\Common Files\DivX Shared 2009-10-16 04:16 . 2009-10-16 04:16--------d-----w-c:\program files\ffdshow 2009-10-14 23:00 . 2009-09-10 17:30213504----a-w-c:\windows\system32\msv1_0.dll 2009-10-14 23:00 . 2009-08-05 14:223597896----a-w-c:\windows\system32\ntkrnlpa.exe 2009-10-14 23:00 . 2009-08-05 14:223546184----a-w-c:\windows\system32\ntoskrnl.exe 2009-10-14 18:23 . 2009-10-14 18:23--------d-----w-c:\windows\SQL9_KB970892_ENU 2009-10-14 04:21 . 2009-10-14 04:21--------d-----w-c:\users\Griffin\AppData\Local\AVG Security Toolbar 2009-10-14 03:04 . 2009-11-02 23:38360584----a-w-c:\windows\system32\drivers\avgtdix.sys 2009-10-14 03:04 . 2009-11-02 23:3812464----a-w-c:\windows\system32\avgrsstx.dll 2009-10-14 03:04 . 2009-11-02 23:38333192----a-w-c:\windows\system32\drivers\avgldx86.sys 2009-10-14 03:04 . 2009-11-02 23:3828424----a-w-c:\windows\system32\drivers\avgmfx86.sys 2009-10-14 03:04 . 2009-11-04 18:07--------d-----w-c:\windows\system32\drivers\Avg 2009-10-14 03:04 . 2009-10-14 03:05--------d-----w-c:\programdata\AVG Security Toolbar 2009-10-14 03:04 . 2009-11-02 23:38--------d-----w-c:\program files\AVG 2009-10-14 02:46 . 2009-10-14 02:46--------d-----w-c:\programdata\McAfee 2009-10-14 02:33 . 2009-09-04 12:2461440----a-w-c:\windows\system32\msasn1.dll 2009-10-14 02:33 . 2009-09-14 09:44144896----a-w-c:\windows\system32\drivers\srv2.sys 2009-10-14 02:33 . 
2009-04-02 12:37604672----a-w-c:\windows\system32\WMSPDMOD.DLL 2009-10-13 21:36 . 2009-10-13 21:36--------d-----w-c:\program files\Griffin 2009-10-13 16:45 . 2009-10-13 19:16--------d-----w-c:\programdata\SITEguard 2009-10-13 16:44 . 2009-10-15 16:01--------d-----w-c:\programdata\STOPzilla! 2009-10-13 16:44 . 2009-10-13 16:44--------d-----w-c:\program files\Common Files\iS3 2009-10-13 02:00 . 2009-10-13 02:00--------d-----w-c:\windows\CheckSur 2009-10-13 00:24 . 2009-10-13 00:24--------d-----w-c:\users\Griffin\AppData\Roaming\Malwarebytes 2009-10-12 23:44 . 2009-10-12 23:44--------d-----w-c:\program files\Common Files\Wise Installation Wizard 2009-10-12 23:23 . 2009-10-12 23:23--------d-sh--w-c:\windows\system32\%APPDATA% 2009-10-12 23:22 . 2009-09-10 21:5438224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-12 23:22 . 2009-10-13 21:37--------d-----w-c:\program files\g1pictures 2009-10-12 23:22 . 2009-10-12 23:22--------d-----w-c:\programdata\Malwarebytes 2009-10-12 23:22 . 2009-09-10 21:5319160----a-w-c:\windows\system32\drivers\mbam.sys 2009-10-12 23:19 . 2009-10-12 23:190----a-w-c:\windows\nsreg.dat 2009-10-12 18:54 . 2009-10-12 18:54--------d-----w-c:\programdata\WindowsSearch 2009-10-12 17:50 . 2009-10-14 02:08--------d-----w-c:\users\Griffin\AppData\Local\AntivirusPro_2010 2009-10-12 07:50 . 2009-10-12 07:50118983----a-w-c:\windows\zAdBHO.dll 2009-10-12 07:19 . 2009-10-12 07:1922328----a-w-c:\windows\system32\drivers\PnkBstrK.sys 2009-10-12 07:18 . 2009-10-12 07:18107832----a-w-c:\windows\system32\PnkBstrB.exe 2009-10-12 07:18 . 2009-10-12 07:1866872----a-w-c:\windows\system32\PnkBstrA.exe 2009-10-12 07:18 . 2009-10-12 07:182250024----a-w-c:\windows\system32\pbsvc.exe 2009-10-12 07:11 . 2009-10-12 07:11--------d-----w-c:\program files\Ubisoft 2009-10-08 19:11 . 2005-05-26 22:342297552----a-w-c:\windows\system32\d3dx9_26.dll 2009-10-08 18:52 . 2009-10-08 18:52--------d-----w-C:\Left4Dead 2009-10-08 18:45 . 
2009-11-03 16:57--------d-----w-c:\program files\Common Files\Steam 2009-10-08 18:45 . 2009-11-04 18:02--------d-----w-c:\program files\Steam 2009-10-08 04:03 . 2009-10-08 04:03--------d-----w-c:\users\Griffin\AppData\Roaming\Samsung 2009-10-08 01:03 . 2009-10-08 01:03--------d-----w-c:\programdata\Office Genuine Advantage 2009-10-07 18:22 . 2003-02-22 01:42348160----a-w-c:\windows\system32\msvcr71.dll 2009-10-07 18:13 . 2009-10-07 18:18--------d-----w-c:\windows\system32\Samsung_USB_Drivers 2009-10-07 18:12 . 2009-10-07 18:455632----a-w-c:\windows\system32\drivers\StarOpen.sys 2009-10-07 18:12 . 2009-10-07 18:12--------d-----w-c:\program files\Samsung 2009-10-07 17:46 . 2009-06-15 15:21499712----a-w-c:\windows\system32\kerberos.dll 2009-10-07 17:46 . 2009-06-15 18:20439896----a-w-c:\windows\system32\drivers\ksecdd.sys 2009-10-07 17:46 . 2009-06-15 15:24175104----a-w-c:\windows\system32\wdigest.dll 2009-10-07 17:46 . 2009-06-15 15:2472704----a-w-c:\windows\system32\secur32.dll 2009-10-07 17:46 . 2009-06-15 15:24270848----a-w-c:\windows\system32\schannel.dll 2009-10-07 17:46 . 2009-06-15 15:231256448----a-w-c:\windows\system32\lsasrv.dll 2009-10-07 17:46 . 2009-06-15 12:579728----a-w-c:\windows\system32\lsass.exe 2009-10-06 18:12 . 2009-10-01 17:29195440------w-c:\windows\system32\MpSigStub.exe 2009-10-06 18:04 . 2009-08-07 02:2444768----a-w-c:\windows\system32\wups2.dll 2009-10-06 18:04 . 2009-08-07 02:2453472----a-w-c:\windows\system32\wuauclt.exe 2009-10-06 18:04 . 2009-08-07 02:231929952----a-w-c:\windows\system32\wuaueng.dll 2009-10-06 18:04 . 2009-08-07 01:452421760----a-w-c:\windows\system32\wucltux.dll 2009-10-06 18:04 . 2009-08-07 02:2435552----a-w-c:\windows\system32\wups.dll 2009-10-06 18:04 . 2009-08-07 02:23575704----a-w-c:\windows\system32\wuapi.dll 2009-10-06 18:04 . 2009-08-07 01:4487552----a-w-c:\windows\system32\wudriver.dll 2009-10-06 18:04 . 2009-08-07 02:23171608----a-w-c:\windows\system32\wuwebv.dll 2009-10-06 18:04 . 
2009-08-07 01:4433792----a-w-c:\windows\system32\wuapp.exe
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-04 18:01 . 2008-10-26 19:38--------d-----w-c:\users\Griffin\AppData\Roaming\DNA 2009-11-03 01:09 . 2008-10-26 19:49--------d-----w-c:\users\Griffin\AppData\Roaming\BitTorrent 2009-11-02 23:44 . 2008-09-09 18:44--------d-----w-c:\program files\Common Files\Adobe 2009-10-25 16:01 . 2007-06-11 23:54--------d--h--w-c:\program files\InstallShield Installation Information 2009-10-25 15:53 . 2007-06-12 00:13--------d-----w-c:\programdata\WildTangent 2009-10-17 02:02 . 2008-07-31 05:27--------d-----w-c:\program files\ATI 2009-10-16 04:22 . 2008-10-17 03:40--------d-----w-c:\program files\DivX 2009-10-16 04:04 . 2008-10-20 07:58--------d-----w-c:\users\Griffin\AppData\Roaming\DivX 2009-10-15 15:59 . 2009-10-15 15:581448----a-w-c:\windows\system32\drivers\kgpcpy.cfg 2009-10-15 05:36 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail 2009-10-14 18:28 . 2008-07-31 05:08--------d-----w-c:\programdata\Microsoft Help 2009-10-14 18:24 . 2008-07-31 05:13--------d-----w-c:\program files\Microsoft SQL Server 2009-10-12 07:44 . 2008-08-13 19:30107888----a-w-c:\windows\system32\CmdLineExt.dll 2009-10-12 07:19 . 2009-10-12 07:1922328----a-w-c:\users\Griffin\AppData\Roaming\PnkBstrK.sys 2009-10-12 06:48 . 2008-10-26 19:38--------d-----w-c:\program files\DNA 2009-09-25 16:41 . 2008-09-25 08:0390112----a-w-c:\windows\system32\dpl100.dll 2009-09-25 16:41 . 2009-09-25 16:41856064----a-w-c:\windows\system32\divx_xx0c.dll 2009-09-25 16:41 . 2009-09-25 16:41856064----a-w-c:\windows\system32\divx_xx07.dll 2009-09-25 16:41 . 2009-09-25 16:41847872----a-w-c:\windows\system32\divx_xx0a.dll 2009-09-25 16:41 . 2009-09-25 16:41843776----a-w-c:\windows\system32\divx_xx16.dll 2009-09-25 16:41 . 2009-09-25 16:41839680----a-w-c:\windows\system32\divx_xx11.dll 2009-09-25 16:41 . 2009-09-25 16:41696320----a-w-c:\windows\system32\DivX.dll 2009-09-24 02:38 . 
2008-07-31 07:311356----a-w-c:\users\Griffin\AppData\Local\d3d9caps.dat 2009-09-18 17:51 . 2009-09-17 23:48--------d-----w-c:\users\Griffin\AppData\Roaming\Skype 2009-09-18 17:48 . 2009-09-17 23:49--------d-----w-c:\users\Griffin\AppData\Roaming\skypePM 2009-09-18 00:46 . 2009-04-17 16:05--------d-----w-c:\users\Griffin\AppData\Roaming\Apple Computer 2009-09-18 00:06 . 2009-09-18 00:05--------d-----w-c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-09-18 00:06 . 2009-09-18 00:05--------d-----w-c:\program files\iTunes 2009-09-18 00:05 . 2009-09-18 00:05--------d-----w-c:\program files\iPod 2009-09-18 00:05 . 2009-04-17 15:59--------d-----w-c:\program files\Common Files\Apple 2009-09-18 00:04 . 2009-09-18 00:03--------d-----w-c:\program files\QuickTime 2009-09-17 23:49 . 2009-09-17 23:4956---ha-w-c:\programdata\ezsidmv.dat 2009-09-17 23:47 . 2009-09-17 23:46--------d-----r-c:\program files\Skype 2009-09-17 23:46 . 2009-09-17 23:46--------d-----w-c:\program files\Common Files\Skype 2009-09-17 23:46 . 2009-09-17 23:46--------d-----w-c:\programdata\Skype 2009-09-16 17:52 . 2009-09-16 17:46--------d-----w-c:\users\Griffin\AppData\Roaming\My Battle for Middle-earth(tm) II Files 2009-09-16 17:33 . 2009-09-16 17:33--------d-----w-c:\users\Griffin\AppData\Roaming\Ulead Systems 2009-09-16 17:31 . 2009-09-16 17:31--------d-----w-c:\program files\Electronic Arts 2009-09-05 00:44 . 2009-10-08 19:12515416----a-w-c:\windows\system32\XAudio2_5.dll 2009-09-05 00:44 . 2009-10-08 19:12238936----a-w-c:\windows\system32\xactengine3_5.dll 2009-09-05 00:44 . 2009-10-08 19:1269464----a-w-c:\windows\system32\XAPOFX1_3.dll 2009-09-05 00:29 . 2009-10-08 19:12453456----a-w-c:\windows\system32\d3dx10_42.dll 2009-09-05 00:29 . 2009-10-08 19:12235344----a-w-c:\windows\system32\d3dx11_42.dll 2009-09-05 00:29 . 2009-10-08 19:125501792----a-w-c:\windows\system32\d3dcsx_42.dll 2009-09-05 00:29 . 2009-10-08 19:121974616----a-w-c:\windows\system32\D3DCompiler_42.dll 2009-09-05 00:29 . 
2009-10-08 19:121892184----a-w-c:\windows\system32\D3DX9_42.dll 2009-08-28 12:39 . 2009-09-16 23:3228672----a-w-c:\windows\system32\Apphlpdm.dll 2009-08-28 10:15 . 2009-09-16 23:324240384----a-w-c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-27 05:22 . 2009-10-14 22:59916480----a-w-c:\windows\system32\wininet.dll 2009-08-27 05:17 . 2009-10-14 22:5971680----a-w-c:\windows\system32\iesetup.dll 2009-08-27 05:17 . 2009-10-14 22:59109056----a-w-c:\windows\system32\iesysprep.dll 2009-08-27 03:42 . 2009-10-14 22:59133632----a-w-c:\windows\system32\ieUnatt.exe 2009-08-18 06:33 . 2009-08-18 06:331193832----a-w-c:\windows\system32\FM20.DLL 2009-08-14 17:07 . 2009-09-16 23:36897608----a-w-c:\windows\system32\drivers\tcpip.sys 2009-08-14 16:29 . 2009-09-16 23:36104960----a-w-c:\windows\system32\netiohlp.dll 2009-08-14 16:29 . 2009-09-16 23:3617920----a-w-c:\windows\system32\netevent.dll 2009-08-14 14:16 . 2009-09-16 23:369728----a-w-c:\windows\system32\TCPSVCS.EXE 2009-08-14 14:16 . 2009-09-16 23:3617920----a-w-c:\windows\system32\ROUTE.EXE 2009-08-14 14:16 . 2009-09-16 23:3611264----a-w-c:\windows\system32\MRINFO.EXE 2009-08-14 14:16 . 2009-09-16 23:3627136----a-w-c:\windows\system32\NETSTAT.EXE 2009-08-14 14:16 . 2009-09-16 23:3619968----a-w-c:\windows\system32\ARP.EXE 2009-08-14 14:16 . 2009-09-16 23:368704----a-w-c:\windows\system32\HOSTNAME.EXE 2009-08-14 14:16 . 2009-09-16 23:3610240----a-w-c:\windows\system32\finger.exe 2009-09-25 16:41 . 2009-09-25 16:411044480----a-w-c:\program files\mozilla firefox\plugins\libdivx.dll 2009-09-25 16:41 . 2009-09-25 16:41200704----a-w-c:\program files\mozilla firefox\plugins\ssldivx.dll .
((((((((((((((((((((((((((((( [emailprotected]_22.51.56 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-02 23:37 . 2009-11-02 23:3765536 c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437\vcomp.dll + 2009-11-02 23:37 . 2009-11-02 23:3749152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80KOR.dll + 2009-11-02 23:37 . 2009-11-02 23:3749152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80JPN.dll + 2009-11-02 23:37 . 2009-11-02 23:3761440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ITA.dll + 2009-11-02 23:37 . 2009-11-02 23:3761440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80FRA.dll + 2009-11-02 23:37 . 2009-11-02 23:3761440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ESP.dll + 2009-11-02 23:37 . 2009-11-02 23:3757344 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ENU.dll + 2009-11-02 23:37 . 2009-11-02 23:3765536 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80DEU.dll + 2009-11-02 23:37 . 2009-11-02 23:3745056 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHT.dll + 2009-11-02 23:37 . 2009-11-02 23:3740960 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHS.dll + 2009-11-02 23:37 . 2009-11-02 23:3757856 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80u.dll + 2009-11-02 23:37 . 2009-11-02 23:3769632 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80.dll + 2007-06-20 17:55 . 
2009-11-04 18:0367740 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2006-11-02 13:02 . 2009-11-04 18:0376026 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2008-07-31 05:58 . 2009-11-04 18:0312362 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3074739374-1649422935-3759921920-1003_UserData.bin + 2008-07-31 05:54 . 2009-11-04 18:0632768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat - 2008-07-31 05:54 . 2009-11-02 22:0032768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2008-07-31 05:54 . 2009-11-04 18:0665536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2008-07-31 05:54 . 2009-11-02 22:0065536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2008-10-15 08:04 . 2008-10-15 08:0439792 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\reader_sl.exe + 2008-10-15 04:33 . 2008-10-15 04:3395600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\nppdf32.dll + 2006-10-23 06:29 . 2006-10-23 06:2914456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AcroRd32Info.exe - 2009-11-02 22:00 . 2009-11-02 22:002048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2009-11-04 18:23 . 2009-11-04 18:232048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2009-11-04 18:23 . 2009-11-04 18:232048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2009-11-02 22:00 . 2009-11-02 22:002048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2006-11-02 10:33 . 2009-11-04 18:07645412 c:\windows\System32\perfh009.dat - 2006-11-02 10:33 . 2009-11-02 22:07645412 c:\windows\System32\perfh009.dat - 2006-11-02 10:33 . 
2009-11-02 22:07119832 c:\windows\System32\perfc009.dat + 2006-11-02 10:33 . 2009-11-04 18:07119832 c:\windows\System32\perfc009.dat - 2008-07-31 05:54 . 2009-11-02 22:00442368 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-07-31 05:54 . 2009-11-04 18:06442368 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2007-06-12 01:01 . 2009-10-29 17:54813744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2007-06-12 01:01 . 2009-11-04 18:22813744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2009-11-02 23:37 . 2009-11-02 23:37424448 c:\windows\Installer\5930dc.msi + 2009-03-12 04:48 . 2009-11-02 23:45295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe - 2009-03-12 04:48 . 2009-10-16 03:31295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe + 2007-04-16 04:56 . 2007-04-16 04:56389120 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AdobeXMP.dll + 2007-05-11 10:06 . 2007-05-11 10:06341616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AcroRd32.exe + 2008-10-15 04:29 . 2008-10-15 04:29632168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AcroPDF.dll + 2009-11-02 23:37 . 2009-11-02 23:371093120 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll + 2009-11-02 23:37 . 2009-11-02 23:371105920 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80.dll + 2006-11-02 10:22 . 2009-11-04 18:226115328 c:\windows\System32\SMI\Store\Machine\schema.dat + 2008-10-15 03:55 . 2008-10-15 03:551945600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\rt3d.dll + 2008-10-15 07:35 . 
2008-10-15 07:35 4906496 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AGM.dll
+ 2009-11-04 18:22 . 2009-11-04 18:22 6115328 c:\windows\ERDNT\subs\schema.dat
+ 2009-11-04 18:10 . 2009-11-04 18:10 6115328 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-10-29 17:44 . 2009-10-29 17:44 33281024 c:\windows\Installer\3450b.msp
+ 2009-05-17 06:47 . 2009-11-04 18:06 193707260 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{447E64C2-C073-4C31-9D1F-FF37219C8524}] 2009-10-12 07:50118983----a-w-c:\windows\zAdBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-10-16 20:121119488----a-w-c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2006-12-04 00:032854912----a-w-c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2006-12-04 00:032854912----a-w-c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Griffin\Program Files\DNA\btdna.exe" [2009-10-15 323392]
"Steam"="c:\program files\Steam\Steam.exe" [2009-10-26 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-04 865840]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Griffin\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2008-05-02 307200]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-02 2010904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-25 4444160]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 1 (0x1) "EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-12-03 23:5090112----a-w-c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001
R0 pf2apj8b;FlatOut File System Driver (pf2apj8b);c:\windows\System32\drivers\pf2apj8b.sys [11/27/2007 5:52 AM 83568]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/13/2009 7:04 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/13/2009 7:04 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/2/2009 3:38 PM 285392]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [6/11/2007 4:05 PM 7168]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [5/26/2009 2:50 PM 4232704]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Griffin\AppData\Roaming\Mozilla\Firefox\Profiles\3t9l20jv.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[emailprotected]\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[emailprotected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[emailprotected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[emailprotected]\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\Griffin\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); .
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 10:25
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x853211F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x853211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice] @Denied: (2) (LocalSystem) "Progid"="YMP.Media"
[HKEY_USERS\S-1-5-21-3074739374-1649422935-3759921920-1003\Software\SecuROM\License information*]
"datasecu"=hex:8c,32,87,11,1d,ea,a8,82,51,a6,66,74,4e,4c,d0,5f,b8,f0,f5,96,3f,
16,66,2e,3a,87,64,6e,ce,bf,77,0d,b2,59,59,20,f2,c8,44,1e,ff,08,9d,3e,56,ba,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
- - - - - - - > 'Explorer.exe'(3636)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-04 10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 18:28
ComboFix2.txt 2009-11-04 07:19
ComboFix3.txt 2009-11-02 22:53
Pre-Run: 48,208,482,304 bytes free
Post-Run: 48,457,031,680 bytes free
Here are my RootRepeal results:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/04 10:34
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0x9B800000  Size: 31744  File Visible: No  Signed: -  Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F5E9000  Size: 45056  File Visible: No  Signed: -  Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x8F5F4000  Size: 40960  File Visible: No  Signed: -  Status: -

Name: PROCEXP113.SYS
Image Path: C:\Windows\system32\Drivers\PROCEXP113.SYS
Address: 0x9B808000  Size: 7872  File Visible: No  Signed: -  Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x8A3F4000  Size: 49152  File Visible: No  Signed: -  Status: -

Name: spof.sys
Image Path: C:\Windows\System32\Drivers\spof.sys
Address: 0x82294000  Size: 1048576  File Visible: No  Signed: -  Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000  Size: 0  File Visible: No  Signed: -  Status: -

Processes
-------------------
Path: System
PID: 4  Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1296  Status: Locked to the Windows API!
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x853231f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_CREATE] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_CLOSE] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_POWER] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: aurcta9uЕ楆, IRP_MJ_PNP] Process: System Address: 0x863541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_POWER] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_READ] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP] Process: System Address: 0x863651f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x862f71f8 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_CREATE] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_CLOSE] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_CLEANUP] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: Smb前І瑎湦܇$, IRP_MJ_PNP] Process: System Address: 0x87f77500 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_CREATE] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_CLOSE] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_CLEANUP] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: netbt, IRP_MJ_PNP] Process: System Address: 0x87f891f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_CREATE] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_CLOSE] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_POWER] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄礈諦⽸赥, IRP_MJ_PNP] Process: System Address: 0x863751f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_READ] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP] Process: System Address: 0x849941f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x862fc1f8 Size: 121
Object: Hidden Code [Driver: msahci, IRP_MJ_POWER] Process: System Address: 0x853221f8 Size: 121
Object: Hidden Code [Driver: msahci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x853221f8 Size: 121
Object: Hidden Code [Driver: msahci, IRP_MJ_PNP] Process: System Address: 0x853221f8 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_CREATE] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_CLOSE] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_READ] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_WRITE] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SET_INFORMATION] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_QUERY_EA] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SET_EA] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SHUTDOWN] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_CLEANUP] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SET_SECURITY] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_POWER] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_SET_QUOTA] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: mrxsmb糄쀁П牄焠諥 讠骲, IRP_MJ_PNP] Process: System Address: 0x862ca500 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_CREATE] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_CLOSE] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_READ] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_WRITE] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_SET_INFORMATION] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_SHUTDOWN] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_CLEANUP] Process: System Address: 0x84b621f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ꦻ裾┸蓯츘蒴0, IRP_MJ_PNP] Process: System Address: 0x84b621f8 Size: 121
==EOF==
----------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
  * Delete the following: ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.
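The two logs above point at the same thing: the MBR detector in the ComboFix run reports "\Driver\atapi -> 0x853211f8", and RootRepeal lists every atapi IRP dispatch routine redirected to that same address. The script below is an added triage example, not part of this thread or of either tool; it parses both formats (including the run-together "SystemAddress:"/"Size:" fields as pasted above) and cross-checks them, using a constructed excerpt of the posted logs as input.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal "Stealth Objects" listing posted above.
# The pasted text runs "Process: System", "Address:" and "Size:" together, so the
# parser accepts both that form and the properly spaced one.
ROOTREPEAL_SAMPLE = """\
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: SystemAddress: 0x853231f8Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: SystemAddress: 0x853231f8Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: SystemAddress: 0x853211f8Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: SystemAddress: 0x853211f8Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x853211f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: SystemAddress: 0x862f71f8Size: 121
"""

# Constructed excerpt of the Gmer MBR detector block from the ComboFix log above.
COMBOFIX_SAMPLE = r"""device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x853211F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x853211f8
Warning: possible MBR rootkit infection !
"""

HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]"
    r" Process: (?P<proc>\w+?)\s*Address: (?P<addr>0x[0-9A-Fa-f]+)\s*Size: (?P<size>\d+)"
)
# Lines of the form "\Driver\atapi -> 0x853211f8" under "detected MBR rootkit hooks:".
MBR_HOOK_RE = re.compile(r"^\\Driver\\(?P<driver>\S+) -> (?P<addr>0x[0-9A-Fa-f]+)", re.M)


def parse_rootrepeal_hooks(text):
    """Return a list of (driver, irp_major, hook_address, size) tuples."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.search(line)
        if m:
            hooks.append((m["driver"], m["irp"], int(m["addr"], 16), int(m["size"])))
    return hooks


def hooks_by_driver(hooks):
    """Group hooks as driver -> {hook_address: sorted IRP majors}. When every
    flagged IRP major of a driver resolves to one address, a single foreign
    routine has taken over that driver's dispatch table, which is exactly the
    pattern the listing above shows for atapi and the other drivers."""
    grouped = defaultdict(lambda: defaultdict(list))
    for driver, irp, addr, _size in hooks:
        grouped[driver][addr].append(irp)
    return {d: {a: sorted(v) for a, v in addrs.items()} for d, addrs in grouped.items()}


def parse_combofix_mbr_hooks(text):
    """Return {driver: hook_address} from the MBR detector's hook lines."""
    return {m["driver"]: int(m["addr"], 16) for m in MBR_HOOK_RE.finditer(text)}


def correlate(rootrepeal_text, combofix_text):
    """For every driver the MBR detector flagged, return the IRP majors that
    RootRepeal saw redirected to the same address. Two independent tools
    naming the same driver and address is much stronger evidence than either
    report alone; an empty list means the two reports do not agree."""
    grouped = hooks_by_driver(parse_rootrepeal_hooks(rootrepeal_text))
    return {drv: grouped.get(drv, {}).get(addr, [])
            for drv, addr in parse_combofix_mbr_hooks(combofix_text).items()}


if __name__ == "__main__":
    for drv, addrs in hooks_by_driver(parse_rootrepeal_hooks(ROOTREPEAL_SAMPLE)).items():
        for addr, irps in addrs.items():
            print(f"{drv}: {len(irps)} IRP handler(s) -> {addr:#010x}")
    print("confirmed by MBR detector:", correlate(ROOTREPEAL_SAMPLE, COMBOFIX_SAMPLE))
```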
----------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------
How is the computer running now?
It seems to be running good! Only thing is every time I try to install the Windows SP2 update it fails... any reason for this?
----------
Not sure about that. Do you get any errors?
----------
Error 800B0100, when I try to install it. As for the trojan atapi.sys, we seem to have fixed that, thank you so much for your help. Do you think I really need Vista SP2?
----------
Yes you do.
Look at this Google Search for some possible solutions.
----------
Hey, just letting you know I got that issue fixed, I just needed to download the standalone SP2 download through the support website. Thanks again for all your help!
----------
Glad it worked.
Safe surfing...