# Rootkit-Pakes.U trojan found in atapi.sys



## djtappin (Oct 26, 2009)

Hello,

My AVG found this infection: "Rootkit-Pakes.U trojan found in atapi.sys".

AVG is stating that it can't delete the file as it is supposed to be an important file, but it's coming up as an infection and I think it's causing my computer to not take the last update from Microsoft. But I'm not sure of that.

My computer is running fine, but that infection is still there and I don't want it to get worse. Also, my computer will not take the last Microsoft update: "Microsoft SQL Server 2005 Express Edition Service Pack 3 (KB955706)".

Please help, like you helped that one guy who had the same problem with the Rootkit-Pakes.U trojan found in atapi.sys.

I know every problem is different with everyone, but I hope you can help.

My computer is a Dell Latitude D520, Intel Centrino Duo, 1GB Ram

Desmond J Tappin


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

I assume your computer is not a 64-bit machine or Windows 7. If it is, then don't follow the instructions below but come back and tell me.

Download *Combofix* from either of the links below. You *must* rename it before saving it. Save it to your desktop.

*Link 1*
*Link 2*

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on *Combo-Fix.exe* & follow the prompts.

When finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* for review.


----------



## djtappin (Oct 26, 2009)

Hello sir,

Thanks a lot for your help. I have attached the Combo-Fix log txt to this post. I hope you are able to view it.

Thanks, I'll stand by for your next instructions.

Desmond J Tappin


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

Please download Malwarebytes' Anti-Malware from *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*

Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit in one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need; that's fine.


----------



## djtappin (Oct 26, 2009)

Hi,

Here is the log below.


Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 3

10/27/2009 11:38:12 PM
mbam-log-2009-10-27 (23-38-12).txt

Scan type: Quick Scan
Objects scanned: 104063
Time elapsed: 18 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Give4Free Plugin (Adware.Give4free) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Give4Free Plugin (Adware.Give4free) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## emeraldnzl (Nov 3, 2007)

Hello again djtappin,

Download *OTL* to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Under the *Standard Registry* box change it to *All*.
Check the boxes beside *LOP Check* and *Purity Check*.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post it with your next reply.


----------



## djtappin (Oct 26, 2009)

Hello there again,

Below is one log; I have to use 2 replies, as you stated I might have to.

OTL logfile created on: 10/28/2009 10:17:50 AM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.34 Mb Total Physical Memory | 581.55 Mb Available Physical Memory | 57.33% Memory free
3.88 Gb Paging File | 3.44 Gb Available in Paging File | 88.73% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.22 Gb Total Space | 5.72 Gb Free Space | 15.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 7.47 Gb Total Space | 5.60 Gb Free Space | 74.93% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PAR3F15TB1
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Apoint\Apntex.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
PRC - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe (GuardianEdge Technologies, Inc.)
PRC - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe (GuardianEdge Technologies, Inc.)
PRC - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe (GuardianEdge Technologies, Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (Intel(R) Corporation)
PRC - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe ()
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe ()
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DGService [Auto | Stopped]) -- C:\PROGRAM FILES\DGAGENT\DGService.exe (Verdasys, Inc.)
SRV - (DigiRefresh [Auto | Stopped]) -- File not found
SRV - (digiSPTIService [On_Demand | Stopped]) -- File not found
SRV - (EphdXlatService [Auto | Running]) -- C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe (GuardianEdge Technologies, Inc.)
SRV - (EvtEng [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (lxcj_device [Auto | Stopped]) -- File not found
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (MSSQL$SQLEXPRESS [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQL$VPINSTANCE [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NICCONFIGSVC [Auto | Running]) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PCG Protect [Auto | Running]) -- C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe (GuardianEdge Technologies, Inc.)
SRV - (RegSrvc [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (S24EventMonitor [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (SQLBrowser [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (SQLWriter [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLANKEEPER [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (Intel(R) Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (AliIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APPDRV [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (asc [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (atapi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (CmdIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (DGAPIMon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\DGAPIMon.SYS (Verdasys, Inc.)
DRV - (DGBusMon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\DGBusMon.SYS (Verdasys, Inc.)
DRV - (DGFSMon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\DGFSMon.SYS (Verdasys, Inc.)
DRV - (DGRoot [Boot | Running]) -- C:\WINDOWS\System32\Drivers\DGRoot.SYS (Verdasys, Inc.)
DRV - (DGRule [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\DGRule.SYS (Verdasys, Inc.)
DRV - (DGTDIMon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\DGTDIMon.SYS (Verdasys, Inc.)
DRV - (DigiNet [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\diginet.sys (Digidesign, A Division of Avid Technology, Inc.)
DRV - (DLABOIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLACDBHM [System | Running]) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLADResN [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLAIFS_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLAOPIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLARTL_N [System | Running]) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DLAUDF_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAUDFAM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DRVMCDB [Boot | Running]) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DRVNDDM [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (E100B [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (EAFSPROT [Boot | Running]) -- C:\WINDOWS\System32\drivers\eafsprot.sys (PC Guardian)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EPHDXLAT [Boot | Running]) -- C:\WINDOWS\System32\drivers\ephdxlat.sys (GuardianEdge Technologies, Inc.)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys (Windows (R) Server 2003 DDK provider)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mraid35x [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091011.020\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091011.020\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (PTDWBus [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDWBus.sys (DEVGURU Co,LTD.)
DRV - (PTDWMdm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDWMdm.sys (DEVGURU Co,LTD.)
DRV - (PTDWVsp [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDWVsp.sys (DEVGURU Co,LTD.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PWCTLDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\PWCTLDRV.sys (DEVGURU Co,LTD.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (s24trans [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys (Intel Corporation)
DRV - (SCREAMINGBDRIVER [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ScreamingBAudio.sys (Screaming Bee LLC)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (sym_hi [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (symc810 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (TPkd [Boot | Running]) -- C:\WINDOWS\System32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)
DRV - (ultra [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (w39n51 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\w39n51.sys (Intel® Corporation)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "msn.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: [email protected]:2.609.002.003
FF - prefs.js..extensions.enabledItems: [email protected]:3.2
FF - prefs.js..extensions.enabledItems: {dd68c513-9296-4b63-8d8b-8f1c991c8a48}:0.1.7.3
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/10/12 02:03:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVG\AVG8\Toolbar\Firefox\[email protected] [2009/10/12 02:03:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock 2.5.2\extensions\\Components: C:\Program Files\Flock\components [2009/10/22 20:35:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock 2.5.2\extensions\\Plugins: C:\Program Files\Flock\plugins [2009/10/22 20:35:06 | 00,000,000 | ---D | M]

[2009/10/22 20:35:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/10/22 20:35:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
[2009/04/18 21:10:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/22 14:58:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\jzmi17um.default\extensions
[2009/06/28 16:53:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\jzmi17um.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/12 17:53:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\jzmi17um.default\extensions\{dd68c513-9296-4b63-8d8b-8f1c991c8a48}
[2009/10/16 00:14:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\jzmi17um.default\extensions\[email protected]
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/05/18 18:41:32 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/10/21 14:18:12 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 13:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/10/21 16:18:31 | 00,002,273 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml


----------
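The line worth noticing in the Driver Services section of the OTL log above is atapi.sys reporting no company name at all ("()"), where a clean copy of that Microsoft driver carries Microsoft's version information, and other core drivers in the same list still do. The Python below is an added example, not a tool from this thread or from OldTimer: it parses OTL "DRV -" lines and flags that condition. The list of core driver names and the clean comparison line at the end of the sample are constructed for the example; the other sample lines are copied from the log above.

```python
"""Triage the 'Driver Services' section of an OTL log for the signal this thread
revolves around: a core Windows driver (here atapi.sys) whose file no longer
names a vendor, which is what a file-infecting rootkit leaves behind."""
import re
from typing import Dict, List, Optional

# OTL driver line layout: DRV - (Name [Start | State]) -- <path> (<vendor>)
# The vendor group is greedy so names with nested parentheses, such as
# "Windows (R) Server 2003 DDK provider", are captured whole.
DRV_RE = re.compile(
    r"^DRV - \((?P<name>.+?) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]\) -- "
    r"(?P<path>.+?\.\w+) \((?P<vendor>.*)\)\s*$"
)

# Core Windows drivers expected to carry Microsoft's version info.
# Constructed, deliberately short list for this example; in practice
# build it from a known-good baseline of the same Windows build.
CORE_MS_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys", "ndis.sys", "tcpip.sys"}


def parse_drv(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one OTL DRV line, or None for any other line."""
    m = DRV_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["file"] = rec["path"].rsplit("\\", 1)[-1].lower()
    return rec


def assess(rec: Dict[str, str]) -> List[str]:
    """Reasons this driver deserves a closer look; empty list means none."""
    reasons = []
    vendor = rec["vendor"].strip()
    if rec["file"] in CORE_MS_DRIVERS and vendor != "Microsoft Corporation":
        reasons.append("core Windows driver without Microsoft vendor info")
    # A Boot/System-start driver with no company name at all is the pattern
    # the infected atapi.sys shows in the log above.
    if not vendor and rec["start"] in ("Boot", "System"):
        reasons.append("early-start driver with no embedded company name")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole OTL log and collect the drivers that were flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_drv(line.strip())
        if rec is None:          # headers, blank lines, PRC/SRV lines, etc.
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({"name": rec["name"], "path": rec["path"],
                             "reasons": reasons})
    return findings


# Sample input: five lines copied from the OTL log in this thread, plus one
# constructed line showing what a clean atapi.sys entry looks like.
SAMPLE_LOG = r"""
========== Driver Services (SafeList) ==========

DRV - (APPDRV [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (atapi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys (Windows (R) Server 2003 DDK provider)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (atapi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\atapi.sys (Microsoft Corporation)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The same parser can be pointed at a full OTL.Txt; only the DRV section is examined, so the output stays short enough to read alongside the log.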



## djtappin (Oct 26, 2009)

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [EPHD User] C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe (GuardianEdge Technologies, Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install/00/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - G:\Article Content Spinner\DLL\mshtml.dll File not found
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\System32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 08:26:23 | 00,000,309 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: ('autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*') - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[9 C:\WINDOWS\*.tmp files]
[2009/10/12 02:03:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/10/12 02:03:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/10/12 16:53:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/07 18:24:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/10/20 15:25:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Auslogics
[2009/10/12 01:57:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2009/10/22 20:35:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Flock
[2009/10/12 16:53:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/10/07 18:23:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Office Genuine Advantage
[2009/10/11 15:53:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Screaming Bee
[2009/10/11 23:45:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
[2009/10/12 02:07:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
[2009/10/22 20:35:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Flock
[2009/10/21 14:14:35 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/10/20 15:25:36 | 00,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2009/10/12 02:03:30 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/10/22 20:35:04 | 00,000,000 | ---D | C] -- C:\Program Files\Flock
[2009/10/10 22:27:36 | 00,000,000 | ---D | C] -- C:\Program Files\IEHelper.dll Removal Tool
[2009/10/12 16:53:00 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/09 15:14:51 | 00,000,000 | ---D | C] -- C:\Program Files\pahimw
[2009/10/20 19:57:05 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Easy
[2009/10/11 15:51:29 | 00,000,000 | ---D | C] -- C:\Program Files\Screaming Bee
[2009/10/12 18:10:27 | 00,000,000 | ---D | C] -- C:\Program Files\The Logo Creator v5
[2009/10/28 10:10:05 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/27 21:10:49 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/27 21:08:58 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/27 21:08:58 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/27 21:08:58 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/27 21:08:58 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/27 21:08:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/27 21:08:07 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/20 19:40:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/10/12 16:53:02 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/12 16:53:00 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/12 02:06:12 | 00,000,000 | ---D | C] -- C:\$AVG8.VAULT$
[2009/10/12 02:04:25 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/12 02:04:24 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/10/12 02:04:18 | 00,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/12 02:04:17 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/12 02:03:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2009/10/07 15:45:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA


----------



## djtappin (Oct 26, 2009)

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[9 C:\WINDOWS\*.tmp files]
[10 C:\Documents and Settings\Administrator\My Documents\*.tmp files]
[2009/10/28 10:15:19 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
[2009/10/28 10:09:52 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/28 09:58:42 | 44,321,664 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/28 09:58:42 | 00,062,663 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/28 09:56:58 | 00,001,164 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/28 09:56:57 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/10/28 09:56:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/28 09:56:01 | 10,636,90240 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/28 09:56:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/27 22:07:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/27 21:30:40 | 00,000,285 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/27 21:29:12 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/27 21:11:11 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/10/27 21:05:32 | 03,436,782 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[2009/10/26 10:50:12 | 00,004,011 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2009/10/26 10:50:12 | 00,002,171 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ive_bak
[2009/10/26 10:49:10 | 00,667,914 | ---- | M] () -- C:\WINDOWS\unins000.exe
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2009/10/22 20:35:13 | 00,001,492 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Flock Web Browser.lnk
[2009/10/22 11:38:00 | 00,069,232 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/20 20:09:57 | 00,000,042 | ---- | M] () -- C:\WINDOWS\System32\RegistryEasy.lie
[2009/10/20 19:42:35 | 00,000,955 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/20 19:42:35 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/10/20 09:42:59 | 00,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/16 01:28:27 | 00,639,934 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/16 01:28:27 | 00,539,354 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/16 01:28:27 | 00,108,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/16 01:21:57 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/16 01:15:20 | 04,839,640 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/10/12 13:16:06 | 00,000,148 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/10/12 02:04:25 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/12 02:04:24 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/10/12 02:04:18 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/12 02:04:17 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/12 02:04:00 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/10/12 02:03:58 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/12 01:49:52 | 00,002,808 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/10/11 16:51:43 | 00,038,400 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/10/02 14:01:57 | 25,198,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Files - No Company Name ==========
[2009/10/27 21:11:10 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/27 21:11:03 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/27 21:08:58 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/27 21:08:58 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/27 21:08:58 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/27 21:08:58 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/10/27 21:08:58 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/27 21:05:45 | 03,436,782 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[2009/10/26 10:50:12 | 00,667,914 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2009/10/26 10:50:12 | 00,004,011 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2009/10/26 10:50:12 | 00,001,128 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Barnes and Noble.rdp
[2009/10/22 20:35:13 | 00,001,492 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Flock Web Browser.lnk
[2009/10/21 14:14:45 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/20 20:09:57 | 00,000,042 | ---- | C] () -- C:\WINDOWS\System32\RegistryEasy.lie
[2009/10/12 11:39:13 | 10,636,90240 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/12 02:04:01 | 44,321,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/12 02:04:00 | 00,062,663 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/12 02:03:58 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/10/12 02:03:56 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/12 01:49:51 | 00,002,808 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/10/07 15:45:36 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/08/28 00:47:47 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/30 19:06:07 | 00,000,012 | ---- | C] () -- C:\WINDOWS\System32\vcklib.sys
[2009/07/30 19:06:07 | 00,000,012 | ---- | C] () -- C:\WINDOWS\System32\vchklib.sys
[2009/07/20 14:17:20 | 00,000,343 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/06/29 14:38:03 | 00,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2irdao.dll
[2009/06/29 14:38:03 | 00,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2ctdao.dll
[2009/06/11 15:01:48 | 00,000,136 | -H-- | C] () -- C:\Documents and Settings\Administrator\Application Data\lakerda1967.sys
[2009/06/11 14:57:31 | 00,010,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\docXConverter (3).ini
[2007/09/26 11:58:50 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/02/08 12:19:18 | 00,000,404 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2007/02/05 16:43:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/12/18 21:43:29 | 00,069,232 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/12/17 18:39:39 | 00,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/11/26 11:54:48 | 00,000,016 | ---- | C] () -- C:\WINDOWS\Biblerp.ini
[2006/10/18 11:11:25 | 00,038,400 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/18 13:11:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/18 13:06:42 | 00,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/18 13:02:12 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/18 12:56:31 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/09/18 12:34:56 | 00,000,390 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 02:38:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 18:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:20:48 | 04,839,640 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2004/08/11 18:20:25 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2004/08/11 18:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 18:07:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/11 18:00:37 | 00,000,955 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 18:00:35 | 00,000,285 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/03 23:59:44 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys

========== LOP Check ==========

[2009/10/22 20:35:29 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2009/08/29 17:02:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ableton
[2009/08/30 19:17:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Audacity
[2009/10/20 15:25:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Auslogics
[2006/11/19 12:27:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CyberLink
[2009/10/22 20:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Flock
[2008/03/15 14:23:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2006/09/18 12:56:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Intel
[2009/07/16 22:35:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IPRental
[2006/11/18 19:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/12 18:35:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Listing Factory 2009
[2009/06/18 19:47:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2009/06/29 11:43:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
[2009/08/23 23:46:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MXSkypeRec
[2007/09/26 12:17:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\NewSoft
[2009/06/26 17:39:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nvu
[2009/08/28 01:10:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PACE Anti-Piracy
[2009/07/23 10:36:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Phipe
[2009/10/11 15:53:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Screaming Bee
[2009/10/11 23:45:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
[2006/11/18 12:09:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Smith Micro
[2009/08/28 01:14:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Trillium Lane
[2009/10/24 02:18:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\U3
[2009/10/23 00:01:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2009/08/27 16:04:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vendio
[2009/10/12 16:53:00 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/04/04 17:38:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/09/18 02:23:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/30 19:25:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/29 17:02:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2009/10/12 02:03:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2007/09/26 12:03:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2007/08/02 07:55:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2006/09/18 12:55:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2009/08/28 01:10:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2009/06/30 12:26:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2004/08/11 18:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/03 22:37:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/04 15:39:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/10/27 22:07:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 06:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/28 09:56:57 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2009/10/28 09:56:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/10/28 10:15:19 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:42DC4246
@Alternate Data Stream - 1117 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:4s33mxkVCuHOAOTdoAY6Qdn
@Alternate Data Stream - 1065 bytes -> C:\Documents and Settings\Administrator\Local Settings\Application Data:LWVlwV6LCbrpENDEU0sGAv1
@Alternate Data Stream - 1022 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:OJQRXn2bnPeuxCUKCOUOU4bhUE
< End of report >


----------



## djtappin (Oct 26, 2009)

OTL Extras logfile created on: 10/28/2009 10:17:50 AM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.34 Mb Total Physical Memory | 581.55 Mb Available Physical Memory | 57.33% Memory free
3.88 Gb Paging File | 3.44 Gb Available in Paging File | 88.73% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.22 Gb Total Space | 5.72 Gb Free Space | 15.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 7.47 Gb Total Space | 5.60 Gb Free Space | 74.93% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PAR3F15TB1
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FlockHTML] -- C:\Program Files\Flock\flock.exe (Flock, Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [AddToPlaylistVLC] -- "C:\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Documents and Settings\Administrator\CCA8.0\winvnc.exe" = C:\Documents and Settings\Administrator\CCA8.0\winvnc.exe:*:Disabled:VNC server for Win32 -- (RealVNC Ltd.)
"G:\Skype.exe" = G:\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{167F938F-5AD3-40e2-B05D-2B7C6F0FDE48}" = HP Deskjet D1500 Printer Driver 10.0 Rel .3
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.9
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (VPINSTANCE)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72CD4C5F-AB0B-4814-8780-9A4F26A2086B}" = Presto! PageManager 7.12.10
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7C05EEDD-E565-4E2B-ADE4-0C784C17311C}" = Crystal Reports for .NET Framework 2.0 (x86)
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{82379BBF-E59C-4F84-B2A0-8E1F871C4F89}" = Encryption Plus Hard Disk
"{862388F2-ACCF-4CE2-945C-7D559B21058E}" = Vendio XPress Image Publisher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{917BAAEA-297A-4B35-ACDD-A26C47D64DF6}" = Digital Guardian Agent
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F240855E-57B8-4807-9A00-7047211D9793}" = Curitel PC Card Software
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Article Content Spinner 1.0" = Article Content Spinner 1.0
"AT&&T Yahoo! Messenger" = AT&T Yahoo! Messenger
"AVG8Uninstall" = AVG Free 8.5
"Barnes & Noble_is1" = Willow: Barnes & Noble 1.0
"Blog Link Generator 1.4" = Blog Link Generator 1.4
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Flock (2.5.2)" = Flock (2.5.2)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MidiSport8x8" = Midisport 8x8 1.0.1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nvu_is1" = Nvu 1.0PR
"Podcast Teleprompter 1.4" = Podcast Teleprompter 1.4
"Premium Quote" = Premium Quote
"ProInst" = Intel(R) PROSet/Wireless Software
"QuickArticlePro 3 .0" = QuickArticlePro 3 .0
"Registry Easy_is1" = Registry Easy v5.6
"SearchAssist" = SearchAssist
"The Logo Creator v5" = The Logo Creator v5
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Acrobat Connect Add-in" = Adobe Acrobat Connect Add-in
"HSHSetup Utility" = HSHSetup Utility
"Mozilla Firefox-Arise" = Mozilla Firefox-Arise
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/28/2009 12:04:49 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:04:49 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:04:49 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:04:49 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:51:24 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:51:24 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:51:24 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 12:51:24 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 9:56:13 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 10/28/2009 9:56:13 AM | Computer Name = PAR3F15TB1 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 10/28/2009 12:51:42 AM | Computer Name = PAR3F15TB1 | Source = Print | ID = 23
Description = Printer Lexmark 4200 Series,1 failed to initialize because a suitable
Lexmark 4200 Series driver could not be found.

Error - 10/28/2009 12:51:43 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The Digidesign MME Refresh Service service failed to start due to 
the following error: %%2

Error - 10/28/2009 12:51:44 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The lxcj_device service failed to start due to the following error:
%%2

Error - 10/28/2009 1:04:21 AM | Computer Name = PAR3F15TB1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft SQL Server 2005 Express Edition Service Pack 3
(KB955706).

Error - 10/28/2009 2:13:59 AM | Computer Name = PAR3F15TB1 | Source = Print | ID = 23
Description = Printer Lexmark 4200 Series,1 failed to initialize because a suitable
Lexmark 4200 Series driver could not be found.

Error - 10/28/2009 2:14:00 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The Digidesign MME Refresh Service service failed to start due to 
the following error: %%2

Error - 10/28/2009 2:14:01 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The lxcj_device service failed to start due to the following error:
%%2

Error - 10/28/2009 9:56:24 AM | Computer Name = PAR3F15TB1 | Source = Print | ID = 23
Description = Printer Lexmark 4200 Series,1 failed to initialize because a suitable
Lexmark 4200 Series driver could not be found.

Error - 10/28/2009 9:56:25 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The Digidesign MME Refresh Service service failed to start due to 
the following error: %%2

Error - 10/28/2009 9:56:25 AM | Computer Name = PAR3F15TB1 | Source = Service Control Manager | ID = 7000
Description = The lxcj_device service failed to start due to the following error:
%%2

< End of report >


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

In this post I will point out a suspect program, we will update your Java, and we will run a scan to make sure we haven't missed anything.

*Now*

Viewpoint Manager is considered *foistware* rather than malware, since it is mostly installed without the user's approval. This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

Up to you, but I recommend removal of this program. Click on *Start* > *Control Panel* > *Add or Remove Programs* and uninstall the following if they exist: *Viewpoint, Viewpoint Manager, Viewpoint Media Player*.

*Next*

Your Java is out of date. Older versions are vulnerable to attack.

Please follow these steps:


Download from here: *Java Runtime Environment (JDK) Update*
Scroll to where it says *"Windows XP/Vista/2000/2003/2008 online" * and download and follow the instructions.

Reboot your computer.
You also need to uninstall older versions of Java.

Click *Start* > *Control Panel* > *Add or Remove Programs*
Remove all Java updates except the latest one you have just installed.

*Finally in this post*

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

*Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE).*

Go to *Kaspersky website* and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Copy and paste that information in your next post.


----------



## djtappin (Oct 26, 2009)

Hello and thanks for all the help you're giving me. It's really appreciated.

I have followed your instructions up to the *Kaspersky website*.

When it first starts downloading, I receive an error message as follows.
By the way, I disabled AVG as well. Below is the error message.

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Invalid file signature]

My internet connection was never interrupted, so I'm not sure if I did something wrong or not. Please advise.

Desmond J Tappin


----------



## djtappin (Oct 26, 2009)

Hi again,

It finally updated, so now it's scanning my computer right now.
I'll post the log when it's finished.

Desmond J Tappin


----------



## emeraldnzl (Nov 3, 2007)

Okie dokie


----------



## djtappin (Oct 26, 2009)

OK, now I'm back. This scanner finally found the infection I was talking about, along with 3 others.

Below is the log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, October 28, 2009 20:44:14
Records in database: 3096805
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Objects scanned: 81457
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:25:33


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Administrator\CCA8.0\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\Adobe\Flash\install.js Infected: Trojan-Spy.JS.FFSpy.a 1
C:\WINDOWS\system32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*C:\Documents and Settings\Administrator\CCA8.0\othread2.dll*

Click on the *Upload* button
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.
And do the same with this one:

*C:\WINDOWS\system32\drivers\atapi.sys*

*Next*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> File::
> C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.
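
The VirSCAN step above identifies the file by its hashes; the check below is an added example (not part of this thread or of any tool mentioned in it) that a responder can run locally to collect the same hashes, verify the driver's signature, and compare the live driver with the copy Windows keeps in dllcache. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt; the MD5 constant is the value VirSCAN reports for atapi.sys later in this thread, and the two default paths are the standard Windows locations.

```powershell
# Added example, not from the thread: first-pass triage of a driver that an AV
# flagged as patched. Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
# The MD5 below is the one VirSCAN reported for atapi.sys in this thread; the
# paths are the Windows defaults and can be overridden on the command line.
param(
    [string]$Driver = "$env:SystemRoot\system32\drivers\atapi.sys",
    [string]$Backup = "$env:SystemRoot\system32\dllcache\atapi.sys"
)

$KnownBadMd5 = '554DEB762F86770EF2FD7D80B4F68C0F'   # from the VirSCAN report in this thread

function Get-DriverReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $Path
        Size      = (Get-Item -LiteralPath $Path).Length
        MD5       = (Get-FileHash -Algorithm MD5  -LiteralPath $Path).Hash
        SHA1      = (Get-FileHash -Algorithm SHA1 -LiteralPath $Path).Hash
        SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
    }
}

$live = Get-DriverReport $Driver
if (-not $live) { throw "Driver not found: $Driver" }
$cached = Get-DriverReport $Backup

# Print both reports so the hashes can be pasted into a reply or a ticket
$live, $cached | Where-Object { $_ } | Format-List

if ($live.MD5 -eq $KnownBadMd5) {
    Write-Warning 'Live driver matches the MD5 that VirSCAN flagged as Rootkit.Win32.TDSS.u'
}
if ($live.SigStatus -ne 'Valid') {
    # Windows 8 and later verify catalog signatures here, so anything but Valid on a
    # system driver is suspicious. XP/7 report catalog-signed OS files as NotSigned,
    # so on those systems fall back to sigverif.exe or the dllcache comparison below.
    Write-Warning "Live driver signature status is $($live.SigStatus)"
}
if ($cached -and $cached.MD5 -ne $live.MD5) {
    Write-Warning 'dllcache copy differs from the live driver; check both file versions before trusting either'
}
```

The signature check is the decisive test on Windows 8 and later, where a patched system driver can no longer validate against the catalog; on the XP host in this thread the hash comparison with the dllcache copy is the more reliable signal, and neither result should be acted on by replacing the file by hand.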


----------



## djtappin (Oct 26, 2009)

Hey there,

Below are the reports you requested.

VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 00:31:50 (EDT)
Scanner results: 79% Scanner(s) (30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report  : http://virscan.org/report/e8541b64f8b1bb1cbd8e955aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32ialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU

VirSCAN.org Scanned Report :
Scanned time : 2009/10/29 00:08:25 (EDT)
Scanner results: 32% Scanner(s) (12/37) found malware!
File Name : atapi.sys
File Size : 96512 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 554deb762f86770ef2fd7d80b4f68c0f
SHA1 : be1fc0067855135de2a131bcdd2a258d7a213d7d
Online report : http://virscan.org/report/9034b84f4be4c89aadf50a62f335951f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091029023454 2009-10-29 4.37 Rootkit.Win32.TDSS!IK
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 1.00 Win-Trojan/Patched.X
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.08 -
Antiy 2.0.18 20091028.3102810 2009-10-28 0.12 -
Arcavir 2009 200910281552 2009-10-28 0.05 -
Authentium 5.1.1 200910281538 2009-10-28 1.26 -
AVAST! 4.7.4 091028-0 2009-10-28 0.01 Win32:Patched-LF [Trj]
AVG 8.5.288 270.14.37/2466 2009-10-29 0.32 Rootkit-Pakes.U
BitDefender 7.81008.4468145 7.28630 2009-10-29 3.89 -
CA (VET) 35.1.0 7087 2009-10-27 4.82 -
ClamAV 0.95.2 9958 2009-10-29 0.02 -
Comodo 3.12 2764 2009-10-29 0.92 -
CP Secure 1.3.0.5 2009.10.29 2009-10-29 0.07 -
Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 6.11 BackDoor.Tdss.565
F-Prot 4.4.4.56 20091028 2009-10-28 1.18 -
F-Secure 7.02.73807 2009.10.28.20 2009-10-28 0.10 Rootkit.Win32.TDSS.u [AVP]
Fortinet 2.81-3.120 10.997 2009-10-28 0.22 -
GData 19.8625/19.526 20091029 2009-10-29 7.06 Rootkit.Win32.TDSS.u [Engine:A]
ViRobot 20091028 2009.10.28 2009-10-28 0.96 -
Ikarus T3.1.01.72 2009.10.29.74310 2009-10-29 4.25 Rootkit.Win32.TDSS
JiangMin 11.0.800 2009.10.26 2009-10-26 5.75 Rootkit.TDSS.ctt
Kaspersky 5.5.10 2009.10.29 2009-10-29 0.07 Rootkit.Win32.TDSS.u
KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 0.67 -
McAfee 5.3.00 5785 2009-10-28 3.38 -
Microsoft 1.5202 2009.10.28 2009-10-28 6.51 Virus:Win32/Alureon.A
Norman 6.01.09 6.01.00 2009-10-28 4.01 -
Panda 9.05.01 2009.10.28 2009-10-28 2.01 -
Trend Micro 8.700-1004 6.584.01 2009-10-28 0.03 -
Quick Heal 10.00 2009.10.29 2009-10-29 1.22 -
Rising 20.0 21.53.30.00 2009-10-29 0.82 -
Sophos 3.00.1 4.46 2009-10-29 2.77 -
Sunbelt 5472 5472 2009-10-27 1.68 -
Symantec 1.3.0.24 20091028.006 2009-10-28 0.25 -
nProtect 20091028.01 6034135 2009-10-28 9.19 Trojan/W32.Rootkit.96512
The Hacker 6.5.0.2 v00056 2009-10-28 1.01 -
VBA32 3.12.10.11 20091027.1255 2009-10-27 1.93 -
VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 2.51 -

ComboFix 09-10-28.01 - Administrator 10/29/2009 0:34.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.764 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip"
"c:\program files\Adobe\Flash\install.js"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5975bd5c-48db7cf3.zip
c:\program files\Adobe\Flash\install.js

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 04:28 . 2009-10-29 04:29 -------- d-----w- C:\Combo-Fix
2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-28 22:34 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 04:03 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-28 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-28 13:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:33 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-30 23:17 . 2009-06-16 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( [email protected]_01.30.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 22:17 . 2009-10-28 22:17 16384 c:\windows\Temp\Perflib_Perfdata_eec.dat
+ 2009-10-29 04:44 . 2009-10-29 04:44 16384 c:\windows\Temp\Perflib_Perfdata_e78.dat
+ 2009-10-29 04:42 . 2009-10-29 04:42 16384 c:\windows\Temp\Perflib_Perfdata_698.dat
+ 2006-10-17 19:01 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 149280 c:\windows\system32\javaws.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 145184 c:\windows\system32\javaw.exe
+ 2009-10-28 22:10 . 2009-10-28 22:10 145184 c:\windows\system32\java.exe
- 2006-10-17 18:27 . 2009-08-29 07:36 380928 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 18:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
+ 2007-05-10 12:02 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-10 12:02 . 2009-08-29 07:36 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2009-10-28 05:03 . 2009-10-28 05:03 817152 c:\windows\Installer\8f2bb.msi
+ 2009-10-28 22:10 . 2009-10-28 22:10 537600 c:\windows\Installer\24209f.msi
- 2009-07-29 13:02 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB972260-IE7\update\update.exe
+ 2009-07-29 13:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB972260-IE7\update\update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 00:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\combo-fix2902c\CF28242.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\combo-fix2902c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 0:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 04:50
ComboFix2.txt 2009-10-28 01:36

Pre-Run: 6,599,766,016 bytes free
Post-Run: 6,708,240,384 bytes free

- - End Of File - - B956A486D6185F052FF56D7E3E093897


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

Please delete your version of ComboFix, including the folders *C:\Qoobox* and *C:\Combofix*, and download a new version of Combofix.

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*

----------------------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

----------------------------------------------------------------------------------------------------------

Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> File::
> C:\Documents and Settings\Administrator\CCA8.0\othread2.dll
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.

*Next*

Download GMER from *here*

Unzip it to the desktop.

*Caution*
*These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.*

Open the program and click on the *Rootkit* tab.
Make sure all the boxes on the right of the screen are checked, *EXCEPT* for Show All.
Click on *Scan*.
When the scan has run click *Copy* and paste the results (if any) into this thread.

*So when you return please post:*
ComboFix.txt
GMER Rootkit revealer scan results


----------



## djtappin (Oct 26, 2009)

Hello,

Below are the results.

ComboFix 09-10-28.08 - Administrator 10/29/2009 9:45.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.311 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Administrator\CCA8.0\othread2.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\CCA8.0\othread2.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-29 13:25 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 05:06 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-28 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-28 13:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:33 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-30 23:17 . 2009-06-16 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-10-29 10:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 14:02
ComboFix2.txt 2009-10-29 04:51

Pre-Run: 6,712,750,080 bytes free
Post-Run: 6,747,004,928 bytes free

- - End Of File - - FE10F6946BD543774EACABBE21102D3E


----------



## djtappin (Oct 26, 2009)

Hello again,

Here is the other log.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-29 10:14:13
Windows 5.1.2600 Service Pack 3
Running: ucvzo6qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwdoqpow.sys

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\CLASSPNP_2.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\atapi_2.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT  C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3588] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eafsprot.sys (EAFS Volume File Protector/PC Guardian)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice eafsprot.sys (EAFS Volume File Protector/PC Guardian)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


----------



## emeraldnzl (Nov 3, 2007)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
atapi_2.sys
PROCEXP90.SYS
CLASSPNP_2.sys
ucvzo6qy.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## djtappin (Oct 26, 2009)

Hi

I want to again thank you for your support; you've been really helpful, I must say.

Here is the log below. I noticed it said files not found in this log, but for some reason the *Rootkit-Pakes.U trojan atapi.sys* is still in the system32/drivers folder. When AVG scans daily it finds it but it will not delete it; it says it's an important file and cannot be deleted, LOL, but it's showing as a trojan, hmmm. But maybe I'm getting a little ahead of myself; I apologize if so. You guys have been doing a great job in helping me with this problem, so I'll continue to let you do your job without complaining.

Thanks a lot!

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:53 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi_2.sys"
No files found.

Searching for "PROCEXP90.SYS"
No files found.

Searching for "CLASSPNP_2.sys"
No files found.

Searching for "ucvzo6qy.exe"
C:\Documents and Settings\Administrator\Desktop\ucvzo6qy.exe --a--- 291328 bytes [14:07 29/10/2009] [14:07 29/10/2009] BE611621504065D54AC2CE8F2F7BC27A

-=End Of File=-


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
atapi.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

*Next*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> File::
> C:\Documents and Settings\Administrator\Desktop\ucvzo6qy.exe
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.

*So when you return please post*
SystemLook.txt
ComboFix.txt
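
What the `:filefind atapi.sys` step gives the helper is a list of every copy of the driver on the disk with its size, timestamps and MD5, so the in-use copy can be compared against the backup copies Windows keeps. The following is an added example, not part of this thread and not SystemLook's own code: a Python script that parses SystemLook filefind output and flags an in-use driver under system32\drivers whose MD5 differs from a same-size, same-modified-time reference copy elsewhere on the disk, which is the pattern of a driver altered in place with its metadata preserved. The sample log is constructed in SystemLook's format (sizes and timestamps follow the log posted later in this thread; the MD5 values are made-up placeholders), and the function names `parse_filefind` and `check_live_driver` are mine.

```python
import re

# One SystemLook ":filefind" result line has the shape
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# as in the logs posted in this thread. Paths may contain spaces, so the
# path group is non-greedy and the rest of the line is anchored.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample log in SystemLook's format. Sizes and timestamps follow
# the real log in this thread; the MD5 values are made-up placeholders.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:46 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] 11111111111111111111111111111111
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 33333333333333333333333333333333
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] 11111111111111111111111111111111

-=End Of File=-
"""

# Directory holding the copy the kernel actually loads (hypothetical default).
LIVE_DRIVER_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Parse SystemLook filefind output into one dict per located file."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def check_live_driver(entries, live_dir=LIVE_DRIVER_DIR):
    """Flag in-use driver copies whose hash disagrees with every reference copy.

    A reference copy is any other located file with the same size and the same
    modified timestamp (ServicePackFiles, i386, ReinstallBackups, ...). If such
    copies exist and none of them shares the live file's MD5, the live file has
    been changed while keeping the metadata of the original. Returns a list of
    findings; an empty list means every live copy matched a known one.
    """
    live_dir = live_dir.lower()
    findings = []
    for live in entries:
        if live_dir not in live["path"].lower():
            continue
        refs = [e for e in entries
                if e is not live
                and e["size"] == live["size"]
                and e["modified"] == live["modified"]]
        if not refs:
            continue  # nothing comparable on disk; cannot judge from this log alone
        if any(r["md5"] == live["md5"] for r in refs):
            continue  # a known copy matches: consistent
        findings.append({
            "live_path": live["path"],
            "live_md5": live["md5"],
            "reference_paths": [r["path"] for r in refs],
            "reference_md5s": sorted({r["md5"] for r in refs}),
        })
    return findings


if __name__ == "__main__":
    for f in check_live_driver(parse_filefind(SAMPLE_LOG)):
        print("MISMATCH:", f["live_path"], f["live_md5"])
        print("  same size and mtime as:", ", ".join(f["reference_paths"]),
              "with MD5", ", ".join(f["reference_md5s"]))
```

Size and modified time alone are not evidence: those are the fields an in-place modification can leave untouched, which is why the check keys on them to find the right reference copy and then lets the MD5 decide. A live copy that matches none of its references is the case a helper wants to see in the log before deciding which backup copy, if any, the file should be compared to or restored from.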


----------



## djtappin (Oct 26, 2009)

Hello,

Below are the logs.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:46 on 29/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

ComboFix 09-10-28.08 - Administrator 10/29/2009 22:54.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.459 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\kwdoqpow.sys"
"c:\documents and settings\Administrator\Desktop\ucvzo6qy.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Desktop\ucvzo6qy.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-29 23:12 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-29 22:25 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-29 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-29 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 02:23 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( [email protected]_13.54.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 13:55 . 2009-10-29 13:55 16384 c:\windows\Temp\Perflib_Perfdata_d40.dat
+ 2009-10-30 03:00 . 2009-10-30 03:00 16384 c:\windows\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-30 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 23:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-30 23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 03:08
ComboFix2.txt 2009-10-29 14:03
ComboFix3.txt 2009-10-29 04:51

Pre-Run: 6,693,847,040 bytes free
Post-Run: 6,689,574,912 bytes free

- - End Of File - - 5BA3B2B1E277A01233E4B041919F13A6


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> FCopy::
> C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sy
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.


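As an added example that is not part of the thread, the following Python parses the driver listing format shown at the top of the post above and compares each copy of atapi.sys against the ServicePackFiles copy, flagging the live system32\drivers copy that keeps the same size and last-write time but carries a different MD5, which is the file the FCopy:: line replaces. It assumes the two bracketed timestamps are creation and last-write time as printed and that the ServicePackFiles copy is a usable baseline; the verdict labels are constructed here.

```python
"""Flag driver copies whose hash differs from the service-pack copy.

Added example, not code from the thread or from any of the tools it uses.
Input lines follow the listing format seen in the post above:
    <path> <attrs> <size> bytes [<created>] [<last-write>] <MD5>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the three atapi.sys entries from the listing in the thread.
SAMPLE_REPORT = """\
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys -----c 96512 bytes [04:09 23/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\\WINDOWS\\system32\\ReinstallBackups\\0005\\DriverFiles\\i386\\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str   # first bracketed timestamp, assumed to be creation time
    modified: str  # second bracketed timestamp, assumed to be last-write time
    md5: str


def parse_report(text: str) -> list[FileEntry]:
    """Parse listing lines; headers and the End Of File marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["created"], m["modified"], m["md5"].upper()))
    return entries


def classify_copies(entries: list[FileEntry],
                    reference_marker: str = "\\servicepackfiles\\") -> dict[str, str]:
    """Give every copy of a file name a verdict relative to its ServicePackFiles copy.

    Verdict labels are constructed for this example:
      REFERENCE          the baseline copy itself
      MATCH              same MD5 as the baseline
      MODIFIED_IN_PLACE  same size and last-write time, different MD5
      DIFFERENT_VERSION  any other difference (e.g. an older driver build)
      NO_REFERENCE       no baseline copy present in the listing
    """
    by_name: dict[str, list[FileEntry]] = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)

    verdicts: dict[str, str] = {}
    for copies in by_name.values():
        refs = [e for e in copies if reference_marker in e.path.lower()]
        if not refs:
            verdicts.update({e.path: "NO_REFERENCE" for e in copies})
            continue
        ref = refs[0]
        for e in copies:
            if e is ref:
                verdicts[e.path] = "REFERENCE"
            elif e.md5 == ref.md5:
                verdicts[e.path] = "MATCH"
            elif e.size == ref.size and e.modified == ref.modified:
                # Identical size and last-write time with different content is the
                # pattern of a driver patched in place, which the FCopy:: line repairs.
                verdicts[e.path] = "MODIFIED_IN_PLACE"
            else:
                verdicts[e.path] = "DIFFERENT_VERSION"
    return verdicts


def suspicious_paths(text: str) -> list[str]:
    """Paths in the listing that look patched in place, sorted for stable output."""
    return sorted(p for p, v in classify_copies(parse_report(text)).items()
                  if v == "MODIFIED_IN_PLACE")


if __name__ == "__main__":
    for path, verdict in classify_copies(parse_report(SAMPLE_REPORT)).items():
        print(f"{verdict:18} {path}")
```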
----------



## djtappin (Oct 26, 2009)

Hello,

Here is the log report!

ComboFix 09-10-28.08 - Administrator 10/30/2009 0:26.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sy
c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-28 02:07 . 2009-10-28 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-10-30 03:10 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-30 03:28 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-10-29 16:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-10-29 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 02:23 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:39 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:45 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 16:56 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 04:55 . 2006-09-18 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 04:54 . 2006-12-03 21:26 -------- d-----w- c:\program files\Yahoo!
2009-08-31 04:54 . 2006-09-18 16:59 -------- d-----w- c:\program files\Modem Helper
2009-08-31 04:53 . 2006-09-18 16:56 -------- d-----w- c:\program files\Dell
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( [email protected]_13.54.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-30 04:41 . 2009-10-30 04:41 16384 c:\windows\Temp\Perflib_Perfdata_f0c.dat
+ 2009-10-29 13:55 . 2009-10-29 13:55 16384 c:\windows\Temp\Perflib_Perfdata_d40.dat
+ 2009-10-30 04:40 . 2009-10-30 04:40 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 10:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 1:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 6:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 2:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 2:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 2:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/28/2009 12:47 AM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 4:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 5:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 4:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 10:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 10:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 10:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 10:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 10:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 10:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 11:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 11:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 11:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 11:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - ephdlink
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-10-30 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 00:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-30 0:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 04:48
ComboFix2.txt 2009-10-30 03:09
ComboFix3.txt 2009-10-29 14:03
ComboFix4.txt 2009-10-29 04:51

Pre-Run: 6,709,170,176 bytes free
Post-Run: 6,939,365,376 bytes free

- - End Of File - - 5F2B31400283B0C0F1E1D7891E92DABC


----------



## emeraldnzl (Nov 3, 2007)

Okay, time to have another check that we aren't missing anything else.

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes, please download it from *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

*Next*

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

*Kaspersky works with Internet Explorer and Firefox 3.*

Go to *Kaspersky website* and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Copy and paste that information in your next post.

*So when you return please post:*
*MBAM log*
*Kaspersky scan results*
*and tell me how your computer is performing now*


----------



## djtappin (Oct 26, 2009)

Hello,

Here are the logs.

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 3

10/30/2009 1:48:26 AM
mbam-log-2009-10-30 (01-48-26).txt

Scan type: Quick Scan
Objects scanned: 103993
Time elapsed: 26 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 30, 2009 15:47:42
Records in database: 3104654
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Objects scanned: 84799
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 04:13:25


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\CCA8.0\othread2.dll.vir Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP491\A0080351.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.


----------



## emeraldnzl (Nov 3, 2007)

Looking good. One of those found by Kaspersky is in quarantine in the tools we have been using, one is in System Restore and will be dealt with when we clean up and the third may be a false positive but we will just check.

*Now*

Please run OTL.exe

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:processes


:OTL

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
*It will produce a log for you on reboot; please post that log in your next reply.*
*Also please answer my question from my last post about how your computer is now.*
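The triage above sorts the Kaspersky hits by where they sit. Here is that reasoning as a small report parser, an added example that is not part of the thread or of any Kaspersky tool; it assumes ComboFix's Qoobox quarantine folder and XP's System Restore path layout exactly as they appear in the report posted above.

```python
r"""Triage a Kaspersky Online Scanner 7 report: which hits are actually live?

Added example, not from the thread or from Kaspersky. It encodes the helper's
reasoning: a detection under ComboFix's quarantine (C:\Qoobox\Quarantine) or
under a System Restore point (System Volume Information\_restore{...}) is a
stored copy, not a running infection, while a hit on a live system driver needs
a second look. SAMPLE_REPORT copies the three result lines from the thread.
"""
import re
from collections import Counter

# One result line: "<path> Infected: <threat name> <count>". Paths contain
# spaces, so anchor on the literal " Infected: " separator instead.
RESULT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Where a hit lives decides how urgent it is. Assumption: ComboFix's quarantine
# folder and XP's System Restore layout, exactly as the paths in this thread.
LOCATION_RULES = (
    ("quarantined", re.compile(r"\\Qoobox\\Quarantine\\", re.IGNORECASE)),
    ("system_restore", re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)),
)


def classify_location(path):
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_report(text):
    """Return one dict per result line; the report's header lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if not m:
            continue
        threat = m.group("threat")
        findings.append({
            "path": m.group("path"),
            "threat": threat,
            "count": int(m.group("count")),
            "location": classify_location(m.group("path")),
            # Kaspersky prefixes riskware (remote-admin tools etc.) with not-a-virus:
            "riskware": threat.startswith("not-a-virus:"),
            "rootkit": threat.lower().startswith("rootkit."),
        })
    return findings


def needs_attention(findings):
    """Live hits that are not merely riskware: these decide whether the box is clean."""
    return [f for f in findings if f["location"] == "live" and not f["riskware"]]


def summarize(findings):
    """Count hits per location, the way the helper tallies them in the post."""
    return Counter(f["location"] for f in findings)


# Copied from the Kaspersky report posted in this thread.
SAMPLE_REPORT = r"""Scan statistics:
Objects scanned: 84799
Threats found: 2
Infected objects found: 3

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\CCA8.0\othread2.dll.vir Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP491\A0080351.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    print(dict(summarize(findings)))
    for f in needs_attention(findings):
        print("check on the live system:", f["path"], "->", f["threat"])
```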


----------



## djtappin (Oct 26, 2009)

Hello,

I can tell a little bit that it's running a little better. My computer is running good, it was actually running decent when I first contacted you guys, even after AVG found the Rootkit-Pakes.U trojan in atapi.sys. That's why I looked it up and found you guys and I saw where another guy found the same file and it was repaired and solved.

But you guys have found even more infections that AVG didn't find, so I really thank you for that.

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2728 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_wDHjKNgPN39aG7QWCdiP scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\fla212.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_710.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_c0c.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DB9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DC6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53A8.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53BE.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53D5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5406.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF547E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF548B.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 111034833 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OWICFSQ3\client_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O8DGROHU\client_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 2203324 bytes
->Java cache emptied: 97609745 bytes
->FireFox cache emptied: 90716123 bytes
->Google Chrome cache emptied: 369447136 bytes
->Apple Safari cache emptied: 722935040 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\LMI10.tmp folder deleted successfully.
C:\WINDOWS\LMI11.tmp folder deleted successfully.
C:\WINDOWS\LMI29.tmp folder deleted successfully.
C:\WINDOWS\LMI2A.tmp folder deleted successfully.
C:\WINDOWS\LMI2C.tmp folder deleted successfully.
C:\WINDOWS\LMI43.tmp folder deleted successfully.
C:\WINDOWS\LMIF.tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 12232305 bytes
%systemroot%\System32 .tmp files removed: 4532241 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_eac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 55899 bytes
RecycleBin emptied: 3418 bytes

Total Files Cleaned = 1345.54 mb

OTL by OldTimer - Version 3.0.22.1 log created on 10302009_175217

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2728 not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_wDHjKNgPN39aG7QWCdiP not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\fla212.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_710.dat not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_c0c.dat not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DB9.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DC6.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53A8.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53BE.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF53D5.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5406.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF547E.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF548B.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OWICFSQ3\client_ad[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O8DGROHU\client_ad[1].htm moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_eac.dat moved successfully.

Registry entries deleted on Reboot...


----------



## emeraldnzl (Nov 3, 2007)

I am of the opinion that we are pretty well there with your machine, but there are a couple of things that make me slightly uncomfortable, so I would like you to carry out one last scan before we go to cleaning away the tools we have been using.

I just want to have another look to make sure that the rootkit GMER found, which I think we got rid of, hasn't still got parts of itself hidden deep down there.

Please download and save *SysProt AntiRootkit* to your Desktop.


Double-click the Zip file.
You should now have a folder with *SysProt* and some other files within it on your Desktop.
Double-click *SysProt* and you should see another small window with *SysProt* underneath it.
Double-click this and a Wizard will appear to guide you through extracting the files.
Double-click the SysProt folder.
SysProt will appear with a red cross on black - double-click it.
A panel will appear with a number of tabs along the top.
Click on the Log tab and check all boxes except the one labelled Hidden objects only.
Click the *Create Log* button.
It will scan... once finished a panel will appear.
Click on Scan all drives.
A log will be created and saved automatically in the same folder.
Open the text file, copy and paste the contents back here in the forum. Close any panels left open.
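To read the SysProt log the way this post intends (is anything marked hidden, and is the atapi.sys driver loaded from where it should be?), here is a checker as an added example, not SysProt's own code. It assumes the record layout of the log posted in this thread and, as a constructed sample, a fictitious hidden module named example_hidden.sys.

```python
"""Check a SysProt AntiRootkit log for hidden or oddly placed kernel modules.

Added example, not SysProt's own code. SysProt writes blank-line-separated
records: Name/PID/Hidden/Window Visible for processes and Module Name/Service
Name/Module Base/Module End/Hidden for kernel modules, as in the log posted in
this thread. SAMPLE_LOG is constructed: records copied from that log plus one
fictitious hidden module so the checks have something to report.
"""
import re

SECTION_HEADERS = {"Process:": "processes", "Kernel Modules:": "modules"}
STARS = re.compile(r"^\*{10,}$")
# Assumption: on a clean XP box every driver loads from \WINDOWS\system32, as
# in the thread's log; anything elsewhere deserves a look (tools included).
SYSTEM_DIRS = ("\\windows\\system32\\",)


def parse_sysprot(text):
    """Split the log into process and kernel-module records (one dict each)."""
    sections = {"processes": [], "modules": []}
    current, record = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
            continue
        if not line or STARS.match(line):        # record separator
            if record and current:
                sections[current].append(record)
            record = {}
            continue
        if current and ":" in line:
            key, _, value = line.partition(":")  # paths keep their own colons
            record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def hidden_items(sections):
    """Anything SysProt marks 'Hidden: Yes' is exactly what the helper is after."""
    return {kind: [r for r in records if r.get("Hidden", "").lower() == "yes"]
            for kind, records in sections.items()}


def normalize_module_path(name):
    """Drop the \\??\\ prefix and drive letter so all module paths compare alike."""
    name = name.lower()
    if name.startswith("\\??\\"):
        name = name[4:]
    if len(name) > 1 and name[1] == ":":
        name = name[2:]
    return name


def modules_outside_system32(modules):
    return [m for m in modules
            if not any(d in normalize_module_path(m["Module Name"]) for d in SYSTEM_DIRS)]


def find_module(modules, filename):
    """Look up a driver such as atapi.sys by file name, case-insensitively."""
    target = "\\" + filename.lower()
    return next((m for m in modules
                 if normalize_module_path(m["Module Name"]).endswith(target)), None)


SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: 99D44000
Module End: 99D4F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73B5000
Module End: F73CD000
Hidden: No

Module Name: \??\C:\CONSTRUCTED\example_hidden.sys
Service Name: ---
Module Base: F7B40000
Module End: F7B48000
Hidden: Yes
"""

if __name__ == "__main__":
    sections = parse_sysprot(SAMPLE_LOG)
    for kind, records in hidden_items(sections).items():
        for r in records:
            print("HIDDEN", kind, r.get("Name") or r.get("Module Name"))
    for m in modules_outside_system32(sections["modules"]):
        print("loaded from outside system32:", m["Module Name"])
    atapi = find_module(sections["modules"], "atapi.sys")
    base, end = int(atapi["Module Base"], 16), int(atapi["Module End"], 16)
    print(f"atapi.sys at {base:08X}-{end:08X}, hidden={atapi['Hidden']}")
```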


----------



## djtappin (Oct 26, 2009)

Hello, below is the log.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 552
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 576
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 620
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 872
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 968
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PID: 1020
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PID: 1100
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PID: 1136
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1324
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1532
Hidden: No
Window Visible: No

Name: C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe
PID: 1584
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1612
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 304
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 548
Hidden: No
Window Visible: No

Name: C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe
PID: 960
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1180
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 752
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1828
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PID: 1864
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\Apoint.exe
PID: 1912
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 1928
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxpers.exe
PID: 1940
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 1964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxsrvc.exe
PID: 1988
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 1996
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PID: 2084
Hidden: No
Window Visible: No

Name: C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe
PID: 2100
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PID: 2120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
PID: 2148
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\ApntEx.exe
PID: 2160
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 2172
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 2192
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 2232
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
PID: 2256
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\hidfind.exe
PID: 2264
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
PID: 2308
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PID: 2352
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 2408
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PID: 2448
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PID: 2664
Hidden: No
Window Visible: No

Name: C:\Program Files\Digital Line Detect\DLG.exe
PID: 2792
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PID: 2852
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PID: 3216
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 3252
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 3908
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3992
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 4048
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 1344
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
PID: 2500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3888
Hidden: No
Window Visible: No

Name: C:\Program Files\Flock\flock.exe
PID: 3652
Hidden: No
Window Visible: No

Name: G:\Skype.exe
PID: 388
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt\SysProt.exe
PID: 2528
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: 99D44000
Module End: 99D4F000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A70000
Module End: F7A72000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7980000
Module End: F7983000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ephdlink.sys
Service Name: ephdlink
Module Base: F7A72000
Module End: F7A74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7441000
Module End: F746F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7A74000
Module End: F7A76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7430000
Module End: F7441000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7570000
Module End: F757A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F7984000
Module End: F7987000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F7988000
Module End: F798C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B38000
Module End: F7B39000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F77F0000
Module End: F77F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F7412000
Module End: F7430000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7580000
Module End: F758B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F73F3000
Module End: F7412000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F73CD000
Module End: F73F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F77F8000
Module End: F77FD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7590000
Module End: F759D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73B5000
Module End: F73CD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F75A0000
Module End: F75A9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75B0000
Module End: F75BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7395000
Module End: F73B5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7383000
Module End: F7395000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\DRVMCDB.SYS
Service Name: DRVMCDB
Module Base: F736D000
Module End: F7383000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\eafsprot.sys
Service Name: EAFSPROT
Module Base: F798C000
Module End: F798F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F75C0000
Module End: F75C9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\TPkd.sys
Service Name: TPkd
Module Base: F734F000
Module End: F736D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7338000
Module End: F734F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F72AB000
Module End: F7338000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F727E000
Module End: F72AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F75D0000
Module End: F75E0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F75E0000
Module End: F75EE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7264000
Module End: F727E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\EPHDXLAT.sys
Service Name: EPHDXLAT
Module Base: F724E000
Module End: F7264000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\DGRoot.SYS
Service Name: DGRoot
Module Base: F723C000
Module End: F724E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F7770000
Module End: F7780000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F635E000
Module End: F6367000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F69EA000
Module End: F69EE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F61F0000
Module End: F633E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F61DC000
Module End: F61F0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F61B4000
Module End: F61DC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\w39n51.sys
Service Name: w39n51
Module Base: F6057000
Module End: F61B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7910000
Module End: F7916000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6033000
Module End: F6057000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7918000
Module End: F7920000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Service Name: bcm4sbxp
Module Base: F634E000
Module End: F635A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F633E000
Module End: F634B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Service Name: ApfiltrService
Module Base: F6018000
Module End: F6033000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F78F0000
Module End: F78F6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F78F8000
Module End: F78FE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7640000
Module End: F7650000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F69E2000
Module End: F69E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7650000
Module End: F765B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
Service Name: DLACDBHM
Module Base: F7AAC000
Module End: F7AAE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7660000
Module End: F7670000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7670000
Module End: F767F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F5FF5000
Module End: F6018000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F7900000
Module End: F7906000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7BDC000
Module End: F7BDD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7680000
Module End: F768D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F69DA000
Module End: F69DD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F5FDE000
Module End: F5FF5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F7690000
Module End: F769B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F76A0000
Module End: F76AC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7908000
Module End: F790D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F5FCD000
Module End: F5FDE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F76B0000
Module End: F76B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7920000
Module End: F7925000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7928000
Module End: F792D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F5F9D000
Module End: F5FCD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F76C0000
Module End: F76CA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7AAE000
Module End: F7AB0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5F3F000
Module End: F5F9D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7A1C000
Module End: F7A20000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F76D0000
Module End: F76DA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sthda.sys
Service Name: STHDA
Module Base: A9CC6000
Module End: A9DD6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: A9CA2000
Module End: A9CC6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F77A0000
Module End: F77AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Service Name: HSXHWAZL
Module Base: A9C68000
Module End: A9CA2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Service Name: HSF_DPV
Module Base: A9B71000
Module End: A9C68000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Service Name: winachsf
Module Base: A9ABB000
Module End: A9B71000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7970000
Module End: F7978000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F77E0000
Module End: F77EF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7AC6000
Module End: F7AC8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F7208000
Module End: F720B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F78E8000
Module End: F78EF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7AF0000
Module End: F7AF2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7BB4000
Module End: F7BB5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7AFC000
Module End: F7AFE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DLARTL_N.SYS
Service Name: DLARTL_N
Module Base: A8FB9000
Module End: A8FBF000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: A8176000
Module End: A817C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7AFE000
Module End: F7B00000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7B00000
Module End: F7B02000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: A5D95000
Module End: A5D9A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: A5D8D000
Module End: A5D95000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F5F23000
Module End: F5F26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: A4C26000
Module End: A4C39000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: A4BCD000
Module End: A4C26000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: A4BB4000
Module End: A4BCD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: A6C33000
Module End: A6C3C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: A4AEE000
Module End: A4B14000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: A4AC6000
Module End: A4AEE000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: A9E07000
Module End: A9E0A000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: A4AA4000
Module End: A4AC6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: A6C23000
Module End: A6C32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: A6C13000
Module End: A6C1C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: A4A51000
Module End: A4A7C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: A49E1000
Module End: A4A51000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: A6C03000
Module End: A6C0E000
Hidden: No

Module Name: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Service Name: eeCtrl
Module Base: A4095000
Module End: A40F3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: A5D4D000
Module End: A5D53000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: A4044000
Module End: A4095000
Hidden: No


----------



## djtappin (Oct 26, 2009)

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Service Name: APPDRV
Module Base: 9DC94000
Module End: 9DC98000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F638E000
Module End: F639E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: 9AEEF000
Module End: 9AF13000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 9AED7000
Module End: 9AEEF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A7C000
Module End: F7A7E000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 9B512000
Module End: 9B515000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: 9B550000
Module End: 9B555000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7C94000
Module End: F7C95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
Service Name: DRVNDDM
Module Base: A84ED000
Module End: A84F7000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLADResN.SYS
Service Name: DLADResN
Module Base: 9B08F000
Module End: 9B090000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAIFS_M.SYS
Service Name: DLAIFS_M
Module Base: 9AEC1000
Module End: 9AED7000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAOPIOM.SYS
Service Name: DLAOPIOM
Module Base: A2718000
Module End: A271C000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAPoolM.SYS
Service Name: DLAPoolM
Module Base: 9AF27000
Module End: 9AF29000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLABOIOM.SYS
Service Name: DLABOIOM
Module Base: 9AF85000
Module End: 9AF8C000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAUDFAM.SYS
Service Name: DLAUDFAM
Module Base: 9AEA9000
Module End: 9AEC1000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAUDF_M.SYS
Service Name: DLAUDF_M
Module Base: 9AE93000
Module End: 9AEA9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Service Name: AegisP
Module Base: A816E000
Module End: A8173000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\diginet.sys
Service Name: DigiNet
Module Base: A814E000
Module End: A8156000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Service Name: s24trans
Module Base: F5F33000
Module End: F5F37000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A4A98000
Module End: A4A9C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: 9ADEE000
Module End: 9AE1B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: 9AD89000
Module End: 9AD9E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F636E000
Module End: F637D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: 9AB01000
Module End: 9AB53000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: 9AC0F000
Module End: 9AC13000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: 9A16A000
Module End: 9A1AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: 99C89000
Module End: 99CB4000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: PAR3F15TB1:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: PAR3F15TB1:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1589
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1587
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1584
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1582
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1579
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1576
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1573
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1571
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: LOCALHOST:1567
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: PAR3F15TB1:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: PAR3F15TB1:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: PAR3F15TB1:3489
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: CLOSE_WAIT

Local Address: PAR3F15TB1:1589
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1582
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PAR3F15TB1:1120
Remote Address: LOCALHOST:1119
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1119
Remote Address: LOCALHOST:1120
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1112
Remote Address: LOCALHOST:1111
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1111
Remote Address: LOCALHOST:1112
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1033
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: PAR3F15TB1:1028
Remote Address: LOCALHOST:1027
Type: TCP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1027
Remote Address: LOCALHOST:1028
Type: TCP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:3568
Remote Address: C-76-22-34-2.HSD1.WA.COMCAST.NET:33868
Type: TCP
Process: G:\Skype.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1590
Remote Address: CHANNEL46-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1554
Remote Address: WWW-11-01-SNC2.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Flock\flock.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1052
Remote Address: SIP21.VOICE.RE2.YAHOO.COM:5050
Type: TCP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:1042
Remote Address: CS124.MSG.AC4.YAHOO.COM:5050
Type: TCP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: ESTABLISHED

Local Address: PAR3F15TB1:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PAR3F15TB1:60406
Remote Address: 0.0.0.0:0
Type: TCP
Process: G:\Skype.exe
State: LISTENING

Local Address: PAR3F15TB1:5101
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: LISTENING

Local Address: PAR3F15TB1:1932
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
State: LISTENING

Local Address: PAR3F15TB1:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PAR3F15TB1:HTTPS
Remote Address: 0.0.0.0:0
Type: TCP
Process: G:\Skype.exe
State: LISTENING

Local Address: PAR3F15TB1:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: PAR3F15TB1:HTTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: G:\Skype.exe
State: LISTENING

Local Address: PAR3F15TB1:3565
Remote Address: NA
Type: UDP
Process: G:\Skype.exe
State: NA

Local Address: PAR3F15TB1:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PAR3F15TB1:1037
Remote Address: NA
Type: UDP
Process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
State: NA

Local Address: PAR3F15TB1:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PAR3F15TB1:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PAR3F15TB1:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PAR3F15TB1:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PAR3F15TB1:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PAR3F15TB1:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PAR3F15TB1:62989
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PAR3F15TB1:60406
Remote Address: NA
Type: UDP
Process: G:\Skype.exe
State: NA

Local Address: PAR3F15TB1:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PAR3F15TB1:MS-SQL-M
Remote Address: NA
Type: UDP
Process: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
State: NA

Local Address: PAR3F15TB1:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PAR3F15TB1:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PAR3F15TB1:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PAR3F15TB1:HTTPS
Remote Address: NA
Type: UDP
Process: G:\Skype.exe
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

I think your machine is clean.

We have a couple of last steps to perform and then you're all set.

*Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

*Step 2*

Double-click *OTL.exe* to run it. (Vista users, please right click on *OTL.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose *Yes.*

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. The SysProt folder can be deleted.

-------------------------------------------------------------------------------------------------------------------

*A reminder:* Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

*Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:*

---------------------------------------------------------------------------------------------------------------------

Be sure to give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:
*ATF Cleaner*
--------------------------------------------------------------------------------------------------------------------

*Make Internet Explorer more secure*

Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.
*** *MVPS Hosts file* replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

*** Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is more secure than Internet Explorer. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from *Here*

NoScript is a good Add-on for Firefox that prevents execution of malicious scripts.

-----------------------------------------------------------------------------------------------------------------------

*Startuplite* is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

If your Microsoft Update is not working automatically, keep your operating system up to date by visiting *Microsoft Windows Update* monthly.

It is recommended that you do set Windows to check, download and install your updates automatically.

 Click *Start > Control Panel > Automatic Updates*
 Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
 Click *Apply* then *OK*. 
Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!


----------



## djtappin (Oct 26, 2009)

Hello,

Thanks for the tips, I was not aware of most of those.

My computer is running great! Nice and zippy I must say.

However, AVG is finding this infection, but states it can not be deleted as it is a critical file. >>>>>>>>>"C:\WINDOWS\system32\drivers\atapi.sys";"Trojan horse Rootkit-Pakes.U";"Object is white-listed (critical/system file that should not be removed)"

Can you tell me if this is true or not?

Thanks

Desmond J Tappin


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

Hmm... I thought we had fixed that. We replaced the bad ones... or at least I thought we had.

atapi.sys is a system file so you can't just delete it. There is an infection currently out there that does infect atapi.sys but you can also get a false positive i.e. where the anti-virus thinks it is infected but it isn't really. My thought with this one is that it is most likely a false positive particularly with the performance of your machine - usually with that infection you have all sorts of problems running your computer... further, there is a rootkit involved which didn't show with that last scan. Having said all that, let's have another look at those files and see if we missed something.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
atapi.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

*Also, show me that AVG report:*

To get the results of the latest AVG scan:

- Right click the AVG icon in your taskbar.
  - Click *Launch AVG Test Centre*
  - Click *Results*
    - Click the latest scan results
    - Click *Virus Results* (if present) or click Spyware Results (if present)
  - Click *Program*
    - Click *Export list to file*
  - Name it *AVG log.txt*
    - Save as type: *All files (*.*)* to your Desktop.
  - Exit AVG
- Open *AVG log.txt* and Copy/Paste the results in your next reply

*So when you return please post:*
SystemLook.txt
AVG scan results
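
The `:filefind` step above is a hash comparison: SystemLook lists every copy of atapi.sys on the disk with its size and MD5, and the copies held in the i386, ServicePackFiles and ReinstallBackups folders serve as reference points for the driver that is actually loaded from system32\drivers. The following script is an added example, not part of this thread or of SystemLook, showing how that comparison can be done mechanically: it parses filefind output, groups the copies by MD5 and flags any copy whose hash disagrees with the majority. The sample log lines are constructed in the filefind layout with placeholder hashes (all A's and all B's), not real digests.

```python
"""Compare the copies of a driver reported by a SystemLook ':filefind' run.

Added example (not SystemLook's own code): parse each result line, group the
copies by MD5 and report the ones that differ from the majority hash. The
SAMPLE_LOG below is constructed in filefind's layout with placeholder hashes.
"""
import re
from collections import Counter, defaultdict

# One filefind result line: <path> <6 attribute flags> <size> bytes [time] [time] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: same layout as a real filefind log, placeholder MD5 values.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--- 95360 bytes [04:09 23/04/2009] [03:59 04/08/2004] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict per result line; header, blank and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def find_outliers(entries, live_dir_marker="\\system32\\drivers\\"):
    """Group copies by MD5 and report those that disagree with the majority.

    live_differs is True when the copy under system32\\drivers (the one the
    kernel actually loads) is among the disagreeing copies.
    """
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e)
    if not by_hash:
        return {"majority_md5": None, "outliers": [], "live_differs": False}
    counts = Counter({h: len(copies) for h, copies in by_hash.items()})
    majority_md5 = counts.most_common(1)[0][0]
    outliers = [e for h, copies in by_hash.items() if h != majority_md5 for e in copies]
    live_differs = any(live_dir_marker.lower() in e["path"].lower() for e in outliers)
    return {"majority_md5": majority_md5, "outliers": outliers, "live_differs": live_differs}


def summarize(text):
    """Human-readable lines describing the comparison result for a filefind log."""
    entries = parse_filefind(text)
    result = find_outliers(entries)
    lines = [f"{len(entries)} copies parsed; majority MD5 {result['majority_md5']}"]
    for e in result["outliers"]:
        lines.append(f"DIFFERS: {e['path']} ({e['size']} bytes, MD5 {e['md5']})")
    if result["live_differs"]:
        lines.append("The loaded driver copy does not match the backup copies; verify it against a trusted reference.")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

A hash that disagrees with the backup copies is a lead, not a verdict: the loaded driver may legitimately be a later hotfix build with a different size and date, so the final call is made by checking the differing file against a trusted reference (vendor catalog or a known-good copy of that exact version), which is what the follow-up log lets the helper do.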


----------



## djtappin (Oct 26, 2009)

Hello and thanks for replying back so soon.

Below are results you requested.

Two of the infections were fixed. I actually got those yesterday when I was looking for drivers for another laptop of mine, but AVG fixed them and I deleted the temp files as well.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:49 on 02/11/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--- 95360 bytes [04:09 23/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 554DEB762F86770EF2FD7D80B4F68C0F
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

"AVG Scan ""Scheduled scan"" was finished."
"Infections";"3";"2";"1"
"Warnings";"126"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Monday, November 02, 2009, 12:00:04 PM"
"Scan finished:";"Monday, November 02, 2009, 1:49:02 PM (1 hour(s) 48 minute(s) 58 second(s))"
"Total object scanned:";"521681"
"User who launched the scan:";"SYSTEM"

"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\system32\drivers\atapi.sys";"Trojan horse Rootkit-Pakes.U";"Object is white-listed (critical/system file that should not be removed)"
"C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX02.406\keygen.exe";"Trojan horse Generic11.BCIT";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX00.297\Driver-Detective-6-4-1-3.exe";"Trojan horse PSW.Delf.DWI";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\doubleclick.net.1d39bd48";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.f1d14556";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.dd15d628";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.cef1c7af";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.6a4b36ab";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.17180eac";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\stat.dealtime.com.f58c396a";"Found Tracking cookie.Dealtime";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.f7ac007f";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\zedo.com.14a38114";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\trafficmp.com.e2e71e33";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\trafficmp.com.ae53b8b";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\smartadserver.com.3e749ab9";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.e9b51fc6";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.8642c85d";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.6b2e2a72";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pro-market.net.679dd108";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pro-market.net.2b0015e3";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pro-market.net.266912e2";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\mediaplex.com.323e9a10";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\hitbox.com.bbf2a6e8";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.a5a8b88c";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revsci.net.a5874ce1";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\revenue.net.bcf44ea1";"Found Tracking cookie.Revenue";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.9514c147";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.dc841856";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.cb8f36de";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.a2b49f1a";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock


----------



## djtappin (Oct 26, 2009)

\Browser\Profiles\uftruf1o.default\cookies.sqlite:\realmedia.com.125a868c";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\questionmarket.com.767e4302";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\fastclick.net.94ca190b";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\fastclick.net.6fd479aa";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\fastclick.net.fac3d6f0";"Found Tracking cookie.Fastclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.fb62dd4b";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\bluestreak.com.bf396750";"Found Tracking cookie.Bluestreak";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\atdmt.com.f4b86dca";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.650648e8";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.ca97f6e1";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\burstbeacon.com.c4fe2ebb";"Found Tracking cookie.Burstbeacon";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\burstnet.com.a3218a37";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.e31bc356";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.b0922707";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.ae5b0007";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\adbrite.com.44f92a69";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.87a9ab5d";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.909244a3";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.7919062b";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.7256b8c3";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.2dd7128e";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\2o7.net.1c413404";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\247realmedia.com.22701b7f";"Found Tracking cookie.247realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite:\247realmedia.com.125a868c";"Found Tracking cookie.247realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Application Data\Flock\Browser\Profiles\uftruf1o.default\cookies.sqlite";"Found Tracking cookie.Atdmt";"Potentially dangerous object"


----------



## emeraldnzl (Nov 3, 2007)

Hello djtappin,

It does look like one of those atapi.sys files has been patched.

*Let's see if we can replace it:*

Please download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*

----------------------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

----------------------------------------------------------------------------------------------------------

Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> FCopy::
> C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.
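The FCopy line above copies the Service Pack copy of atapi.sys over the active driver. What follows is an added example, not code from this thread, from ComboFix or from AVG: a Python check that hashes the active driver against the copies Windows XP keeps under ServicePackFiles\i386 and system32\dllcache, so you can see which copy differs before the replacement and confirm they agree afterwards. The Windows paths are the standard XP defaults (an assumption), and the "driver" bytes written by demo() are constructed sample data, not real driver contents.

```python
import hashlib
import os
import tempfile

# Standard Windows XP locations (assumption: default %SystemRoot% of C:\WINDOWS).
# The FCopy line in the thread copies REFERENCE_COPIES[0] over ACTIVE_DRIVER.
ACTIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
REFERENCE_COPIES = (
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",  # service pack copy used by FCopy
    r"C:\WINDOWS\system32\dllcache\atapi.sys",      # Windows File Protection cache copy
)


def sha256_of(path):
    """Hash a file in 64 KiB chunks; returns None if the file is absent."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver(active, references):
    """Compare the active driver with each reference copy.

    Hashes are compared rather than sizes, because an in-place patch can
    leave the file size unchanged. Returns a dict with the active hash and
    size, each reference hash (None when absent), the list of references
    whose hash equals the active one, and a verdict of 'match',
    'mismatch' or 'no-reference' (nothing usable to compare against).
    """
    active_hash = sha256_of(active)
    active_size = os.path.getsize(active) if active_hash else None
    reference_hashes = {path: sha256_of(path) for path in references}
    present = {p: h for p, h in reference_hashes.items() if h is not None}
    matches = [p for p, h in present.items() if h == active_hash]
    if active_hash is None or not present:
        verdict = "no-reference"
    elif matches:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {
        "active_sha256": active_hash,
        "active_size": active_size,
        "references": reference_hashes,
        "matches": matches,
        "verdict": verdict,
    }


def demo(patched=True):
    """Run the comparison on a constructed layout in a temporary directory.

    The driver bytes are made up. With patched=True the active copy differs
    from the two reference copies by four bytes at the same size, mimicking
    an in-place patch; a third reference path is deliberately absent.
    """
    clean = bytes(range(256)) * 16                     # 4096 constructed bytes
    active_bytes = bytearray(clean)
    if patched:
        active_bytes[1024:1028] = b"\xff\xfe\xfd\xfc"  # same size, different content
    with tempfile.TemporaryDirectory() as tmp:
        active = os.path.join(tmp, "drivers", "atapi.sys")
        references = [
            os.path.join(tmp, "ServicePackFiles", "atapi.sys"),
            os.path.join(tmp, "dllcache", "atapi.sys"),
            os.path.join(tmp, "missing", "atapi.sys"),  # never written
        ]
        for path, data in ((active, bytes(active_bytes)),
                           (references[0], clean),
                           (references[1], clean)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return compare_driver(active, references)


if __name__ == "__main__":
    # On the XP machine itself: compare_driver(ACTIVE_DRIVER, REFERENCE_COPIES).
    # Here the constructed layout is used so the script runs anywhere.
    result = demo()
    print(result["verdict"], "matching references:", len(result["matches"]))
```

Two caveats on reading the result. A "match" only says the copies are byte-identical, not that either one is clean; verifying the driver's Authenticode signature is the stronger check. And a kernel-mode rootkit that is still active can answer user-mode file reads with clean bytes, so hashes taken from the running system are only trustworthy when collected from a clean boot or an offline mount. The ComboFix log the user posts next shows the FCopy line executing, which is the moment this comparison should flip from "mismatch" to "match".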


----------



## djtappin (Oct 26, 2009)

Hello, here is the log below.

ComboFix 09-11-01.04 - Administrator 11/02/2009 17:41.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.365 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-10-26 14:50 . 2009-10-26 14:50 4011 ----a-w- c:\windows\unins000.dat
2009-10-26 14:50 . 2009-10-26 14:49 667914 ----a-w- c:\windows\unins000.exe
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Flock
2009-10-23 00:35 . 2009-10-23 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Flock
2009-10-23 00:35 . 2009-11-02 21:31 -------- d-----w- c:\program files\Flock
2009-10-21 18:14 . 2009-10-21 18:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-20 23:57 . 2009-10-21 00:10 -------- d-----w- c:\program files\Registry Easy
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics
2009-10-20 19:25 . 2009-10-20 19:25 -------- d-----w- c:\program files\Auslogics
2009-10-12 22:10 . 2009-10-30 03:28 -------- d-----w- c:\program files\The Logo Creator v5
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 20:53 . 2009-10-28 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 20:53 . 2009-10-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 20:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 06:07 . 2009-10-12 06:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-12 06:06 . 2009-11-02 17:12 -------- d-----w- C:\$AVG8.VAULT$
2009-10-12 06:04 . 2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 06:04 . 2009-10-12 06:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 06:04 . 2009-10-12 06:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 06:04 . 2009-10-12 06:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 06:03 . 2009-11-02 14:45 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-12 06:03 . 2009-10-12 06:03 -------- d-----w- c:\program files\AVG
2009-10-12 06:03 . 2009-10-12 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-12 05:57 . 2009-10-12 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2009-10-11 19:53 . 2009-10-11 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-10-11 19:51 . 2009-10-11 19:51 -------- d-----w- c:\program files\Screaming Bee
2009-10-11 02:27 . 2009-10-11 04:31 -------- d-----w- c:\program files\IEHelper.dll Removal Tool
2009-10-09 19:14 . 2009-10-12 21:34 -------- d-----w- c:\program files\pahimw
2009-10-07 22:24 . 2009-10-07 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 22:13 . 2009-04-03 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-11-02 15:18 . 2006-12-19 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-30 14:58 . 2009-08-09 02:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-10-30 14:58 . 2009-10-30 14:58 -------- d-----w- c:\program files\Common Files\Skype
2009-10-30 14:57 . 2009-04-03 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-28 22:10 . 2009-01-03 19:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 22:07 . 2009-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-28 01:28 . 2006-11-02 21:56 -------- d-----w- c:\program files\DGAGENT
2009-10-24 06:18 . 2006-10-18 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-10-23 04:01 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-22 15:38 . 2006-12-19 01:43 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 18:17 . 2009-02-22 19:04 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:15 . 2007-09-28 01:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 04:36 . 2009-08-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 04:33 . 2009-08-11 22:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 00:03 . 2009-08-11 22:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-12 05:52 . 2007-02-05 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 05:49 . 2007-02-05 20:23 -------- d-----w- c:\program files\Symantec
2009-10-11 21:43 . 2009-08-05 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-21 19:18 . 2009-09-21 19:18 -------- d-----w- c:\program files\HSHSetup Utility
2009-09-21 19:08 . 2007-09-26 13:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-20 06:35 . 2009-09-20 06:11 -------- d-----w- c:\program files\DivX
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\program files\iTunes
2009-09-18 06:23 . 2009-09-18 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 06:22 . 2009-09-18 06:22 -------- d-----w- c:\program files\iPod
2009-09-15 03:58 . 2006-09-18 16:52 -------- d-----w- c:\program files\Java
2009-09-15 03:52 . 2009-09-15 00:03 266 ----a-w- C:\CCAMigration.bat
2009-09-14 23:27 . 2009-09-14 23:27 -------- d-----w- c:\program files\PowerHost
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 01:38 . 2009-09-09 01:38 -------- d-----w- c:\program files\Arise
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-02-08 19:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 05:30 . 2009-08-28 05:31 724992 ----a-w- c:\windows\iun6002.exe
2009-08-27 21:11 . 2009-08-14 17:40 9264 ----a-w- c:\windows\system32\msqtvcap.dat
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-09 02:00 . 2009-08-09 02:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-21 17:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-09-21 17:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 13:24 . 2009-08-05 13:23 18015723 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2006-08-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 06:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGAPIMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGBUSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGFSMon.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRoot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGRule.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DGService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Administrator\\CCA8.0\\winvnc.exe"=
"g:\\Phone\\Skype.exe"=
"g:\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"g:\\Skype.exe"=

R0 DGRoot;DGRoot;c:\windows\system32\drivers\DGRoot.sys [9/6/2006 9:48 PM 72960]
R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [4/27/2005 12:46 PM 11456]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\ephdxlat.sys [5/15/2006 5:15 PM 90016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 1:04 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 1:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/12/2009 1:03 AM 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/27/2009 11:47 PM 16400]
R2 EphdXlatService;EphdXlatService;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\DISrv.exe [8/2/2006 3:46 PM 192512]
R2 MSSQL$VPINSTANCE;SQL Server (VPINSTANCE);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 4:51 AM 28768528]
R2 PCG Protect;PCG Protect;c:\program files\GuardianEdge Technologies\EP Hard Disk\User\PCGProt.exe [8/2/2006 3:47 PM 61440]
S2 DGService;Usage History Monitor;c:\program files\DGAGENT\DGService.exe [9/6/2006 9:43 PM 65536]
S3 DGAPIMon;DGAPIMon;c:\windows\system32\drivers\DGAPIMon.sys [9/6/2006 9:44 PM 69248]
S3 DGBusMon;DGBusMon;c:\windows\system32\drivers\DGBUSMon.sys [9/6/2006 9:44 PM 22016]
S3 DGFSMon;DGFSMon;c:\windows\system32\drivers\DGFSMon.sys [9/6/2006 9:44 PM 44800]
S3 DGRule;DGRule;c:\windows\system32\drivers\DGRule.sys [9/6/2006 9:43 PM 63488]
S3 DGTDIMon;DGTDIMon;c:\windows\system32\drivers\DGTDIMon.sys [9/6/2006 9:44 PM 106880]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [3/13/2008 10:16 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [3/13/2008 10:16 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [3/13/2008 10:16 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [3/13/2008 10:16 PM 5888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys --> c:\windows\system32\DRIVERS\pwi_bus.sys [?]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys --> c:\windows\system32\DRIVERS\pwi_mdfl.sys [?]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys --> c:\windows\system32\DRIVERS\pwi_mdm.sys [?]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys --> c:\windows\system32\DRIVERS\pwi_oflt.sys [?]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys --> c:\windows\system32\DRIVERS\pwi_serd.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 12:19 PM 23064]

--- Other Services/Drivers In Memory ---

*Deregistered* - ephdlink
*Deregistered* - mbr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5ef4916-8984-11dd-95cc-0015c5ae1fba}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-11-02 c:\windows\Tasks\User_Feed_Synchronization-{A0D8ADA2-222F-44FA-A9F6-F1DF13D80536}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2312)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-02 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 22:56

Pre-Run: 10,079,780,864 bytes free
Post-Run: 10,128,179,200 bytes free

- - End Of File - - B8C008DC6839E1833E96AECCB1BB3DC0


----------



## emeraldnzl (Nov 3, 2007)

Looks ok, now let's just check to make sure.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
atapi.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## djtappin (Oct 26, 2009)

Hello here is the requested log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:51 on 02/11/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 95360 bytes [04:09 23/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
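An added example, not part of the thread and not SystemLook's own code: a small parser for the filefind lines above that checks the live atapi.sys in system32\drivers against the pristine copies Windows keeps (dllcache, ServicePackFiles\i386, the i386 install source) and flags any copy whose MD5 disagrees with the majority, which is the comparison the helper makes by eye here. One caveat: a kernel rootkit that patches the on-disk driver can also hide that patch from user-mode tools while it is running, so the comparison is trustworthy only after cleanup or when taken from offline media. The reference-directory list, the majority-vote baseline and the "infected" log variant are assumptions made for the example.

```python
"""Consistency check over SystemLook ':filefind' output for a boot driver."""
import re
from collections import Counter

# One filefind result line: path, six attribute flags, size, two bracketed
# timestamps (modified, created) and the MD5 of the file.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Assumed set of places Windows XP keeps pristine copies of a driver (lower-cased
# path fragments): the file-protection cache, the service-pack store and the
# i386 install source. $NtServicePackUninstall$ is deliberately left out: it
# holds the pre-service-pack build, which may legitimately differ.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\", "\\i386\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Return one dict per result line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def check_driver(text):
    """Compare the live driver in system32\\drivers with the protected copies.

    The majority MD5 of the reference copies is taken as the baseline; the live
    copy and any reference copy that disagrees with it are reported as suspect.
    """
    entries = parse_filefind(text)
    refs = [e for e in entries if any(d in e["path"].lower() for d in REFERENCE_DIRS)]
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    if not refs:
        raise ValueError("no reference copies found; cannot establish a baseline")
    consensus = Counter(e["md5"] for e in refs).most_common(1)[0][0]
    suspect = [e["path"] for e in refs + live if e["md5"] != consensus]
    return {
        "consensus_md5": consensus,
        "live_md5": live[0]["md5"] if live else None,
        "suspect": suspect,
    }


# The six lines from the SystemLook log posted above (all copies agree).
CLEAN_LOG = r"""
C:\i386\atapi.sys --a--c 95360 bytes [16:28 24/10/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:10 25/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 95360 bytes [04:09 23/04/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:41 18/09/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# Constructed variant: the live copy carries a placeholder MD5 that differs
# from the protected copies, the pattern a patched on-disk driver would show.
INFECTED_LOG = CLEAN_LOG.replace(
    r"C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [03:59 04/08/2004]"
    " [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51",
    r"C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [03:59 04/08/2004]"
    " [03:59 04/08/2004] 00000000000000000000000000000000",
)

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("constructed infected", INFECTED_LOG)):
        result = check_driver(log)
        print(name, "->", result["suspect"] or "all copies agree")
```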


----------



## emeraldnzl (Nov 3, 2007)

That looks good.

Try your AVG scan now.

After that come back and tell me the results.


----------



## djtappin (Oct 26, 2009)

Hello,

I scanned the Windows folder only, and it found the infection and healed it or placed it in the virus vault. 

Please look and tell me what you think.

"Scan ""Scan specific files or folders"" was finished."
"Infections";"1";"1";"0"
"Folders selected for scanning:";"C:\;C:\WINDOWS;G:\;"
"Scan started:";"Monday, November 02, 2009, 7:23:26 PM"
"Scan finished:";"Monday, November 02, 2009, 8:47:32 PM (1 hour(s) 24 minute(s) 6 second(s))"
"Total object scanned:";"362791"
"User who launched the scan:";"Administrator"

"Infections"
"File";"Infection";"Result"
"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP498\A0080714.sys";"Trojan horse Rootkit-Pakes.U";"Moved to Virus Vault"


----------



## emeraldnzl (Nov 3, 2007)

That is an old infection in System Restore.

It would not have harmed your computer unless you had carried out System Restore.

I am intrigued though because that should have been removed when you ran combofix /u. I take it you did that?

If you did, it must have come since, which makes me think we should run another scan to see if there is anything else regenerated.

Let me know.


----------



## djtappin (Oct 26, 2009)

Yes, I ran ComboFix every time you told me to.


----------



## emeraldnzl (Nov 3, 2007)

Okay then.

Let's do this:

It is a pretty big download at 28MB but is very useful at detecting/cleaning rootkits or whatever it finds.

Please click *here* to download AVP Tool by Kaspersky.

Save it to your desktop. 
Reboot your computer into SafeMode.
_You can do this by restarting your computer and continually tapping the *F8* key until a menu appears.
Use your up arrow key to highlight SafeMode then hit *enter*._
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder. Click Next.
Hit OK at the prompt for scanning in Safe Mode.
It will then open a box. There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked:

- System Memory
- Startup Objects
- Disk Boot Sectors
- My Computer
- Any other drives (removable) that you may have

After that click on *Security level* then choose *Customize* then click on the tab that says *Heuristic Analyzer* then choose *Enable Deep rootkit search* then choose *ok*.
Then choose OK again then you are back to the main screen.


Then click on Scan at the top right-hand corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all.
If it says it cannot be Neutralized then choose the Delete option when prompted.
After that is done click on the Reports button at the bottom and save it to file, name it *Kas*.
Save it somewhere convenient like your desktop and post only the detected virus/malware in the report; it will be at the very top under *Detected*. Post those results in your next reply.

*Note: This tool will self uninstall when you close it so please save the log before closing it.*


----------



## djtappin (Oct 26, 2009)

WOW! That's a really good program. It took almost 9 hours to scan.

Below is the report.

Detected
--------
Status Object
------ ------
disinfected: Trojan program Rootkit.Win32.TDSS.u File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir


----------



## djtappin (Oct 26, 2009)

Hello,

That last program worked. AVG did not detect it as a virus today. So the last program disinfected the root.

Below is the result of the AVG scan.

"Scan ""Scheduled scan"" was finished."
"Warnings";"24"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, November 03, 2009, 12:00:06 PM"
"Scan finished:";"Tuesday, November 03, 2009, 1:32:30 PM (1 hour(s) 32 minute(s) 23 second(s))"
"Total object scanned:";"519182"
"User who launched the scan:";"SYSTEM"



----------



## emeraldnzl (Nov 3, 2007)

That one Kaspersky AVG found was in ComboFix quarantine. Another one that should have been removed at cleanup. I am suspicious that that didn't work properly.

In any event you are all done and dusted now.

regards
emeraldnzl


----------



## djtappin (Oct 26, 2009)

Yep, it's all done now! I'll mark this one as solved!

Thanks a lot for your support! 

Desmond J Tappin


----------



## emeraldnzl (Nov 3, 2007)

You're welcome


----------

