PLEASE HELP SEARCH ENGINE REDIRECTION VIRUS SO ANNOYING CANT FIX


24 replies to this topic

#1 Cheek Devil

Cheek Devil

  • Members
  • 13 posts

Posted 27 January 2010 - 04:12 PM

Hi All
I hope everybody is good. I can see some people on here have had the same problem as me. I HAVE TRIED TO FIX IT MYSELF WITHOUT ANY LUCK...
CAN SOMEBODY PLEASE HELP??

Every time I do a search in Google and click on a search result I am redirected to another webpage, usually another unknown search engine or something weird like that.

I have done a scan on Norton, no luck. I downloaded Avast, did a full pre-boot and full system scan, NO LUCK. Tried Malwarebytes Anti-Malware, NO LUCK, JUST COOKIES. Tried Ad-Aware Anti Malware, I couldn't get the full scan to work. Tried Spybot Search and Destroy, guess what, NO LUCK.

I'm dying here, please help.......

Oh, also tried IObit Security 360 and you guessed it, nooo luuckkk

Plus, to add to the story, I can't boot up in safe mode, and while I was waiting for a response I tried to use ComboFix but I couldn't run that either, and I did switch off all my anti-virus first, but ComboFix just stalled. So things are not looking good; I can't use my computer at all.

DDS (Ver_09-12-01.01) - NTFSx86
Run by adam at 2:12:49.00 on Thu 01/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2824 [GMT 0:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\adam\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080926
uSearch Bar =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225912207480
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259069111140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adam\applic~1\mozilla\firefox\profiles\llav9aqm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-27 162640]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/16 17:24:49];c:\program files\cyberlink\powerdvd9\000.fcl [2009-9-1 87536]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-10 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-12-10 2177464]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100122.025\NAVENG.SYS [2010-1-23 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100122.025\NAVEX15.SYS [2010-1-23 1323568]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-12-10 23888]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-01-28 01:42:40 0 d-s---w- C:\Tiger
2010-01-27 19:44:34 0 d-----w- c:\documents and settings\adam\SecurityScans
2010-01-27 03:26:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-26 17:52:37 0 d-----w- c:\program files\Lavasoft
2010-01-26 15:36:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-26 13:26:42 0 d-----w- c:\docume~1\adam\applic~1\Malwarebytes
2010-01-26 13:26:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 11:53:11 3251 ----a-w- c:\windows\system32\wbem\Outlook_01ca9e7e22460504.mof
2010-01-25 17:48:44 0 d-----w- c:\program files\VS Revo Group
2010-01-25 17:35:07 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-25 15:35:45 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-01-25 15:31:14 0 d-----w- c:\docume~1\adam\applic~1\IObit
2010-01-25 15:31:13 0 d-----w- c:\program files\IObit
2010-01-24 22:13:41 0 d-----w- c:\docume~1\adam\applic~1\Windows Search
2010-01-20 02:47:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 17:24:38 0 d-----w- c:\program files\common files\CyberLink
2010-01-16 17:23:00 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-16 17:16:29 0 d-----w- c:\windows\system32\custom matrices
2010-01-16 17:16:22 0 d-----w- c:\windows\system32\QuickTime
2010-01-16 17:16:22 0 d-----w- c:\windows\system32\C2MP
2010-01-16 16:57:52 0 d-----w- C:\DECCHECK
2010-01-15 16:44:35 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-15 16:44:35 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-15 16:44:35 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-15 16:44:34 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-15 16:24:53 0 d-----w- c:\program files\Photo Story 3 for Windows
2010-01-15 16:14:30 0 d-----w- c:\program files\PhotoScape
2010-01-15 15:49:44 0 d-----w- c:\program files\IrfanView
2010-01-15 15:01:01 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-15 14:50:35 0 d-sh--w- c:\documents and settings\adam\IECompatCache
2010-01-15 14:49:45 0 d-sh--w- c:\documents and settings\adam\PrivacIE
2010-01-12 20:12:36 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-01 00:00:00 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-01 00:00:00 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-14 18:37:08 154112 ----a-w- c:\windows\system32\ts.dll
2009-11-14 18:33:40 357888 ----a-w- c:\windows\system32\gdsmux.exe
2009-11-14 18:33:38 249856 ----a-w- c:\windows\system32\dxr.dll
2009-11-14 18:11:50 93184 ----a-w- c:\windows\system32\avss.dll
2009-11-14 18:11:42 150016 ----a-w- c:\windows\system32\mkx.dll
2009-11-14 18:11:42 141824 ----a-w- c:\windows\system32\mp4.dll
2009-11-14 18:11:40 123392 ----a-w- c:\windows\system32\ogm.dll
2009-11-14 18:11:40 109568 ----a-w- c:\windows\system32\avi.dll
2009-11-14 18:11:38 97792 ----a-w- c:\windows\system32\avs.dll
2009-11-14 18:11:36 136704 ----a-w- c:\windows\system32\mkv2vfr.exe
2009-11-14 18:11:36 113152 ----a-w- c:\windows\system32\dsmux.exe
2009-11-14 18:11:32 80384 ----a-w- c:\windows\system32\mkzlib.dll
2009-11-14 18:11:32 24576 ----a-w- c:\windows\system32\mkunicode.dll

============= FINISH: 2:13:44.23 ===============

Edited by Cheek Devil, 28 January 2010 - 10:59 AM.


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 28 January 2010 - 04:09 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 28 January 2010 - 08:05 PM

Hi Grinler
Thanks for the reply and help.
I looked at and followed those instructions before you posted the reply,
but I decided to try again. I went through step by step about 10 times but ComboFix keeps stalling my computer.

I also tried different ways around it to see if they work, like changing the name of combofix.exe when downloading as I saw in some posts, restarting my PC, turning my internet connection off, etc. etc., but no luck. I can't seem to get ComboFix to work.
I did on one occasion get it to start and it suggested there was an updated version of ComboFix and did I want to install it; I clicked yes.
It downloaded the update and tried to start, then it stalled my PC again. That's as close as I have got.

I even clicked on the executable file and I get the Windows Open File Security Warning. I click yes and left it for 15 mins but no luck, my computer was stalled again.
I can't seem to use that program. I can use any other anti-malware program except ComboFix and Ad-Aware Anti Malware; as I posted above, they just won't start.

PLEASE HELP I'M DYING !!

Edited by Cheek Devil, 28 January 2010 - 08:26 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 28 January 2010 - 08:30 PM

Download a fresh copy and rename it to combofix.pif and try again.

#5 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 05 February 2010 - 06:58 AM

Hi Grinler
Sorry for the delay, I was in hospital, all ok now.
Guess what, it worked

Here is the log from ComboFix.
What's next?? Because the problem is still there?

ComboFix 10-02-04.06 - adam 02/05/2010 10:47:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2938 [GMT 0:00]
Running from: c:\documents and settings\adam\Desktop\ComboFix.pif
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STacSV
-------\Service_STacSV


((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 07:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 07:39 . 2010-02-05 07:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 07:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-29 00:41 . 2010-01-29 00:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-28 22:30 . 2010-01-28 22:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-28 02:17 . 2010-01-28 02:17 0 ----a-w- c:\documents and settings\adam\settings.dat
2010-01-28 01:42 . 2010-02-05 08:32 -------- d-----w- C:\Tiger
2010-01-27 19:44 . 2010-01-27 19:44 -------- d-----w- c:\documents and settings\adam\SecurityScans
2010-01-27 03:26 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-27 03:26 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-27 03:26 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-27 03:26 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-27 03:26 . 2010-01-19 11:43 100304 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-27 03:26 . 2010-01-19 11:43 94672 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-27 03:26 . 2010-01-19 11:42 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-27 03:26 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-27 03:26 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-27 03:26 . 2010-01-27 03:26 -------- d-----w- c:\program files\Alwil Software
2010-01-27 03:26 . 2010-01-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-26 17:52 . 2010-01-26 18:44 -------- d-----w- c:\program files\Lavasoft
2010-01-26 15:36 . 2010-01-26 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-26 15:19 . 2010-01-26 15:19 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Apple
2010-01-26 13:26 . 2010-01-26 13:26 -------- d-----w- c:\documents and settings\adam\Application Data\Malwarebytes
2010-01-26 13:26 . 2010-01-26 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 12:37 . 2010-01-26 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-25 17:48 . 2010-01-25 17:48 -------- d-----w- c:\program files\VS Revo Group
2010-01-25 17:35 . 2010-01-25 17:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-25 15:35 . 2010-01-25 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-01-25 15:31 . 2010-01-25 15:31 -------- d-----w- c:\documents and settings\adam\Application Data\IObit
2010-01-25 15:31 . 2010-01-25 15:35 -------- d-----w- c:\program files\IObit
2010-01-24 22:41 . 2010-01-24 22:41 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Yahoo!
2010-01-24 22:13 . 2010-01-24 22:13 -------- d-----w- c:\documents and settings\adam\Application Data\Windows Search
2010-01-23 01:49 . 2010-01-23 01:49 -------- d-----w- c:\documents and settings\adam\Application Data\Apple Computer
2010-01-23 01:31 . 2010-01-23 01:31 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Apple Computer
2010-01-20 02:47 . 2010-01-20 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 17:27 . 2010-01-23 17:33 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Cyberlink
2010-01-16 17:24 . 2010-01-16 17:24 -------- d-----w- c:\program files\Common Files\CyberLink
2010-01-16 17:23 . 2010-01-16 17:22 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-16 17:22 . 2010-01-16 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-01-16 17:22 . 2010-01-16 17:22 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-01-16 17:16 . 2010-01-16 17:16 -------- d-----w- c:\windows\system32\custom matrices
2010-01-16 17:16 . 2010-01-16 17:16 -------- d-----w- c:\windows\system32\C2MP
2010-01-16 17:16 . 2010-01-16 17:16 -------- d-----w- c:\windows\system32\QuickTime
2010-01-16 16:57 . 2010-01-16 16:57 -------- d-----w- C:\DECCHECK
2010-01-15 18:00 . 2010-01-15 18:00 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Western Digital
2010-01-15 16:44 . 2008-04-13 13:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-15 16:44 . 2008-04-13 13:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-15 16:44 . 2001-08-17 22:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-15 16:44 . 2008-04-13 19:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-15 16:42 . 2010-01-15 16:42 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Adobe
2010-01-15 16:24 . 2010-01-15 16:24 -------- d-----w- c:\program files\Photo Story 3 for Windows
2010-01-15 16:14 . 2010-01-15 16:19 -------- d-----w- c:\program files\PhotoScape
2010-01-15 15:49 . 2010-01-15 15:49 -------- d-----w- c:\program files\IrfanView
2010-01-15 15:30 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\adam\Application Data\CyberLink
2010-01-15 15:01 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-15 14:53 . 2010-01-15 14:53 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Mozilla
2010-01-15 14:50 . 2010-01-15 14:50 -------- d-sh--w- c:\documents and settings\adam\IECompatCache
2010-01-15 14:49 . 2010-01-15 14:49 -------- d-sh--w- c:\documents and settings\adam\PrivacIE
2010-01-12 20:12 . 2010-01-12 20:12 85504 ----a-w- c:\windows\system32\ff_vfw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 10:58 . 2009-11-30 15:15 0 ----a-w- c:\documents and settings\adam\Local Settings\Application Data\WavXMapDrive.bat
2010-01-28 22:30 . 2008-09-26 21:19 -------- d-----w- c:\program files\Google
2010-01-25 21:37 . 2008-09-26 21:01 -------- d-----w- c:\program files\Dell
2010-01-21 21:37 . 2009-02-11 20:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 17:27 . 2009-02-18 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-16 17:24 . 2008-09-26 21:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 17:23 . 2008-09-26 21:20 -------- d-----w- c:\program files\CyberLink
2010-01-16 13:17 . 2008-11-05 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 17:06 . 2008-11-05 23:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-01 00:00 . 2010-01-01 00:00 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-01 00:00 . 2010-01-01 00:00 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-30 15:08 . 2009-11-24 16:35 0 ----a-w- c:\documents and settings\Agent\Local Settings\Application Data\WavXMapDrive.bat
2009-11-30 14:54 . 2008-11-05 20:22 0 ----a-w- c:\documents and settings\AP.HQ\Local Settings\Application Data\WavXMapDrive.bat
2009-11-24 13:43 . 2009-11-24 13:43 152576 ----a-w- c:\documents and settings\AP.HQ\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 13:43 . 2009-11-24 13:29 79488 ----a-w- c:\documents and settings\AP.HQ\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 18:37 . 2009-11-14 18:37 154112 ----a-w- c:\windows\system32\ts.dll
2009-11-14 18:33 . 2009-11-14 18:33 357888 ----a-w- c:\windows\system32\gdsmux.exe
2009-11-14 18:33 . 2009-11-14 18:33 249856 ----a-w- c:\windows\system32\dxr.dll
2009-11-14 18:11 . 2009-11-14 18:11 93184 ----a-w- c:\windows\system32\avss.dll
2009-11-14 18:11 . 2009-11-14 18:11 150016 ----a-w- c:\windows\system32\mkx.dll
2009-11-14 18:11 . 2009-11-14 18:11 141824 ----a-w- c:\windows\system32\mp4.dll
2009-11-14 18:11 . 2009-11-14 18:11 123392 ----a-w- c:\windows\system32\ogm.dll
2009-11-14 18:11 . 2009-11-14 18:11 109568 ----a-w- c:\windows\system32\avi.dll
2009-11-14 18:11 . 2009-11-14 18:11 97792 ----a-w- c:\windows\system32\avs.dll
2009-11-14 18:11 . 2009-11-14 18:11 136704 ----a-w- c:\windows\system32\mkv2vfr.exe
2009-11-14 18:11 . 2009-11-14 18:11 113152 ----a-w- c:\windows\system32\dsmux.exe
2009-11-14 18:11 . 2009-11-14 18:11 80384 ----a-w- c:\windows\system32\mkzlib.dll
2009-11-14 18:11 . 2009-11-14 18:11 24576 ----a-w- c:\windows\system32\mkunicode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-26 29744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-12-10 115560]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-26 50688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/27/2010 3:26 AM 162640]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/16 17:24];c:\program files\CyberLink\PowerDVD9\000.fcl [9/1/2009 4:59 PM 87536]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 7:21 PM 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/27/2010 3:26 AM 19024]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 10:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 5:32 PM 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:11 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 10:30 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/10/2007 5:05 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:30]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\adam\Application Data\Mozilla\Firefox\Profiles\llav9aqm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8B10C8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef6b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dffbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e0ca21
SendHandler -> NDIS.sys @ 0xb9dea87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1324)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-02-05 11:03:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-05 11:03

Pre-Run: 136,446,644,224 bytes free
Post-Run: 137,271,451,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 282D87E09DE51AA4A3C7C9F9D0332129

Edited by Cheek Devil, 05 February 2010 - 10:15 AM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts

Posted 05 February 2010 - 03:33 PM

Sorry about the hospital. Hope everything is all right.

Please disable CD Emulation programs using DeFogger using the following steps:
  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
Then,

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Run ComboFix again and post the combofix.log and the ark.txt log as a reply to this topic.

#7 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 06 February 2010 - 11:25 AM

Hi
I did everything you advised but got an error while I was doing the GMER Rootkit Scanner.
I got a full blue screen and this is the error I got:

"STOP: c000021a {Fatal System Error}
The windows subsystem system process terminated unexpectedly with a status of 0x
c0000005 (0x6f0256f6 0x0053fb80).
The system has been shut down."

I tried the scan twice but got the same error message both times. This doesn't sound good, does it??

Edited by Cheek Devil, 06 February 2010 - 11:25 AM.


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts

Posted 06 February 2010 - 03:22 PM

Did you run defogger to disable the CD emulation programs? If not, please do so.

Then post another combofix log please.

#9 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 06 February 2010 - 04:53 PM

I did run the DeFogger.
I tried it again twice and still get the same error.
The only time the GMER Rootkit Scanner works is if I uncheck the Systemdrive (typically C:\).
I don't have any partition so this is the only drive.

what do you think??


#10 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 11 February 2010 - 10:25 AM

CAN ANYBODY PLEASE HELP ME WITH MY PROBLEM?????

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts

Posted 11 February 2010 - 11:22 AM

Sorry for the delay, but I did not get the original notification.

First, it appears you have both Symantec and Avast installed. It is typically not wise to have two antivirus programs installed and active at the same time as they can cause conflicts and general system slowdown. So please uninstall either Symantec or Avast. I use Avast if that is any help with deciding.

Then, I want you to download a fresh copy of combofix from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

and save it to your desktop. Then run it and post a new ComboFix log.

Thanks

#12 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 11 February 2010 - 11:09 PM

ComboFix 10-02-11.04 - adam 02/12/2010 3:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2913 [GMT 0:00]
Running from: c:\documents and settings\adam\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 03:49 . 2010-02-12 03:49 -------- d-----w- c:\windows\LastGood
2010-02-05 19:17 . 2010-02-05 19:17 -------- d-----w- c:\windows\Internet Logs
2010-02-05 19:16 . 2008-03-29 17:36 106768 ----a-w- c:\windows\system32\dneinobj.dll
2010-02-05 19:16 . 2008-03-29 17:36 125328 ----a-w- c:\windows\system32\drivers\dne2000.sys
2010-02-05 19:16 . 2010-02-05 19:16 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-02-05 19:16 . 2010-02-05 19:16 -------- d-----w- c:\program files\Cisco Systems
2010-02-05 07:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 07:39 . 2010-02-05 07:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 07:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-29 00:41 . 2010-01-29 00:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-28 22:30 . 2010-01-28 22:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-28 02:17 . 2010-01-28 02:17 0 ----a-w- c:\documents and settings\adam\settings.dat
2010-01-28 01:42 . 2010-02-05 08:32 -------- d-----w- C:\Tiger
2010-01-27 19:44 . 2010-01-27 19:44 -------- d-----w- c:\documents and settings\adam\SecurityScans
2010-01-27 03:26 . 2010-02-05 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-27 03:26 . 2010-01-27 03:26 -------- d-----w- c:\program files\Alwil Software
2010-01-26 15:36 . 2010-01-26 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-26 15:19 . 2010-01-26 15:19 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Apple
2010-01-26 13:26 . 2010-01-26 13:26 -------- d-----w- c:\documents and settings\adam\Application Data\Malwarebytes
2010-01-26 13:26 . 2010-01-26 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 12:37 . 2010-02-05 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-25 17:48 . 2010-01-25 17:48 -------- d-----w- c:\program files\VS Revo Group
2010-01-25 17:35 . 2010-01-25 17:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-25 15:35 . 2010-01-25 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-01-25 15:31 . 2010-01-25 15:31 -------- d-----w- c:\documents and settings\adam\Application Data\IObit
2010-01-25 15:31 . 2010-01-25 15:35 -------- d-----w- c:\program files\IObit
2010-01-24 22:41 . 2010-01-24 22:41 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Yahoo!
2010-01-24 22:13 . 2010-01-24 22:13 -------- d-----w- c:\documents and settings\adam\Application Data\Windows Search
2010-01-23 01:49 . 2010-01-23 01:49 -------- d-----w- c:\documents and settings\adam\Application Data\Apple Computer
2010-01-23 01:31 . 2010-01-23 01:31 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Apple Computer
2010-01-20 02:47 . 2010-01-20 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 17:27 . 2010-01-23 17:33 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Cyberlink
2010-01-16 17:24 . 2010-01-16 17:24 -------- d-----w- c:\program files\Common Files\CyberLink
2010-01-16 17:23 . 2010-01-16 17:22 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-16 17:22 . 2010-01-16 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-01-16 17:22 . 2010-01-16 17:22 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-01-16 17:16 . 2010-01-16 17:16 -------- d-----w- c:\windows\system32\QuickTime
2010-01-16 16:57 . 2010-01-16 16:57 -------- d-----w- C:\DECCHECK
2010-01-15 18:00 . 2010-01-15 18:00 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Western Digital
2010-01-15 16:44 . 2008-04-13 13:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-15 16:44 . 2008-04-13 13:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-15 16:44 . 2001-08-17 22:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-15 16:44 . 2008-04-13 19:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-15 16:42 . 2010-01-15 16:42 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Adobe
2010-01-15 16:24 . 2010-01-15 16:24 -------- d-----w- c:\program files\Photo Story 3 for Windows
2010-01-15 16:14 . 2010-01-15 16:19 -------- d-----w- c:\program files\PhotoScape
2010-01-15 15:49 . 2010-01-15 15:49 -------- d-----w- c:\program files\IrfanView
2010-01-15 15:30 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\adam\Application Data\CyberLink
2010-01-15 15:01 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-15 14:53 . 2010-01-15 14:53 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Mozilla
2010-01-15 14:50 . 2010-01-15 14:50 -------- d-sh--w- c:\documents and settings\adam\IECompatCache
2010-01-15 14:49 . 2010-01-15 14:49 -------- d-sh--w- c:\documents and settings\adam\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 03:47 . 2009-11-30 15:15 0 ----a-w- c:\documents and settings\adam\Local Settings\Application Data\WavXMapDrive.bat
2010-01-28 22:30 . 2008-09-26 21:19 -------- d-----w- c:\program files\Google
2010-01-25 21:37 . 2008-09-26 21:01 -------- d-----w- c:\program files\Dell
2010-01-21 21:37 . 2009-02-11 20:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 17:27 . 2009-02-18 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-16 17:24 . 2008-09-26 21:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 17:23 . 2008-09-26 21:20 -------- d-----w- c:\program files\CyberLink
2010-01-16 13:17 . 2008-11-05 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 17:06 . 2008-11-05 23:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 19:14 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-11-30 15:08 . 2009-11-24 16:35 0 ----a-w- c:\documents and settings\Agent\Local Settings\Application Data\WavXMapDrive.bat
2009-11-30 14:54 . 2008-11-05 20:22 0 ----a-w- c:\documents and settings\AP.HQ\Local Settings\Application Data\WavXMapDrive.bat
2009-11-24 13:43 . 2009-11-24 13:43 152576 ----a-w- c:\documents and settings\AP.HQ\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 13:43 . 2009-11-24 13:29 79488 ----a-w- c:\documents and settings\AP.HQ\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-05_10.58.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-06 21:20 . 2010-02-06 21:20 16384 c:\windows\Temp\Perflib_Perfdata_4e8.dat
+ 2010-02-12 03:45 . 2010-02-12 03:45 16384 c:\windows\Temp\Perflib_Perfdata_280.dat
+ 2007-11-14 17:04 . 2007-11-14 17:04 83432 c:\windows\system32\vsdata.dll
- 2004-08-11 22:00 . 2010-01-26 15:35 80550 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2010-02-05 19:23 80550 c:\windows\system32\perfc009.dat
+ 2007-01-18 18:28 . 2007-01-18 18:28 5275 c:\windows\system32\drivers\CVirtA.sys
+ 2010-02-05 19:17 . 2010-02-05 19:17 6144 c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED1.exe
+ 2007-11-14 17:04 . 2007-11-14 17:04 157160 c:\windows\system32\vsinit.dll
+ 2007-11-14 17:05 . 2007-11-14 17:05 394952 c:\windows\system32\vsdatant.sys
+ 2008-08-29 13:58 . 2008-08-29 13:58 197408 c:\windows\system32\vpnapi.dll
+ 2004-08-11 22:00 . 2010-02-05 19:23 467858 c:\windows\system32\perfh009.dat
- 2004-08-11 22:00 . 2010-01-26 15:35 467858 c:\windows\system32\perfh009.dat
+ 2008-08-29 13:57 . 2008-08-29 13:57 306299 c:\windows\system32\drivers\CVPNDRVA.sys
+ 2008-08-29 13:58 . 2008-08-29 13:58 193312 c:\windows\system32\CSGina.dll
+ 2010-02-05 19:17 . 2010-02-05 19:17 5362688 c:\windows\Installer\91600.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-26 29744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-12-10 115560]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-26 50688]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-2-5 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/16 17:24];c:\program files\CyberLink\PowerDVD9\000.fcl [9/1/2009 4:59 PM 87536]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 7:21 PM 79432]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [2/5/2010 1:37 PM 311568]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 10:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 5:32 PM 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:11 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 10:30 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/10/2007 5:05 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:30]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\adam\Application Data\Mozilla\Firefox\Profiles\llav9aqm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 04:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8B1418C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef6b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dffbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9deea0d
SendHandler -> NDIS.sys @ 0xb9e02b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1816)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-02-12 04:05:51
ComboFix-quarantined-files.txt 2010-02-12 04:05
ComboFix2.txt 2010-02-05 11:03

Pre-Run: 137,122,344,960 bytes free
Post-Run: 137,077,919,744 bytes free

- - End Of File - - BBDD6AEE40C0F936D5726B2C25774C87


#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts

Posted 12 February 2010 - 10:32 AM

Hi,

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    :filefind
    atapi.*
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.


#14 Cheek Devil

Cheek Devil
  • Topic Starter

  • Members
  • 13 posts

Posted 12 February 2010 - 09:02 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:55 on 13/02/2010 by adam (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\dell\ATAPI.EXE --a--- 28672 bytes [20:35 26/09/2008] [06:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--- 96512 bytes [21:09 05/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [19:47 05/11/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [11:01 05/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [19:35 05/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:43 26/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:44 26/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
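
The point of Grinler's SystemLook request is that the log lists every copy of atapi.* with its MD5, so the driver the kernel actually loads from system32\drivers can be compared against the pristine copies Windows keeps at the same service-pack level (ServicePackFiles\i386, system32\dllcache, the i386 source folder). The following is an added example, not part of this thread and not SystemLook's or ComboFix's own code: it parses a filefind log in that format and flags an active driver whose hash matches none of the reference copies. The first sample is the log posted above, verbatim; the second is a constructed variant in which the active driver's MD5 has been replaced by an all-zero placeholder (not a real hash) while its size and timestamps are left unchanged. The function names and the choice of which folders count as references are this example's own assumptions.

```python
"""Compare the MD5 of a loaded driver against Windows' pristine copies,
using a SystemLook ':filefind' log as input.

Added example for this thread; not SystemLook's or ComboFix's own code.
"""
import re

# One filefind result line: path, six attribute flags, size, two bracketed
# timestamps, MD5. Paths may contain spaces, so the path group is non-greedy.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]*)\]\s+\[(?P<t2>[^\]]*)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# The copy the kernel loads, and the copies that should be byte-identical to it
# at the same service-pack level (assumption of this example). The
# $NtServicePackUninstall$ and ReinstallBackups copies hold an older version,
# so a different hash there is expected rather than suspicious.
ACTIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\", ":\\i386\\")

# Sample 1: the filefind output posted in the thread, verbatim.
THREAD_LOG = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\dell\ATAPI.EXE --a--- 28672 bytes [20:35 26/09/2008] [06:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--- 96512 bytes [21:09 05/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [19:47 05/11/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [11:01 05/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [19:35 05/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:43 26/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:44 26/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
-=End Of File=-
"""

# Constructed placeholder, not a real file hash.
PLACEHOLDER_MD5 = "00000000000000000000000000000000"


def with_patched_driver(log_text):
    """Constructed variant: the loaded driver's MD5 no longer matches, while its
    size and timestamps are unchanged, which is why size alone proves nothing."""
    lines = []
    for line in log_text.splitlines():
        if ACTIVE_DIR + "atapi.sys" in line.lower():
            line = line.rstrip()[:-32] + PLACEHOLDER_MD5
        lines.append(line)
    return "\n".join(lines)


# Sample 2: the same log with the active driver's hash swapped for the placeholder.
TAMPERED_LOG = with_patched_driver(THREAD_LOG)


def parse_filefind(log_text):
    """Return one dict per result line (path, attrs, size, t1, t2, md5), in log order."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def check_active_driver(log_text):
    """For every copy under system32\\drivers, say whether its MD5 matches a
    reference copy ("consistent"), matches none ("suspect"), or whether the
    log contained no reference copy at all ("no-reference")."""
    entries = parse_filefind(log_text)
    reference = {e["md5"] for e in entries
                 if any(d in e["path"].lower() for d in REFERENCE_DIRS)}
    findings = []
    for e in entries:
        if ACTIVE_DIR not in e["path"].lower():
            continue
        if not reference:
            status = "no-reference"
        elif e["md5"] in reference:
            status = "consistent"
        else:
            status = "suspect"
        findings.append({"path": e["path"], "size": e["size"],
                         "md5": e["md5"], "status": status})
    return findings


def verdict(log_text):
    """Collapse the per-file findings into a single word for the whole log."""
    statuses = {f["status"] for f in check_active_driver(log_text)}
    if "suspect" in statuses:
        return "suspect"
    if "consistent" in statuses:
        return "consistent"
    return "no-reference"


if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("constructed tampered", TAMPERED_LOG)):
        for f in check_active_driver(log):
            print(f"{name:22} {f['status']:11} {f['size']:6} {f['md5']} {f['path']}")
```

On the log from this thread the active atapi.sys hashes the same as the ServicePackFiles and i386 copies, so the check reports "consistent"; in the constructed variant the same line is reported "suspect" even though size and timestamps are identical, which is why the hash column, not the size, is what to read in these logs.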

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts

Posted 12 February 2010 - 11:11 PM

Download the attached atapi.bat file and save it to the C:\Windows folder.

Then, reboot your computer and when it asks what version of Windows you would like to start, please select the recovery console.

The recovery console will start up and ask you what version of Windows you would like to start. Press 1 and then Enter on your keyboard.

If the recovery console asks you to enter your Administrator password, enter it and press enter. If you do not know your administrator password, just press enter.

You should now be in the recovery console that looks like a black box. Type the following and press enter:

batch atapi.bat

Then type exit and the computer will reboot into normal mode.

Once at your desktop, go to http://www.bleepingcomputer.com/submit-malware.php?channel=3, browse to C:\Windows\atapi.sys.vir and then submit it.

Then create a new combofix log and post it as a reply to the topic. Also tell me if your Google search engine results are being redirected anymore.

Attached Files





