
atapi driver redirect virus problem


  • This topic is locked
3 replies to this topic

#1 Metsfan61

  • Members
  • 9 posts
  • Local time: 02:27 AM

Posted 16 April 2010 - 09:32 PM

Here is the GMER log and the DDS log

DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by BILL at 17:34:21.60 on Fri 04/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.46 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BILL.WILLIAM-7D47F85\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///G:/MY%20DOCS/WEBSITES/My%20Bookmarks.htm
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-16 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-17 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-17 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-17 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-16 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-16 267432]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-12 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-16 60936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 MSDTCTermService;Distributed Transaction Coordinator MSDTCTermService;c:\windows\system32\abalezipj.exe srv --> c:\windows\system32\AbaleZipj.exe srv [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys --> c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys [?]

=============== Created Last 30 ================

2010-04-16 21:28:45 0 ----a-w- c:\documents and settings\bill.william-7d47f85\defogger_reenable
2010-04-16 18:33:37 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-16 18:33:34 0 d-----w- c:\program files\Avira
2010-04-16 18:33:34 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira
2010-04-16 14:28:29 95360 ----a-w- c:\windows\system32\drivers\tskF.tmp
2010-04-16 14:28:29 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-16 14:26:56 272 ----a-w- c:\windows\system32\bootdelete.lst
2010-04-16 14:26:56 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-16 14:02:30 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-16 14:01:37 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2010-04-16 14:01:23 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-14 23:52:14 0 d-sha-r- C:\cmdcons
2010-04-14 23:50:12 98816 ----a-w- c:\windows\sed.exe
2010-04-14 23:50:12 77312 ----a-w- c:\windows\MBR.exe
2010-04-14 23:50:12 261632 ----a-w- c:\windows\PEV.exe
2010-04-14 23:50:12 161792 ----a-w- c:\windows\SWREG.exe
2010-04-14 23:08:23 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 23:08:23 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-04-14 22:58:24 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-14 22:58:24 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-14 22:58:24 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-14 22:58:24 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-14 22:58:24 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-14 22:58:22 0 d-----w- c:\program files\Trojan Remover
2010-04-14 22:58:22 0 d-----w- c:\docume~1\bill~1.wil\applic~1\Simply Super Software
2010-04-14 22:58:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Simply Super Software
2010-04-14 22:56:36 0 d-----w- c:\program files\Sun
2010-04-14 22:56:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-14 03:08:41 69632 ----a-w- c:\windows\system32\CNQU70.DLL
2010-04-14 03:08:40 339968 ----a-w- c:\windows\system32\N067UFW.DLL
2010-04-14 02:23:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-04-14 02:19:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 02:19:23 0 d-----w- c:\docume~1\bill~1.wil\applic~1\SUPERAntiSpyware.com
2010-04-06 14:50:57 0 d-----w- c:\docume~1\bill~1.wil\applic~1\TaxCut
2010-04-06 14:20:59 0 d-----w- c:\program files\PDF995
2010-04-06 14:20:59 0 d-----w- c:\program files\HRBlock2009
2010-04-06 14:08:10 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TaxCut
2010-04-02 18:54:33 1864003 --sha-w- c:\windows\system32\acluim.sys
2010-04-02 18:54:31 105437 ----a-w- c:\windows\system32\1031s.sys
2010-03-29 02:36:25 2 ----a-w- c:\windows\Twain001.Mtx
2010-03-28 21:57:08 0 d-----w- c:\program files\BPBotpro
2010-03-25 04:21:49 0 d-----w- c:\program files\Apsense Software
2010-03-22 18:56:32 0 d-----w- c:\program files\common files\DivX Shared
2010-03-22 18:55:25 0 d-----w- c:\program files\DivX
2010-03-22 18:54:56 0 d-----w- c:\docume~1\alluse~1.win\applic~1\DivX
2010-03-22 15:47:59 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-03-22 15:47:58 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-03-22 15:47:56 0 d-----w- c:\program files\ffdshow
2010-03-22 15:29:32 0 d-----w- c:\docume~1\bill~1.wil\applic~1\playitall
2010-03-22 15:12:46 0 d-----w- c:\program files\PlayItAll Media Player
2010-03-22 15:11:34 0 d-----w- c:\program files\PlayItAll
2010-03-19 23:28:17 28 ----a-w- c:\windows\hegames.ini

==================== Find3M ====================

2010-04-15 00:03:17 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-14 22:55:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 08:29:18 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 14:09:24 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 14:09:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 14:08:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-17 14:53:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-01-30 21:13:04 47360 ----a-w- c:\docume~1\bill~1.wil\applic~1\pcouffin.sys
2010-01-30 04:19:01 157208 ----a-w- c:\windows\hphins25.dat
2010-01-30 03:33:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 17:36:05.15 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/29/2010 10:41:30 PM
System Uptime: 4/16/2010 8:54:55 AM (9 hours ago)

Motherboard: | | KM400-8235
Processor: AMD Athlon™ XP 2400+ | | 1994/mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 32 GiB total, 12.054 GiB free.
D: is FIXED (FAT32) - 112 GiB total, 23.243 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is FIXED (FAT32) - 931 GiB total, 6.156 GiB free.
H: is FIXED (FAT32) - 466 GiB total, 1.731 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP111: 4/12/2010 3:22:35 PM - System Checkpoint
RP112: 4/12/2010 9:38:32 PM - Installed Microsoft Publisher 2002
RP113: 4/13/2010 10:19:15 PM - Installed SUPERAntiSpyware Free Edition
RP114: 4/13/2010 11:06:05 PM - Removed CanoScan LiDE20,30 Manual
RP115: 4/14/2010 6:48:56 PM - Removed Java™ 6 Update 18
RP116: 4/14/2010 6:52:31 PM - Installed Java™ SE Development Kit 6 Update 19
RP117: 4/14/2010 6:55:36 PM - Installed Java™ 6 Update 19
RP118: 4/16/2010 10:46:46 AM - Removed AVG Free 9.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 Plugin
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
BitTorrent
BufferChm
Canon CanoScan Toolbox 4.1
CCleaner
CD - DVD Publishing Service
CDisplay 1.8
CustomerResearchQFolder
D2500
D2500_Help
DeviceDiscovery
DeviceManagementQFolder
DivX Setup
DJ_SF_03_D2500_ProductContext
DJ_SF_03_D2500_Software
DJ_SF_03_D2500_Software_Min
DVDFab 6.2.1.8 (31/12/2009)
EA.com Update
eSupportQFolder
exPressit S.E. 2.1
ffdshow [rev 3299] [2010-03-03]
GPBaseService
Graboid Video 1.65
H&R Block New Jersey 2009
H&R Block Premium + Efile + State 2009
HijackThis 2.0.2
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 10.0
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPProductAssistant
HPSSupply
ImTOO AVI to DVD Converter
Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 19
Java™ SE Development Kit 6 Update 19
LightScribe System Software 1.14.19.1
Madden NFL ™ 2000
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nero 7 Essentials
OmniPage SE
PlayItAll media player 1.0.5
PSSWCORE
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Shop for HP Supplies
SmartWebPrintingOC
SolutionCenter
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Triple Play
Trojan Remover 6.8.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.4053
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.6d
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

4/9/2010 8:57:39 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
4/16/2010 2:30:00 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
4/16/2010 2:30:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\BILL~1.WIL\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
4/16/2010 2:30:00 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
4/16/2010 10:41:54 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/16/2010 10:41:48 AM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 2 time(s).
4/16/2010 10:41:41 AM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
4/14/2010 8:07:23 PM, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
4/14/2010 6:46:52 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/14/2010 6:23:32 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
4/14/2010 6:23:23 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/14/2010 6:23:07 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/13/2010 9:41:55 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\regedt32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
4/13/2010 10:09:11 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/13/2010 1:35:10 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
4/13/2010 1:33:07 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/13/2010 1:33:07 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/13/2010 1:29:44 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
4/13/2010 1:29:11 PM, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
4/13/2010 1:21:44 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
4/13/2010 1:19:06 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
4/12/2010 12:26:47 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.
4/11/2010 6:24:04 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================



GMER LOG


_______________________



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 22:23:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\BILL~1.WIL\LOCALS~1\Temp\ffgiqfog.sys


---- System - GMER 1.0.15 ----

SSDT F8B88666 ZwCreateKey
SSDT F8B8865C ZwCreateThread
SSDT F8B8866B ZwDeleteKey
SSDT F8B88675 ZwDeleteValueKey
SSDT F8B8867A ZwLoadKey
SSDT F8B88648 ZwOpenProcess
SSDT F8B8864D ZwOpenThread
SSDT F8B88684 ZwReplaceKey
SSDT F8B8867F ZwRestoreKey
SSDT F8B88670 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEDA2320]

---- Kernel code sections - GMER 1.0.15 ----

? tsk36.tmp The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xF85E3214]
? system32\drivers\klmd.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[212] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\wuauclt.exe[212] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\wuauclt.exe[212] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008E000C
.text C:\WINDOWS\System32\svchost.exe[1020] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 013E000A
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 013D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0130000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0131000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 012F000C
.text C:\WINDOWS\explorer.exe[3376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\explorer.exe[3376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\explorer.exe[3376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdePort0 tsk36.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk36.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c tsk36.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 tsk36.tmp

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\klmd21 \Device\KLMD202000 klmd.sys

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 81E44AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


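As an added example (not part of the original thread, and not a tool either poster used), a small Python triage script that reads the GMER "Devices" and "Files" sections and the DDS "SERVICES / DRIVERS" section in the format posted above and flags what a helper looks for first: device objects of \Driver\atapi served by something other than atapi.sys, files GMER reports as "suspicious modification", and services DDS could not verify ([?]). The sample lines are constructed from the shapes in the log, and the expected-image table is my assumption, not a GMER or DDS feature.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the GMER "Devices"/"Files" sections and
# the DDS "SERVICES / DRIVERS" section posted above (trimmed, not the full log).
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
Device \Driver\atapi \Device\Ide\IdePort0 tsk36.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk36.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c tsk36.tmp
Device \Driver\klmd21 \Device\KLMD202000 klmd.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 81E44AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
S2 MSDTCTermService;Distributed Transaction Coordinator MSDTCTermService;c:\windows\system32\abalezipj.exe srv --> c:\windows\system32\AbaleZipj.exe srv [?]
S3 nsak;nsak;\??\c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys --> c:\docume~1\bill~1.wil\locals~1\temp\000009b9.nmc\nse\bin\nsak.sys [?]
"""

# Assumed baseline (my table, not from GMER): which driver image should own the
# device objects of each driver object on XP. Drivers not listed are not judged.
EXPECTED_IMAGE: Dict[str, str] = {
    r"\Driver\atapi": "atapi.sys",
    r"\Driver\Disk": "disk.sys",
}

# GMER "Device" line: driver object, device object, and the module (or raw
# address) that actually serves it. "Device ->" marks a redirected entry.
DEVICE_RE = re.compile(r"^Device\s+(?:->\s+)?(\\Driver\\\S+)\s+(\\Device\\\S+)\s+(\S+)\s*$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification\s*$")
# DDS service line whose image could not be verified: "<state> name;display;image [?]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[\?\]\s*$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_devices(log: str) -> List[Dict[str, str]]:
    """Return GMER 'Device' entries as {driver, device, owner}."""
    found = []
    for line in log.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            found.append({"driver": m.group(1), "device": m.group(2), "owner": m.group(3)})
    return found


def find_redirected_devices(devices: List[Dict[str, str]],
                            expected: Dict[str, str] = EXPECTED_IMAGE) -> List[Dict[str, str]]:
    """Flag device objects served by something other than the expected driver
    image (e.g. \\Driver\\atapi -> tsk36.tmp) or by a raw address GMER could
    not map to any module."""
    expected_lc = {k.lower(): v.lower() for k, v in expected.items()}
    findings = []
    for dev in devices:
        want = expected_lc.get(dev["driver"].lower())
        if want is None:
            continue  # no baseline for this driver object; do not guess
        if HEX_ADDR_RE.match(dev["owner"]):
            findings.append({**dev, "reason": "dispatch points at an unmapped address"})
        elif dev["owner"].lower() != want:
            findings.append({**dev, "reason": f"served by {dev['owner']} instead of {want}"})
    return findings


def find_suspicious_files(log: str) -> List[str]:
    """Paths GMER reported as 'suspicious modification'."""
    return [FILE_RE.match(l.strip()).group(1)
            for l in log.splitlines() if FILE_RE.match(l.strip())]


def find_unverified_services(log: str) -> List[Dict[str, str]]:
    """Services whose image DDS could not read, marked '[?]' at line end."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append({"state": m.group(1), "name": m.group(2), "image": m.group(4)})
    return found


def triage(log: str) -> Dict[str, list]:
    """Collect the three indicator classes from one pasted log."""
    return {
        "redirected_devices": find_redirected_devices(parse_devices(log)),
        "suspicious_files": find_suspicious_files(log),
        "unverified_services": find_unverified_services(log),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("  ", item)
```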

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 01:27 AM

Posted 16 April 2010 - 10:56 PM

Hello Metsfan61,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

We are dealing with a nasty infection; it may take multiple posts to rid your machine of this Malware.

1. One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise please let me know.

2. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either AVG or Avira.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

4.
    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    atapi.sys
    serial.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Things to include in your next reply:
Combofix.txt
OTL.txt
Extra.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
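The OTL custom scan above asks for the MD5 of every copy of atapi.sys and serial.sys on the machine. The reason is that a driver-patching infection rewrites the live copy under system32\drivers while the backup copies (dllcache, ServicePackFiles) stay clean, so the copies stop agreeing with each other. The script below is an added example, not OTL's code and not part of the original post: it walks a directory tree, hashes every copy of the named drivers, and reports names whose copies carry more than one hash. The directory layout and file contents it builds are constructed sample data; point `find_copies` at a real Windows directory to use it for real.

```python
"""Added example (not OTL's code): find every copy of the named driver files
under a root, hash them, and flag names whose copies disagree. A live driver
that no longer matches its own backup copies is the on-disk trace that a
file-patching infection of atapi.sys leaves behind.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path, algo="md5"):
    """Hash a file in chunks. MD5 is what OTL's report shows; pass "sha256"
    when comparing against a modern known-good list."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names):
    """Return {name: [(path, hash), ...]} for every copy of each name under
    root. Matching is case-insensitive, as NTFS file names are."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, hash_file(p)))
    return dict(found)


def disagreements(copies):
    """Names whose copies carry more than one distinct hash, with the hashes.
    A live copy that differs from its backups is the case to investigate."""
    out = {}
    for name, entries in copies.items():
        hashes = {h for _p, h in entries}
        if len(hashes) > 1:
            out[name] = sorted(hashes)
    return out


def build_sample_tree():
    """Constructed sample data (hypothetical contents, not real drivers):
    a patched live atapi.sys next to two clean backups, and a serial.sys
    whose copies are all identical."""
    root = tempfile.mkdtemp(prefix="driver-md5-")
    clean_atapi = b"MZ" + b"\x00" * 60 + b"clean atapi driver body"
    patched_atapi = b"MZ" + b"\x00" * 60 + b"clean atapi driver bodX"  # one byte changed
    serial = b"MZ" + b"\x00" * 60 + b"serial driver body"
    layout = {
        "WINDOWS/system32/drivers/atapi.sys": patched_atapi,
        "WINDOWS/system32/dllcache/atapi.sys": clean_atapi,
        "WINDOWS/ServicePackFiles/i386/atapi.sys": clean_atapi,
        "WINDOWS/system32/drivers/serial.sys": serial,
        "WINDOWS/system32/dllcache/serial.sys": serial,
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    copies = find_copies(root, ["atapi.sys", "serial.sys"])
    for name, entries in sorted(copies.items()):
        for path, digest in entries:
            print(f"{digest}  {os.path.relpath(path, root)}")
    for name, hashes in disagreements(copies).items():
        print(f"WARNING: copies of {name} disagree: {hashes}")
```

Disagreement between copies is a strong hint but not proof: a legitimate hotfix can also leave system32\drivers newer than dllcache, so the final call is made by comparing the live copy's hash against a known-good list for the installed service pack, not by the mismatch alone.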


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:27 AM

Posted 18 April 2010 - 07:50 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:27 AM

Posted 20 April 2010 - 07:08 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
