[Resolved] Can't remove Packed.Monder
railbob
post Sep 17 2009, 08:24 AM
Post #1


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Yesterday my computer was infected with the Packed.Monder trojan. I first tried Bitdefender (my normal anti-virus software) and it detected the virus but was unable to remove it. Then Bitdefender stopped working altogether. Then, I tried installing AVG-free which detected the virus but couldn't remove it. Even worse, when I try using Malwarebytes' anti-malware software (which had been my never-fail go-to program for particularly nasty malware) I get a message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." If I reinstall the software it will scan for about 5 seconds before shutting down and giving me the error message again.

As if all this wasn't bad enough, my computer now crashes every time I try to boot into safe mode. Any help would be much appreciated! Thanks!

Railbob
CatByte
post Sep 19 2009, 05:15 AM
Post #2


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Please do the following:


Download Inherit and save it to your desktop
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"


NEXT

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


railbob
post Sep 20 2009, 01:04 PM
Post #3


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Before the log, here's an update. I was finally able to get Malwarebytes to run (so didn't need Inherit). It keeps finding a Rootkit.TDSS. If I select to remove the file, after the computer reboots it will find the virus again after another scan. So here is both the Win32kDiag log as well as the Malwarebytes log. Again, thanks for the help.

Win32kDiag:
Running from: C:\Documents and Settings\Robert\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Robert\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-12 08:19:33 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)





Finished!


Malwarebytes:
Malwarebytes' Anti-Malware 1.41
Database version: 2820
Windows 5.1.2600 Service Pack 3

9/20/2009 1:58:00 PM
mbam-log-2009-09-20 (13-57-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 18273
Time elapsed: 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\vpfhxjin\vpfhxjin\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\vpfhxjin\vpfhxjin\tdlwsp.dll (Rootkit.TDSS) -> No action taken.
CatByte
post Sep 20 2009, 01:23 PM
Post #4


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


railbob
post Sep 20 2009, 08:46 PM
Post #5


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Ok, here are the logs:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Robert at 15:35:24.98 on Sun 09/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1086 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www2.tcnet.ne.jp/metadoll/mov13.htm"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\robert\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\robert\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-16 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-16 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-16 297752]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit11\ArcNameService.exe [2007-5-1 157264]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-18 38224]
S2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2009-2-13 16]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]

=============== Created Last 30 ================

2009-09-20 13:21 <DIR> --d----- C:\UBCD4Win
2009-09-18 09:49 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 09:49 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-17 09:34 63 a------- c:\windows\system\SysSD.dll
2009-09-17 09:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-17 08:58 <DIR> --d----- c:\program files\Trend Micro
2009-09-17 07:58 229,888 a------- c:\windows\PEV.exe
2009-09-17 07:58 161,792 a------- c:\windows\SWREG.exe
2009-09-17 07:58 98,816 a------- c:\windows\sed.exe
2009-09-16 20:54 4 a------- C:\KLSA.DAT
2009-09-16 20:28 <DIR> --d----- c:\program files\SpywareDetector
2009-09-16 20:27 <DIR> --d----- C:\SDFix
2009-09-16 19:07 <DIR> --d----- C:\$AVG8.VAULT$
2009-09-16 19:05 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 19:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-16 19:05 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 19:04 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-16 19:04 <DIR> --d----- c:\program files\AVG
2009-09-16 18:54 <DIR> --d----- c:\docume~1\robert\applic~1\AVG8
2009-09-10 13:12 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-09-09 22:35 <DIR> --d----- c:\program files\Oldgames
2009-09-09 14:13 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 16:39 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-09-08 16:39 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-09-08 01:47 61,440 ---sh--- c:\windows\system32\Client.exe
2009-09-02 15:39 <DIR> --d----- c:\documents and settings\robert\.thumbnails
2009-08-31 15:07 70,144 a------- c:\windows\system32\drivers\sgpylprpqjpwfyfy.sys
2009-08-31 09:12 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-09-15 23:43 81,984 a------- c:\windows\system32\bdod.bin
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-22 21:42 87,608 a------- c:\docume~1\robert\applic~1\inst.exe
2009-07-22 21:42 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-07-22 21:42 47,360 a------- c:\docume~1\robert\applic~1\pcouffin.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2008-12-02 12:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat
2008-12-03 22:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120320081204\index.dat

============= FINISH: 15:39:55.45 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/30/2008 4:40:44 PM
System Uptime: 9/20/2009 7:17:48 AM (8 hours ago)

Motherboard: Dell Inc. | | 0XD720
Processor: Genuine Intel® CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 16.219 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP403: 9/17/2009 8:03:17 AM - Installed Spyware Detector
RP404: 9/17/2009 9:03:17 AM - Removed BitDefender Antivirus 2009
RP405: 9/17/2009 9:09:50 AM - Removed AVG Free 8.5
RP406: 9/17/2009 9:31:14 AM - Configured AVG Free 8.5
RP407: 9/18/2009 8:13:40 AM - Avg8 Update
RP408: 9/19/2009 9:28:25 AM - System Checkpoint
RP409: 9/20/2009 11:23:11 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.6
Adobe Shockwave Player 11.5
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
AviSynth 2.5
BitTorrent
Bonjour
Broadcom 440x 10/100 Integrated Controller
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Wireless WLAN Card
DivX Web Player
DNA
DVDFab 6.0.2.2 (June 26, 2009)
ffdshow [rev 2844] [2009-03-30]
Haali Media Splitter
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hp deskjet 3600 series
InterActual Player
iTunes
Java™ 6 Update 11
Java™ 6 Update 6
Java™ 6 Update 7
Magic ISO Maker v5.5 (build 0273)
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
Matroska Pack
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
MSN
Nero Suite
Netflix Movie Viewer
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
PlayOn 2.59.3330
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel Audio
Sprint Mobile Broadband (Novatel Wireless)
StuffIt Deluxe 11 for Windows
Synaptics Pointing Device Driver
System Requirements Lab
Tales of Monkey Island - The Siege of Spinner Cay
UBCD4Win 3.50
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb973514)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB942763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.8a
WebFldrs XP
wheelshark
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Search 4.0
Windows XP Service Pack 3
X3watch 5.0.6
Xvid 1.2.1 final uninstall
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Widgets

==== Event Viewer Messages From Past Week ========

9/20/2009 7:22:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.
9/20/2009 7:22:25 AM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/20/2009 7:21:09 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.
9/20/2009 7:21:09 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
9/20/2009 7:21:09 AM, error: Service Control Manager [7000] - The Windows Firewall/Internet Connection Sharing (ICS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/20/2009 7:21:09 AM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2009 5:51:18 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
9/19/2009 5:51:18 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2009 5:50:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
9/19/2009 5:50:39 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/18/2009 3:47:42 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0016CF598147 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/18/2009 10:55:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
9/18/2009 10:55:58 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/18/2009 10:25:46 AM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/18/2009 10:25:45 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.
9/17/2009 8:31:11 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
9/17/2009 8:31:11 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/17/2009 8:31:11 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
9/17/2009 8:25:01 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
9/17/2009 8:24:38 AM, error: Service Control Manager [7000] - The BitDefender Virus Shield service failed to start due to the following error: Access is denied.
9/17/2009 8:22:02 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/17/2009 8:22:02 AM, error: PlugPlayManager [11] - The device Root\LEGACY_PCMSTUB\0000 disappeared from the system without first being prepared for removal.
9/17/2009 8:13:18 AM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/17/2009 8:02:46 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'addins' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/17/2009 2:49:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the MaxWatchDogService service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/17/2009 2:49:12 PM, error: Service Control Manager [7031] - The MaxWatchDogService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.

==== End Of File ===========================


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-20 21:42:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Robert\LOCALS~1\Temp\kgrcrpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\qhxbdiba\qhxbdiba\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [1284] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\qhxbdiba\qhxbdiba\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [1568] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\qhxbdiba\qhxbdiba\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2128] 0x10000000

---- EOF - GMER 1.0.15 ----
CatByte
post Sep 21 2009, 02:38 AM
Post #6


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

I notice you have two active antivirus programs - BitDefender and AVG.
You should only have one - two will cause system slowdowns, crashes and conflicts; one needs to be removed.

I notice you have also run Combofix.

Please post the combofix log. It can be found at C:\Combofix.txt


The MBAM log shows "no action taken"? Did you copy the log before it cleaned the items?
railbob
post Sep 21 2009, 08:30 AM
Post #7


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Right now I only have AVG installed. I uninstalled Bitdefender because it stopped working. I forgot to mention using Combofix; that was one of the few things I tried to fix the problem before posting here. And the log from Malwarebytes was before the reboot, so it hadn't attempted to remove files yet, but like I said it keeps reappearing after the reboot. Here's the Combofix log. Again, I really appreciate you taking the time to help me out. This infection is a nightmare!

ComboFix 09-09-16.05 - Robert 09/17/2009 8:04.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
PEV Error: AppFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\11443.msi
c:\windows\msa.exe
c:\windows\system\SysSD.dll
c:\windows\Tasks\qldoylsk.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_pcmstub
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 01:54 . 2009-09-17 01:54 4 ----a-w- C:\KLSA.DAT
2009-09-17 01:28 . 2009-09-17 01:29 -------- d-----w- c:\program files\SpywareDetector
2009-09-17 01:27 . 2009-09-17 01:28 -------- d-----w- C:\SDFix
2009-09-17 00:07 . 2009-09-17 00:16 -------- d-----w- C:\$AVG8.VAULT$
2009-09-17 00:05 . 2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-17 00:05 . 2009-09-17 00:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-17 00:05 . 2009-09-17 00:05 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-17 00:05 . 2009-09-17 00:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-17 00:04 . 2009-09-17 11:12 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-17 00:04 . 2009-09-17 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-17 00:04 . 2009-09-17 00:04 -------- d-----w- c:\program files\AVG
2009-09-16 23:54 . 2009-09-16 23:54 -------- d-----w- c:\documents and settings\Robert\Application Data\AVG8
2009-09-16 23:03 . 2009-09-16 23:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-16 22:55 . 2009-09-17 13:02 0 ----a-w- c:\windows\win32k.sys
2009-09-10 03:35 . 2009-09-10 04:00 -------- d-----w- c:\program files\Oldgames
2009-09-09 19:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 21:39 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-09-08 21:39 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-08 06:47 . 2009-09-08 06:47 61440 --sh--w- c:\windows\system32\Client.exe
2009-09-02 20:39 . 2009-09-02 20:39 -------- d-----w- c:\documents and settings\Robert\.thumbnails
2009-09-02 20:32 . 2009-09-15 22:24 -------- d-----w- c:\documents and settings\Robert\Application Data\gtk-2.0
2009-09-01 21:50 . 2009-09-01 21:50 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Yahoo
2009-08-31 20:07 . 2009-08-31 20:07 70144 ----a-w- c:\windows\system32\drivers\sgpylprpqjpwfyfy.sys
2009-08-31 16:16 . 2009-08-31 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-18 14:59 . 2009-08-31 14:17 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Google
2009-08-18 14:58 . 2009-08-31 13:30 -------- d-----w- c:\documents and settings\Robert\Application Data\skypePM
2009-08-18 14:58 . 2009-08-18 14:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-18 14:52 . 2009-08-31 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 13:29 . 2008-06-15 02:27 -------- d-----w- c:\program files\DNA
2009-09-17 13:29 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\DNA
2009-09-17 13:27 . 2008-06-07 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\x3watch
2009-09-17 00:04 . 2008-05-31 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 23:44 . 2008-12-03 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 04:43 . 2009-01-15 16:16 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-10 19:54 . 2008-12-03 00:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-03 00:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 18:12 . 2009-09-10 18:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-09-10 12:57 . 2009-02-16 13:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 04:45 . 2008-05-30 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 20:31 . 2008-11-06 21:42 -------- d-----w- c:\program files\Telltale Games
2009-09-04 20:16 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\BitTorrent
2009-09-01 21:49 . 2008-06-14 04:43 -------- d-----w- c:\program files\Yahoo!
2009-08-31 14:16 . 2008-06-15 02:52 -------- d-----w- c:\program files\Miranda IM
2009-08-31 14:11 . 2009-02-03 04:30 -------- d-----w- c:\documents and settings\Robert\Application Data\Dropbox
2009-08-28 13:45 . 2009-02-03 04:30 -------- d-----w- c:\program files\Dropbox
2009-08-17 13:44 . 2009-08-04 00:28 -------- d-----w- c:\program files\Turbine
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:15 . 2009-08-04 02:15 129 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\fusioncache.dat
2009-08-04 00:24 . 2009-06-09 00:26 -------- d-----w- c:\program files\LucasArts
2009-08-04 00:24 . 2008-05-30 22:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 23:52 . 2009-08-03 23:52 -------- d-----w- c:\program files\SystemRequirementsLab
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-23 04:21 . 2009-03-28 14:45 -------- d-----w- c:\documents and settings\Robert\Application Data\dvdcss
2009-07-23 04:18 . 2009-07-23 02:42 -------- d-----w- c:\program files\DVDFab 6
2009-07-23 03:55 . 2009-07-23 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-07-23 02:43 . 2009-07-22 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-23 02:43 . 2009-07-23 02:42 -------- d-----w- c:\documents and settings\Robert\Application Data\Vso
2009-07-23 02:43 . 2009-07-22 18:53 -------- d-----w- c:\program files\NOS
2009-07-23 02:42 . 2009-07-23 02:42 87608 ----a-w- c:\documents and settings\Robert\Application Data\inst.exe
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\documents and settings\Robert\Application Data\pcouffin.sys
2009-07-20 19:00 . 2009-07-13 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\13915624
2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-12 13:34 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-12 13:32 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-12 13:28 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-12 13:27 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-12 13:21 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-12 13:20 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-12 13:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-01-15 15:59 . 2008-08-14 01:02 47616 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 14:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-01 299008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-11 136600]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-22 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2007832]
"SDActiveMonitor"="c:\program files\SpywareDetector\MaxSDTray.exe" [2009-08-11 570800]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-1 575488]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/16/2009 7:05 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/16/2009 7:05 PM 108552]
R1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [9/16/2009 8:28 PM 15872]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/16/2009 7:04 PM 297752]
R2 MaxWatchDogService;MaxWatchDogService;c:\program files\SpywareDetector\MaxWatchDogService.exe [9/16/2009 8:28 PM 409008]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [5/1/2007 11:15 AM 157264]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/13/2009 7:58 AM 16]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 2:06 PM 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [8/12/2008 7:40 PM 111112]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
Notify-SDNotify - c:\program files\SpywareDetector\SDNotify.dll
AddRemove-AVI MPEG WMV Joiner_is1 - c:\program files\Video Joiner\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 08:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,c7,a5,43,80,b0,71,51,49,37,17,1d,66,59,fc,91,04,35,32,00,87,03,9f,
28,8d,6a,33,54,75,5b,64,06,f3,c6,f5,01,05,de,f9,c1,75,8b,ca,92,17,63,1f,51,\
"??"=hex:cc,16,87,b7,4c,11,61,04,14,e5,9f,5f,0b,31,72,00

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d4,c1,52,b4,04,14,1c,aa,a0,6b,ae,76,06,9e,d5,95,56,5b,57,d7,1f,
03,f9,ea,41,a3,a6,6b,f2,d1,fa,89,7a,fb,70,0f,55,ae,ba,21,47,9e,de,02,76,66,\
"rkeysecu"=hex:69,ac,fe,25,0d,2d,72,23,3c,5f,e1,0e,1c,1f,bf,51
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7148)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\mbfgnwkb\mbfgnwkb\tdlwsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\program files\SpywareDetector\MaxActMon.exe
c:\windows\system32\searchindexer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-09-17 8:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 13:44

Pre-Run: 17,396,645,888 bytes free
Post-Run: 19,315,351,552 bytes free

268 --- E O F --- 2009-09-10 04:48
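The GMER "Processes" lines in post #5 and the "DLLs Loaded Under Running Processes" section of the ComboFix log above both show tdlwsp.dll mapped into Explorer and Internet Explorer from a \\?\globalroot\Device\... path. As an added example, not code from the thread or from GMER or ComboFix, here is a Python triage script that parses both log formats and flags such entries; its sample lines are constructed from the posted logs (the shell32.dll line is a made-up benign entry).

```python
r"""Triage of GMER "Processes" lines and the ComboFix "DLLs Loaded Under Running
Processes" section: flag modules mapped from a \\?\globalroot\Device\... path,
the pattern shown for tdlwsp.dll in this thread. Added example, not code from
GMER, ComboFix or any post; the samples are constructed from the posted logs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed from post #5's GMER output and post #7's ComboFix log; the
# shell32.dll line is a made-up benign entry so the classifier has a pass case.
GMER_SAMPLE = r"""
Library \\?\globalroot\Device\Ide\IdePort1\qhxbdiba\qhxbdiba\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [1284] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\qhxbdiba\qhxbdiba\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2128] 0x10000000
Library C:\WINDOWS\system32\shell32.dll @ C:\WINDOWS\Explorer.EXE [2128] 0x7C9C0000
"""
COMBOFIX_SAMPLE = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7148)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\mbfgnwkb\mbfgnwkb\tdlwsp.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
"""

# A path mapped straight from a device object, not from a browsable drive letter.
DEVICE_PATH = re.compile(r"^\\\\\?\\globalroot\\device\\", re.IGNORECASE)
# GMER: Library <path> [(*** hidden *** )] @ <process> [<pid>] <base>
GMER_LIBRARY = re.compile(
    r"^Library\s+(?P<path>.+?)\s+(?P<hidden>\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+)?"
    r"@\s+(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
# ComboFix: a process header, then one module per line; a device-path module
# is written as "<name> <base> <size> <path>", the rest as plain drive paths.
CF_PROCESS = re.compile(r"^-(?: -)*\s*> '(?P<process>[^']+)'\((?P<pid>\d+)\)$")
CF_DEVICE_MODULE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+(?P<path>\\\\.+)$")
CF_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class LoadedModule:
    tool: str
    process: str
    pid: int
    path: str
    hidden: bool = False    # only GMER reports this
    base: str = ""


def parse_gmer(text: str) -> List[LoadedModule]:
    """Parse the 'Library ...' lines of a GMER Processes section."""
    mods = []
    for line in text.splitlines():
        m = GMER_LIBRARY.match(line.strip())
        if m:
            mods.append(LoadedModule("gmer", m["process"], int(m["pid"]), m["path"], m["hidden"] is not None, m["base"]))
    return mods


def parse_combofix_dlls(text: str) -> List[LoadedModule]:
    """Parse the 'DLLs Loaded Under Running Processes' section of a ComboFix log."""
    mods: List[LoadedModule] = []
    process, pid = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        hdr = CF_PROCESS.match(line)
        if hdr:
            process, pid = hdr["process"], int(hdr["pid"])
        elif process is None or not line or line == ".":
            continue
        elif line.startswith("-"):          # next section banner ends the listing
            break
        elif (dev := CF_DEVICE_MODULE.match(line)):
            mods.append(LoadedModule("combofix", process, pid, dev["path"], False, "0x" + dev["base"]))
        elif CF_DRIVE_PATH.match(line):
            mods.append(LoadedModule("combofix", process, pid, line))
    return mods


def triage(m: LoadedModule) -> List[str]:
    """Reasons a loaded module deserves a closer look; empty means nothing seen."""
    reasons = []
    if m.hidden:
        reasons.append("hidden from standard module enumeration")
    if DEVICE_PATH.match(m.path):
        reasons.append("mapped from a raw device path rather than a drive letter")
    return reasons


def device_path_dirs(modules: List[LoadedModule]) -> Dict[str, Set[str]]:
    """Group device-path modules by file name with the directory each copy sat in:
    across the two logs here the same tdlwsp.dll sits under different random names."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for m in modules:
        if DEVICE_PATH.match(m.path):
            parts = m.path.split("\\")
            out[parts[-1].lower()].add(parts[-2].lower())
    return dict(out)
```

Running `triage` over both parsed lists flags the three tdlwsp.dll entries and nothing else, and `device_path_dirs` ties the two sightings together by file name even though the directory component differs between the logs.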
CatByte
post Sep 21 2009, 08:45 AM
Post #8


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Can_t_remove_Packed_Monder_t107028.html&view=findpost&p=597835#entry597835

Collect::
c:\windows\system32\drivers\sgpylprpqjpwfyfy.sys

Folder::
c:\documents and settings\All Users\Application Data\13915624


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
railbob
post Sep 21 2009, 10:30 AM
Post #9


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Ok, I haven't run ComboFix yet because I get an error message saying the Bitdefender Antivirus is running. However, like I said earlier, I uninstalled it, so I'm not sure what, if anything, I need to disable. Should I go ahead and run it anyway, or is there something else I need to do first?
CatByte
post Sep 21 2009, 10:43 AM
Post #10


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Go ahead and run it
CatByte
post Sep 22 2009, 11:13 AM
Post #11


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

I need you to run these additional scans as well

  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



NEXT

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select ALL ITEMS
  • Look near the bottom left, and Check Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.

railbob
post Sep 22 2009, 06:28 PM
Post #12


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Ok, all 3 scans have been run. However, I made a mistake on the Combofix one. I accidentally closed the log before saving it and didn't realize it saves a copy at C:\. So, I ran the scan a second time. Hope that doesn't mess things up for you. I do know that in the original scan Combofix deleted the sgpylprpqjpwfyfy.sys file. So, the log here for Combofix is from the second scan, and it did delete another file there. Again, hope I'm not making things difficult for you.

ComboFix 09-09-20.04 - Robert 09/21/2009 14:53.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1390 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-20 18:21 . 2009-09-20 18:30 -------- d-----w- C:\UBCD4Win
2009-09-18 14:49 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 14:49 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 14:09 . 2009-09-17 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-17 13:58 . 2009-09-17 13:58 -------- d-----w- c:\program files\Trend Micro
2009-09-17 01:54 . 2009-09-17 01:54 4 ----a-w- C:\KLSA.DAT
2009-09-17 01:28 . 2009-09-17 19:49 -------- d-----w- c:\program files\SpywareDetector
2009-09-17 01:27 . 2009-09-17 01:28 -------- d-----w- C:\SDFix
2009-09-17 00:07 . 2009-09-17 00:16 -------- d-----w- C:\$AVG8.VAULT$
2009-09-17 00:05 . 2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-17 00:05 . 2009-09-17 00:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-17 00:05 . 2009-09-17 00:05 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-17 00:05 . 2009-09-17 00:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-17 00:04 . 2009-09-21 13:06 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-17 00:04 . 2009-09-17 00:04 -------- d-----w- c:\program files\AVG
2009-09-16 23:54 . 2009-09-16 23:54 -------- d-----w- c:\documents and settings\Robert\Application Data\AVG8
2009-09-16 23:03 . 2009-09-16 23:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-10 03:35 . 2009-09-10 04:00 -------- d-----w- c:\program files\Oldgames
2009-09-09 19:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 21:39 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-09-08 21:39 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-08 06:47 . 2009-09-08 06:47 61440 --sh--w- c:\windows\system32\Client.exe
2009-09-02 20:39 . 2009-09-02 20:39 -------- d-----w- c:\documents and settings\Robert\.thumbnails
2009-09-02 20:32 . 2009-09-15 22:24 -------- d-----w- c:\documents and settings\Robert\Application Data\gtk-2.0
2009-09-01 21:50 . 2009-09-01 21:50 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Yahoo
2009-08-31 16:16 . 2009-08-31 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 16:14 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\DNA
2009-09-21 10:44 . 2008-06-07 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\x3watch
2009-09-21 10:43 . 2008-06-15 02:27 -------- d-----w- c:\program files\DNA
2009-09-18 14:49 . 2008-12-03 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 14:28 . 2008-05-31 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-17 14:04 . 2008-12-02 17:25 -------- d-----w- c:\program files\Common Files\BitDefender
2009-09-16 04:43 . 2009-01-15 16:16 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-10 18:12 . 2009-09-10 18:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-09-10 12:57 . 2009-02-16 13:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 04:45 . 2008-05-30 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 20:31 . 2008-11-06 21:42 -------- d-----w- c:\program files\Telltale Games
2009-09-04 20:16 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\BitTorrent
2009-09-01 21:49 . 2008-06-14 04:43 -------- d-----w- c:\program files\Yahoo!
2009-08-31 14:16 . 2008-06-15 02:52 -------- d-----w- c:\program files\Miranda IM
2009-08-31 14:12 . 2009-08-18 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-31 14:11 . 2009-02-03 04:30 -------- d-----w- c:\documents and settings\Robert\Application Data\Dropbox
2009-08-31 13:30 . 2009-08-18 14:58 -------- d-----w- c:\documents and settings\Robert\Application Data\skypePM
2009-08-28 13:45 . 2009-02-03 04:30 -------- d-----w- c:\program files\Dropbox
2009-08-18 14:58 . 2009-08-18 14:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-17 13:44 . 2009-08-04 00:28 -------- d-----w- c:\program files\Turbine
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:15 . 2009-08-04 02:15 129 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\fusioncache.dat
2009-08-04 00:24 . 2009-06-09 00:26 -------- d-----w- c:\program files\LucasArts
2009-08-04 00:24 . 2008-05-30 22:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 23:52 . 2009-08-03 23:52 -------- d-----w- c:\program files\SystemRequirementsLab
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\documents and settings\Robert\Application Data\pcouffin.sys
2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-12 13:34 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-12 13:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-12 13:32 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-12 13:28 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-12 13:27 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-12 13:21 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-12 13:20 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-12 13:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_13.35.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-12 13:26 . 2009-09-21 18:58 81490 c:\windows\system32\perfc009.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-16 23:03 . 2009-09-21 10:42 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-09-16 23:03 . 2009-09-17 13:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-12 13:26 . 2009-09-21 18:58 469012 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 14:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-01 299008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-11 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-1 575488]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/16/2009 7:05 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/16/2009 7:05 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/16/2009 7:04 PM 297752]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/13/2009 7:58 AM 16]
S2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [5/1/2007 11:15 AM 157264]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,c7,a5,43,80,b0,71,51,49,37,17,1d,66,59,fc,91,04,35,32,00,87,03,9f,
28,8d,6a,33,54,75,5b,64,06,f3,c6,f5,01,05,de,f9,c1,75,8b,ca,92,17,63,1f,51,\
"??"=hex:cc,16,87,b7,4c,11,61,04,14,e5,9f,5f,0b,31,72,00

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d4,c1,52,b4,04,14,1c,aa,a0,6b,ae,76,06,9e,d5,95,56,5b,57,d7,1f,
03,f9,ea,41,a3,a6,6b,f2,d1,fa,89,7a,fb,70,0f,55,ae,ba,21,47,9e,de,02,76,66,\
"rkeysecu"=hex:69,ac,fe,25,0d,2d,72,23,3c,5f,e1,0e,1c,1f,bf,51
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-21 15:18
ComboFix-quarantined-files.txt 2009-09-21 20:18
ComboFix2.txt 2009-09-21 19:37
ComboFix3.txt 2009-09-17 13:45

Pre-Run: 18,452,557,824 bytes free
Post-Run: 18,428,215,296 bytes free

211 --- E O F --- 2009-09-10 04:48


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 15:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Robert\LOCALS~1\Temp\catchme.sys
Address: 0xBABD8000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB15C0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE6E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBADD2000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB16D1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\robert\local settings\temp\~df8fbe.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\robert\local settings\temp\~dfd471.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1136) Address: 0x10000000 Size: 24576

==EOF==


SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

No Hidden Processes found

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B15C0000
Module End: B15D8000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BAE6E000
Module End: BAE70000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Robert\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: BABD8000
Module End: BABE0000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: BADD2000
Module End: BADD4000
Hidden: Yes

********************************************************************************
**********
********************************************************************************
**********
No SSDT Hooks found

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
No IRP Hooks found

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:2590
Remote Address: GX-IN-F138.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ROBERTUNIT:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: ROBERTUNIT:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: ROBERTUNIT:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: ROBERTUNIT:10080
Remote Address: LOCALHOST:2591
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: ROBERTUNIT:10080
Remote Address: LOCALHOST:2589
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: ROBERTUNIT:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: ROBERTUNIT:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: ROBERTUNIT:2591
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: ROBERTUNIT:2589
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\X3watch\x3watch.exe
State: ESTABLISHED

Local Address: ROBERTUNIT:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: LISTENING

Local Address: ROBERTUNIT:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: ROBERTUNIT:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ROBERTUNIT:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ROBERTUNIT.DOMAIN_NOT_SET.INVALID:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ROBERTUNIT:2585
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: ROBERTUNIT:2471
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ROBERTUNIT:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ROBERTUNIT:1708
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: ROBERTUNIT:1704
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: ROBERTUNIT:1631
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: ROBERTUNIT:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ROBERTUNIT:57517
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ROBERTUNIT:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ROBERTUNIT:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ROBERTUNIT:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ROBERTUNIT:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

********************************************************************************
**********
********************************************************************************
**********
Hidden files/folders:
Object: C:\Documents and Settings\Robert\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Robert\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

CatByte
post Sep 22 2009, 06:37 PM
Post #13


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

There are still traces of a rootkit on your system.

Please delete the copy of ComboFix that you have on your desktop.

Please download a fresh copy from one of the previous links provided and run it...

Post the resulting log.
railbob
post Sep 22 2009, 06:39 PM
Post #14


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Should I use the script from earlier or just run it?
CatByte
post Sep 22 2009, 06:40 PM
Post #15


Classroom Administrator

Group: Classroom Admin
Posts: 9,680
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Just run it...


(Just to confirm... you already ran that script once, correct?)
