
[Closed] Found CPAX20 (alg.exe) CPAX2.exe on my system.


  • This topic is locked
30 replies to this topic

#16 JoeGons (Authentic Member, 23 posts)

Posted 25 November 2009 - 04:42 PM

It’s very interesting. There’s now a shortcut to Internet Explorer on my desktop. What is OTC by Oldtimer? Thanks, Joe

Edited by JoeGons, 25 November 2009 - 04:43 PM.

If we could do it alone, we wouldn’t need each other.



#17 extremeboy (Retired WTT Malware Disintegrator Teacher, 1,433 posts)

Posted 25 November 2009 - 07:16 PM

Hello again.

It’s very interesting. There’s now a shortcut to Internet Explorer on my desktop.

Yes, Combofix did that. You can delete that shortcut if you wish.

What is OTC by Oldtimer?

I should be asking you that question. Why is OTC brought up here? Did I tell you to run it anywhere in this topic?

--
Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe
    c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe
    c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe
    c:\windows\system32\1.tmp
    c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe
    c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe
    c:\windows\system32\42cAA.sys
    c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe
    c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys
    c:\windows\winlogon.exe
    Driver::
    FRM
    JJ
    LCKAQ
    MEMSWEEP2
    OJMCTAV
    QEDMY
    42cAA
    ELQQIN
    SysProtDrv.sys
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{32544452-2241-2343-2313-245211031325}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download a new copy of RootRepeal and see if you can run it. If so, run it and post back with the log in your next reply.

Thanks.

~Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image
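An added example, not code from the original post or from ComboFix itself: a small Python parser for the CFScript format used in the post above. It reads the four sections the script uses (File::, Driver::, Registry::, RegLock::) and turns them into a plan that can be reviewed before the file is dropped onto ComboFix.exe. The section names are those of the script above; the Registry:: lines follow the .reg-file convention ([-key] deletes a key, "name"=- deletes a value). The Plan structure, the function names and the Windows-directory check are this example's own conventions, and the sample input is the script from the post, copied verbatim.

```python
"""Parse a ComboFix CFScript into a reviewable removal plan.

Added example; not code from the original post or from ComboFix.
The section names and the .reg-style Registry:: syntax are those of
the script posted above; the Plan structure, the function names and
the Windows-directory check are this example's own conventions.
"""
import re
from dataclasses import dataclass, field

# Section header, e.g. "File::" or "Registry::"
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Sample input: the CFScript from the post above, copied verbatim.
CFSCRIPT = r"""
File::
c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe
c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe
c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe
c:\windows\system32\1.tmp
c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe
c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe
c:\windows\system32\42cAA.sys
c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe
c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys
c:\windows\winlogon.exe
Driver::
FRM
JJ
LCKAQ
MEMSWEEP2
OJMCTAV
QEDMY
42cAA
ELQQIN
SysProtDrv.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{32544452-2241-2343-2313-245211031325}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
"""


@dataclass
class Plan:
    files: list = field(default_factory=list)          # File:: paths to delete
    drivers: list = field(default_factory=list)        # Driver:: services to remove
    delete_keys: list = field(default_factory=list)    # [-key]
    delete_values: list = field(default_factory=list)  # (key, name) for "name"=-
    set_values: list = field(default_factory=list)     # (key, name, data)
    locked_keys: list = field(default_factory=list)    # RegLock:: keys
    unknown: list = field(default_factory=list)        # (section, line) not understood


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line, tracking the current section and,
    inside Registry::, the current key (as a .reg file does)."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "driver":
            plan.drivers.append(line)
        elif section == "reglock" and line.startswith("[") and line.endswith("]"):
            plan.locked_keys.append(line[1:-1])
        elif section == "registry" and line.startswith("[-") and line.endswith("]"):
            plan.delete_keys.append(line[2:-1])      # [-key] deletes the whole key
            current_key = None
        elif section == "registry" and line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif section == "registry" and current_key and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data == "-":                           # "name"=- deletes the value
                plan.delete_values.append((current_key, name))
            else:
                plan.set_values.append((current_key, name, data))
        else:
            plan.unknown.append((section, line))
    return plan


WINDOWS_DIR = "c:\\windows\\"


def system_file_targets(plan: Plan) -> list:
    """File:: entries inside the Windows directory. ComboFix deletes
    these outright, so each one deserves a deliberate look (on XP the
    dllcache directory holds known-good copies to compare against)."""
    return [f for f in plan.files if f.lower().startswith(WINDOWS_DIR)]


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print(f"{len(plan.files)} files, {len(plan.drivers)} drivers, "
          f"{len(plan.delete_keys)} keys and {len(plan.delete_values)} values to delete")
    for path in system_file_targets(plan):
        print("check before deleting:", path)
```

The Windows-directory check flags three of the ten File:: entries, among them c:\windows\winlogon.exe. On XP the legitimate winlogon.exe lives in %SystemRoot%\system32, so a copy directly under c:\windows is the one being targeted; the point of the check is that such an entry gets a conscious decision rather than a reflex delete.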

#18 JoeGons (Authentic Member, 23 posts)

Posted 26 November 2009 - 06:24 AM

Hi,
Thanks for the follow up.
After this run, my Windows Firewall and Virus Protection warnings have returned.
I use Sygate Firewall and Norton Anti Virus.
I have been made to understand that one should not run two anti-virus programs at the same time.
Would you recommend turning on BOTH Windows Firewall and Windows Virus Protection along with my Sygate and Norton?

I downloaded a new copy of RootRepeal and tried to run it.
It never got past initializing.
At first there is a lot of hard drive activity. After about 5 minutes the hard drive activity stopped, and then nothing for the next 10 minutes.
Using Task Manager, I noticed it was using 99% CPU, so I stopped it.
Under "Applications" it showed "Busy" / "Not responding".

How long should it take to "Initialize"?
----------------------------------------------------

ComboFix 09-11-25.01 - Owner 11/26/2009 5:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.349 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe"
"c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys"
"c:\windows\system32\1.tmp"
"c:\windows\system32\42cAA.sys"
"c:\windows\winlogon.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\42cAA.sys

c:\windows\System32\Drivers\d347prt.sys . . . is infected!!

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_42CAA
-------\Legacy_ELQQIN
-------\Legacy_FRM
-------\Legacy_JJ
-------\Legacy_LCKAQ
-------\Legacy_MEMSWEEP2
-------\Legacy_OJMCTAV
-------\Legacy_QEDMY
-------\Legacy_SYSPROTDRV.SYS
-------\Service_42cAA
-------\Service_ELQQIN
-------\Service_FRM
-------\Service_JJ
-------\Service_LCKAQ
-------\Service_MEMSWEEP2
-------\Service_OJMCTAV
-------\Service_QEDMY
-------\Service_SysProtDrv.sys


((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 19:10 . 2009-11-17 19:10 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.3.3.sys
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-26 09:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-10-27 14:46 . 2009-10-27 14:48 -------- d-----w- C:\RSV3 - Portuguese (Brazil)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 08:46 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 14:17 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_21.37.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-26 10:06 . 2009-11-26 10:06 16384 c:\windows\Temp\Perflib_Perfdata_b04.dat
+ 2009-11-26 10:06 . 2009-11-26 10:06 16384 c:\windows\Temp\Perflib_Perfdata_540.dat
+ 2009-11-26 09:39 . 2009-11-26 09:39 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2002-10-24 20:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-11-26 08:29 . 2009-11-26 08:29 184320 c:\windows\ERDNT\AutoBackup\11-26-2009\Users\00000002\UsrClass.dat
+ 2009-11-26 08:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-26-2009\ERDNT.EXE
+ 2009-11-26 08:29 . 2009-11-26 08:29 14135296 c:\windows\ERDNT\AutoBackup\11-26-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"StartupDelayer"="e:\program files\Startup Delayer\Startup Launcher GUI.exe" [2004-03-01 45056]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper ™ Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]

2009-11-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 06:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83797A78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf754af28
\Driver\ACPI -> ACPI.sys @ 0xf7467cb8
\Driver\atapi -> 0x83797a78
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\SpamExpertsLSP.dll

- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Sygate\SPF\smc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Norton AntiVirus\SAVScan.exe
c:\windows\System32\snmp.exe
e:\uphclean\uphclean.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-11-26 06:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 10:20
ComboFix2.txt 2009-11-25 21:51

Pre-Run: 1,616,523,264 bytes free
Post-Run: 3,187,396,608 bytes free

- - End Of File - - F3163F4578E7C81C27AE80B03192DF7D

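An added example, not code from the original post or from ComboFix: a Python triage pass over a ComboFix log like the one above. It splits the log at the "(((( Section ))))" and "---- Section ----" banners and flags the lines a helper reads first: the AV status line in the header, the "is infected" and "found and disinfected" lines under Other Deletions, the Security Center and firewall-policy values, services whose image file ComboFix could not find (the [?] marker), per-interface DNS servers, and the MBR detector's warning. The rule labels, the function names and the idea of keying each hit to its banner are this example's own; SAMPLE_LOG is an excerpt of the posted log with the long file listings removed.

```python
"""Triage a ComboFix log: pull out the lines a helper reads first.

Added example; not code from the original post or from ComboFix.
The banner formats and the phrases matched below are taken from the
log posted above; the rule labels and function names are this
example's own. SAMPLE_LOG is an excerpt of that log, lines copied
verbatim, with the long file listings left out.
"""
import re

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")      # ((((( Section )))))
DASH_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}\s*$")     # ----- Section -----

# (label, pattern): each hit is something a human should look at, not a verdict.
RULES = [
    ("av-disabled",       re.compile(r"\*On-access scanning disabled\*")),
    ("infected-file",     re.compile(r"is infected!!\s*$")),
    ("disinfected-file",  re.compile(r"^Infected copy of .* was found and disinfected$")),
    ("av-monitoring-off", re.compile(r'"DisableMonitoring"=dword:00000001')),
    ("firewall-off",      re.compile(r'"EnableFirewall"=\s*0\b')),
    ("driver-no-file",    re.compile(r"^[SR]\d+ [^;]+;.*\[\?\]$")),   # image file not found
    ("static-dns",        re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = ")),  # per-interface DNS
    ("mbr-warning",       re.compile(r"^Warning: possible MBR rootkit")),
]

# Excerpt of the log posted above (lines verbatim, listings removed).
SAMPLE_LOG = r"""ComboFix 09-11-25.01 - Owner 11/26/2009 5:41.2.1 - x86
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\42cAA.sys

c:\windows\System32\Drivers\d347prt.sys . . . is infected!!

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]

------- Supplementary Scan -------
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""


def triage(log: str) -> list:
    """Return (section, label, line) triples for every rule hit, where
    section is the most recent ComboFix banner seen above the line."""
    findings = []
    section = "header"
    for line in log.splitlines():
        m = BANNER_RE.match(line) or DASH_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((section, label, line.strip()))
    return findings


def summarize(findings: list) -> dict:
    """Count hits per label, for a one-glance overview of a log."""
    counts = {}
    for _, label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for section, label, line in triage(SAMPLE_LOG):
        print(f"[{section}] {label}: {line}")
```

The output is a reading list, not a verdict. The MBR detector in this log prints both the warning and "user & kernel MBR OK", and of the two services flagged for a missing image file, abcderr matches the abcderr.exe in the crash report later in the thread, which carries RootRepeal's version information, so that entry is most likely a leftover of a renamed RootRepeal copy rather than malware. The DNS servers are flagged only so that they get checked against what the ISP is supposed to hand out.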


#19 extremeboy (Retired WTT Malware Disintegrator Teacher, 1,433 posts)

Posted 27 November 2009 - 02:55 PM

Hello.

Can you try running GMER for me and see if it works now?

Install and run MBAM.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Thanks.

~EB
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free.

#20 JoeGons (Authentic Member)

Posted 27 November 2009 - 06:43 PM

Well, I tried GMER and the same problem. It runs for about 10 seconds and crashes. Crash report:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="8136he7u.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="8136he7u.exe" SIZE="292352" CHECKSUM="0xA28D6C77" BIN_FILE_VERSION="1.0.15.15252" BIN_PRODUCT_VERSION="1.0.15.15252" FILE_VERSION="1, 0, 15, 15252" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.15.15252" UPTO_BIN_PRODUCT_VERSION="1.0.15.15252" LINK_DATE="11/21/2009 11:17:17" UPTO_LINK_DATE="11/21/2009 11:17:17" VER_LANGUAGE="Polish [0x415]" />
<MATCHING_FILE NAME="ComboFix.exe" SIZE="3576026" CHECKSUM="0x9E983C90" MODULE_TYPE="WIN32" PE_CHECKSUM="0x3694BA" LINKER_VERSION="0x0" LINK_DATE="07/20/2009 08:15:43" UPTO_LINK_DATE="07/20/2009 08:15:43" />
<MATCHING_FILE NAME="RootRepeal.exe" SIZE="472064" CHECKSUM="0x5CB5D60B" BIN_FILE_VERSION="1.3.5.0" BIN_PRODUCT_VERSION="1.3.5.0" PRODUCT_VERSION="1, 3, 5, 0" FILE_DESCRIPTION="RootRepeal" COMPANY_NAME=" " PRODUCT_NAME="RootRepeal" FILE_VERSION="1, 3, 5, 0" ORIGINAL_FILENAME="RootRepeal.exe" INTERNAL_NAME="RootRepeal" LEGAL_COPYRIGHT="Copyright © AD 2007-2009" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x75D7A" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.3.5.0" UPTO_BIN_PRODUCT_VERSION="1.3.5.0" LINK_DATE="08/13/2009 15:12:15" UPTO_LINK_DATE="08/13/2009 15:12:15" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Desk_Top\Computer\Malware removal\abcderr.exe" SIZE="472064" CHECKSUM="0x5CB5D60B" BIN_FILE_VERSION="1.3.5.0" BIN_PRODUCT_VERSION="1.3.5.0" PRODUCT_VERSION="1, 3, 5, 0" FILE_DESCRIPTION="RootRepeal" COMPANY_NAME=" " PRODUCT_NAME="RootRepeal" FILE_VERSION="1, 3, 5, 0" ORIGINAL_FILENAME="RootRepeal.exe" INTERNAL_NAME="RootRepeal" LEGAL_COPYRIGHT="Copyright © AD 2007-2009" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x75D7A" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.3.5.0" UPTO_BIN_PRODUCT_VERSION="1.3.5.0" LINK_DATE="08/13/2009 15:12:15" UPTO_LINK_DATE="08/13/2009 15:12:15" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Desk_Top\Computer\Malware removal\ATF-Cleaner.exe" SIZE="50688" CHECKSUM="0x64A9D2CD" BIN_FILE_VERSION="3.0.0.2" BIN_PRODUCT_VERSION="3.0.0.2" PRODUCT_VERSION="3.00.0002" FILE_DESCRIPTION="ATF Cleaner.exe" COMPANY_NAME="Atribune.org" PRODUCT_NAME="ATF Cleaner" FILE_VERSION="3.00.0002" ORIGINAL_FILENAME="ATF-Cleaner.exe" INTERNAL_NAME="ATF-Cleaner" LEGAL_COPYRIGHT="© 2005 Atribune.org" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x30000" UPTO_BIN_FILE_VERSION="3.0.0.2" UPTO_BIN_PRODUCT_VERSION="3.0.0.2" LINK_DATE="02/15/2007 13:00:43" UPTO_LINK_DATE="02/15/2007 13:00:43" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Desk_Top\Computer\Malware removal\mbam-setup.exe" SIZE="2696896" CHECKSUM="0x4C073403" BIN_FILE_VERSION="1.32.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION="1.32 " FILE_DESCRIPTION="Malwarebytes' Anti-Malware " COMPANY_NAME="Malwarebytes Corporation " PRODUCT_NAME="Malwarebytes' Anti-Malware " FILE_VERSION="1.32 " LEGAL_COPYRIGHT="© Malwarebytes Corporation. All rights reserved. " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x295BF5" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="1.32.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Language Neutral [0x0]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>

-------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3245
Windows 5.1.2600 Service Pack 3

11/27/2009 8:34:24 PM
mbam-log-2009-11-27 (20-34-21).txt

Scan type: Quick Scan
Objects scanned: 136339
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by JoeGons, 27 November 2009 - 06:49 PM.



#21 extremeboy (Retired WTT Malware Disintegrator Teacher)

Posted 28 November 2009 - 01:55 PM

Hello again.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log, defogger_disable, which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

---

Download a NEW copy of Combofix by clicking on one of the two links below and save it to your desktop. Please delete the copy of Combofix you have currently.

Link 1
Link 2

Run it and post the log once it's complete for me to review please.

Thanks.

~Extremeboy

#22 JoeGons (Authentic Member)

Posted 28 November 2009 - 05:45 PM

No errors. -----------

-----------------------------

ComboFix 09-11-28.01 - Owner 11/28/2009 18:48.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.425 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-28 22:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 22:13 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-28 09:35 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-27 14:57 . 2008-10-16 15:59 -------- d-----w- c:\program files\RecvMngr
2009-11-26 13:58 . 2009-07-16 14:38 -------- d-----w- c:\program files\Mars
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper ™ Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SpamExperts\\SpamExperts.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]

2009-11-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 19:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8371D008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf750cf28
\Driver\ACPI -> ACPI.sys @ 0xf7429cb8
\Driver\atapi -> 0x8371d008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\SpamExpertsLSP.dll

- - - - - - - > 'lsass.exe'(1204)
c:\windows\system32\SpamExpertsLSP.dll

- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-28 19:12
ComboFix-quarantined-files.txt 2009-11-28 23:10
ComboFix2.txt 2009-11-26 10:20
ComboFix3.txt 2009-11-25 21:51

Pre-Run: 4,808,097,792 bytes free
Post-Run: 4,767,182,848 bytes free

- - End Of File - - 4B3A7057406C2F27C5121CB9EEA60A62



#23 extremeboy (Retired WTT Malware Disintegrator Teacher)

Posted 30 November 2009 - 03:40 PM

Hello.

I suggest you uninstall your Daemon Tools via Add/Remove Programs.
Then follow the instructions under the "How can I remove SPTD driver on 32-bit OS?" heading at http://www.duplexsecure.com/en/faq and download and run the tool.

We can always install it back later if you need it, as CD emulators can interfere with some of our tools.
--

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administartor)
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    atapi.sys
    :dir
    C:\Restore atapi.sys
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Let me know what symptoms or problems you currently have with the system. Also, try downloading a NEW copy of GMER and see if you can run it. If so, post the logs in your next reply.
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to [image link]

#24 JoeGons


Posted 30 November 2009 - 05:45 PM

Hi, I think we’re getting a bit paranoid. I created the Folder “C:\Restore atapi.sys” because I read that there could be a problem after running Malwarebytes. I created a Folder “C:\Restore atapi.sys” and recovered the required files and stored them there. The Folder just sits there!!! Those files have been scanned. I even scanned them with Malwarebytes!!! The idea was that if I encountered a problem, I could restore the files. If that is what you are seeing, there is nothing there. If you want me to uninstall Daemon I can do that. I can also remove the SPTD driver. I mentioned before, I am having NO symptoms with my System. It’s working just fine. My original question was about a file I found. You know I’m 64 years old and I’m au courant with Windows troubleshooting but surely no expert. Before I do anything, I research just what I am doing. I know you are a person of few words. I am keen to find out why several tools just do not run on my System. I will uninstall Daemon and remove the SPTD driver. No Problem. I can also run a new copy of GMER. If you share with me just what we are looking for, I’m sure we will move along a lot faster. Thanks, Joe.



#25 JoeGons


Posted 01 December 2009 - 10:00 AM

I got GMER to run. It's been over four hours and still going. I'll post later. J

Edited by JoeGons, 01 December 2009 - 10:01 AM.



#26 JoeGons


Posted 01 December 2009 - 07:17 PM

I searched the Registry for SPTD and it’s not there.
Remember I ran DeFogger before. I don’t know if that is of any importance.
In any case, I ran SPTDinst-v162-x86.exe.
It said “No SPTD version was detected.”
I then tried to run a new GMER.
The odd thing is that it starts to scan as soon as it is launched.
It runs for about 10 seconds and then gets a problem.
There is no “Stop” or “Pause” button so I am unable to deselect any items.
I then tried it in Safe mode.
While “Safe Mode” was booting, I stopped “d347 Bus” from loading.
I ran GMER and all went well. For 8 ½ hours!!!
The problem was that I have a program for BMW parts.
It has over 71000 files. I also have a backup for the same program on my C: Drive.
Anyway, after it finished, there were only three interesting detections on the main screen.
The rest were files from my BMW program with file extension xx.ITW.
In safe mode I could not see a save button.
The resolution does not work for this program in Safe Mode.
I started to see if I could copy the Scan Results and, in short, it crashed.
I had to force a shut down and start again.
I uninstalled Daemon.
I removed the folders with the large file count and ran GMER.
When it started it ran some sort of initial scan.
I am happy to observe that I do not think I have a Root Kit problem.

After starting GMER.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-01 18:01:44
Windows 5.1.2600 Service Pack 3
Running: xh9pbsme.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwdoiuoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


I then did a scan as per the instructions.


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 20:34:55
Windows 5.1.2600 Service Pack 3
Running: xh9pbsme.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwdoiuoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF675BB30]
SSDT E1BED498 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF751887E]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF675B6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF675B470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF675BC50]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7518BFE]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF675B990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF675B8D0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED81E6D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF675BD60]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Have fun with this but I think we can call this solved!!

J

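As an added example (not part of this thread, and not GMER's own code), a small Python triage of the "---- System ----" section of a GMER log like the one posted above: an SSDT hook that resolves only to a bare address, or to a module with no description/vendor string, is what an analyst checks first, while vendor-attributed hooks (the Sygate firewall and Lavasoft boot driver here) are the expected ones from installed security software. The sample lines are copied from the scan above; the category names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample: the SSDT section copied from the GMER scan posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF675BB30]
SSDT E1BED498 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF751887E]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED81E6D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF675BD60]
"""
# One SSDT line: module (file, \??\ path or bare address), optional "(desc/vendor)", Zw* function, optional "[0xADDR]".
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # address with no module behind it

@dataclass
class SsdtHook:
    module: str
    vendor: Optional[str]
    func: str
    addr: Optional[str]

    @property
    def image_name(self) -> str:
        return self.module.rsplit("\\", 1)[-1].lower()

    @property
    def category(self) -> str:
        if BARE_ADDR_RE.match(self.module):
            return "unresolved"    # hook into memory not backed by a file: check first
        if not self.vendor:
            return "unattributed"  # file on disk but no description/vendor string
        return "attributed"        # described module, e.g. installed security software

def parse_ssdt(text: str) -> List[SsdtHook]:
    # Extract every SSDT hook line from a GMER log; other lines are ignored.
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(SsdtHook(m["module"], m["vendor"], m["func"], m["addr"]))
    return hooks

def triage(hooks: List[SsdtHook]) -> Dict[str, Dict[str, List[str]]]:
    # Group hooked functions by category, then by the hooking module.
    grouped = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        grouped[h.category][h.image_name].append(h.func)
    return {cat: dict(mods) for cat, mods in grouped.items()}
```

On the log above this puts ZwConnectPort (bare address E1BED498) and uphcleanhlp.sys's ZwUnloadKey in the two categories to look at, and the Sygate and Lavasoft hooks in the attributed group.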


#27 extremeboy


Posted 02 December 2009 - 08:24 PM

Nice problem solving there. I would never have noticed the large folder unless you mentioned it, as none of the logs showed that.

I suggest you run an online scan and see if there's anything...

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the [image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

If Kaspersky doesn't work run ESET:

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.

Post the results in your next reply and a new DDS log.

Thanks.

~EB

#28 JoeGons


Posted 03 December 2009 - 05:56 PM

My provider notgood up big time. My ADSL has been down for 24 hours. I am using an Emergency Dialup service to let you know. I will do the scan as soon as I am back in business. J



#29 JoeGons


Posted 05 December 2009 - 06:44 AM

Hi, My Service is still down. I have had to use a Dialup service. It will be down for a few more days because there is a piece of equipment at the Telephone Exchange that must be replaced and the technician is not working today. I am getting no PPP link. Kaspersky’s scanner is not on line. I did ESET. Took forever to download. I knew it would. It took about 2 ½ hours just to download the definitions. After Scanning for six hours I had to stop because I needed to use the Computer. I am sorry but I will be away from home from Dec. 06 until Jan 04. When I get back I will do the scan overnight and see what happens. Thanks, Joe



#30 extremeboy


Posted 05 December 2009 - 11:59 AM

Okay, thanks for the information.

If that doesn't work due to the connection, try running this AVP downloaded tool..

Download and Run Kaspersky Virus Removal Tool

I suggest you read over the instructions and then print/save the instructions into notepad or somewhere so you can have a reference and follow the instructions correctly when in Safe Mode, since you won't have access to this page anymore.

  • Please download Kaspersky Virus-Removal Tool and save it to your desktop.
  • Alternate Download Mirror 2
  • Reboot your computer into SafeMode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Then, use your up arrow key to highlight SafeMode then hit enter. Additional instructions can be found over here
  • Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
  • Double click the installer on your desktop and follow the prompts. Kaspersky Virus Removal Tool will open after the installation. If you are using Vista, please right-click and select run as administrator.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit Ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok. Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right-hand corner. Please be patient while the scan completes. It may take a while.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "KasReport".
  • Close out of the program. When asked to uninstall, select Yes. <- Make sure you have saved the log file on your desktop before uninstalling it.
  • Attach back with the KasReport in your next reply please.
