C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Ktardin » December 28th, 2009, 4:58 pm

Hi, AVG has popped up at me for a while now, maybe a month or so, telling me about this infection, and I haven't done anything about it as I could not find anything different about the running of my PC, or any "symptoms", but I have decided I should do something about it as internet searching has proved it can be quite nasty.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:12, on 28/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6849 bytes

Uninstall list:

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI AVIVO Codecs
AVG Free 9.0
Belkin 54Mbps Wireless Network Adapter
Bonjour
Catalyst Control Center - Branding
Cheat Engine 5.5
Cities XL
Cool & Quiet
Curse Client
DDR - iPod Recovery(Demo) 4.0.1.6
DivX Codec
DivX Converter
DivX Player
Dragon Age: Origins
Dungeons and Dragons Online™ - Eberron Unlimited™ - Live
EA Download Manager
EPSON Printer Software
Evolva
FLV Player 2.0 (build 25)
Free YouTube to MP3 Converter version 3.2
Freelancer
Garry's Mod
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HxD Hex Editor version 1.7.7.0
iPhone/iTouch/iPod to Computer Transfer 5.8.1
iPodRip
iTunes
Java(TM) 6 Update 16
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware
Max Payne 2
Mercenaries 2: World in Flames(tm)
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Choice Guard
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.5.6)
mplayer.com
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OF Dragon Rising
OpenOffice.org 3.1
Peggle Deluxe 1.01
PlayLinc
Pod to PC 3.083
PowerISO
PunkBuster Services
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Requiem
Runes of Magic
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Spyware Doctor 6.1
Star Wars: The Force Unleashed
Station Launcher
Steam
Tansee iPod Transfer Photo v5.0
The Lord of the Rings Online™
The Matrix - Path of Neo
Total Annihilation
Total Annihilation: Kingdoms
Transformers(TM) - Le Jeu Demo
Turbine Download Manager
Two Worlds
Uninstall 1.0.0.1
Unreal Tournament 3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Virtual DJ - Atomix Productions
VLC media player 1.0.3
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
World of Warcraft
X3: Terran Conflict
Xilisoft iPhone Transfer


(There is a lot of un-needed "crap" installed on my PC, I've been busy and I'm generally lazy)
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm
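As an added example (not code from this thread, from MalwareRemoval.com or from HijackThis), the following Python script parses the HijackThis log format posted above and produces review hints for the entry types a helper usually checks first: orphaned O2/O3 browser add-ons marked "(no file)", O4 autoruns launched straight from the Windows folder, a populated O20 AppInit_DLLs value, O23 services with an unknown owner, and O1 hosts-file lines pointing at a non-loopback address. The sample log is a constructed excerpt modelled on the log above, plus one invented hosts line with a TEST-NET address; every hint means "verify this", not "this is malware".

```python
"""Triage parser for Trend Micro HijackThis v2 log entries.

Added example for this thread; it is not code from MalwareRemoval.com or from
HijackThis. It reads the "Rn - ..." / "On - ..." lines of a HijackThis log and
returns review hints for the entry types a helper looks at first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O2/O3: "BHO: <name> - {CLSID} - <path>" or "Toolbar: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# O1: "Hosts: <address> <hostname>"
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
# An executable sitting directly in the Windows directory (no subfolder).
# Legitimate tray tools (webcam utilities, for instance) do this too, so it is
# only a prompt to confirm the vendor.
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\Windows\\[^\\]+\.exe', re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a review hint for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section in ("O2", "O3"):
        b = BHO_RE.match(body)
        if b and b.group("path").strip() == "(no file)":
            return Finding(section, "orphaned browser add-on: registry key remains but its DLL is gone", line)

    elif section == "O4":
        r = RUN_RE.match(body)
        if r and WINROOT_EXE_RE.match(r.group("cmd")):
            return Finding(section, "autorun executable directly in the Windows folder; confirm its vendor", line)

    elif section == "O20":
        dlls = body.partition(":")[2].strip()
        if body.startswith("AppInit_DLLs:") and dlls:
            return Finding(section, "AppInit_DLLs loads %s into every user-mode process; confirm its publisher" % dlls, line)

    elif section == "O23":
        # Service names may themselves contain " - ", so split from the right:
        # the last two fields are always <owner> and <path>.
        parts = body[len("Service: "):].rsplit(" - ", 2) if body.startswith("Service: ") else []
        if len(parts) == 3 and parts[1] == "Unknown owner":
            return Finding(section, "service with no recognised publisher; check the binary's signature", line)

    elif section == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group("addr") not in LOOPBACK:
            return Finding(section, "hosts-file override pointing %s at a non-loopback address" % h.group("host"), line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the hints in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def counts_by_section(findings: List[Finding]) -> dict:
    """Count hints per HijackThis section (e.g. {"O2": 1, "O23": 1})."""
    out = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


# Constructed excerpt modelled on the HijackThis log posted in this thread, plus
# one invented hosts line (TEST-NET-3 address) to exercise the non-loopback check.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 update.example.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f.section, f.reason, f.line.strip()))
```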

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by MWR 3 day Mod » December 31st, 2009, 8:52 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Cypher » January 2nd, 2010, 1:06 pm

Hi and welcome, sorry for the delay, the forum is really busy.
My name is Cypher, and I will be helping you with your malware problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  • Print each set of instructions... if possible...your Internet connection might not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • The logs from the tools we use can take some time to research so please be patient.
  • I am currently reviewing your log, and will return as soon as possible with your next set of instructions.

  • In the meantime please read this topic Rules of this forum where the conditions for receiving help here are explained.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Cypher » January 3rd, 2010, 7:09 am

Hi Ktardin.

Vista Advice:
  • All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.
  • The Operating System (Vista aka Windows 6) in use comes with an inbuilt utility called User Access Control (UAC).
  • When prompted by this with anything I ask you to do carry out please select the option Allow.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    µTorrent

  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on Start > All programs > Accessories > Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Next.

Please download GMER Rootkit Scanner from Here.
  • Right click on the .exe file and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

Next.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.
  • Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... 2 log files...will be produced.
  • The first one, "log.txt", << will be maximized
  • The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Logs/Information to Post in your Next Reply

  • Gmer.txt log.
  • RSIT log.txt file contents and info.txt file contents.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Ktardin » January 4th, 2010, 1:20 pm

Hi, thank you for helping :)

Ok, I uninstalled uTorrent as asked, and have downloaded both tools and have used the second (RSIT) to great effect, however the first tool you pointed me towards, Gmer, I have had difficulties with.

I noticed your post last night and so decided to try the Gmer tool... however upon starting a scan, all was fine, until suddenly my PC slowed right down (about 8 minutes into the scan), I could not click on anything or interact at all with my desktop or the scanner window (all programs were shut down as requested). I decided to leave it to see what happened, at which point my screen went totally black, and I had no control whatsoever, and after 20 mins of waiting I rebooted.

Anyway, here are the two files created via the RSIT tool:

log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ktardin at 2010-01-04 17:07:41
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 347 MB (1%) free of 38 GB
Total RAM: 3326 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:09, on 04/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Ktardin\Desktop\Skins\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ktardin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6781 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-12 1484056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-06-16 1144712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-06-16 1144712]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"snpstd"=C:\Windows\vsnpstd.exe [2005-10-11 339968]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2009-07-27 180224]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-01-01 2033432]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"Turbine Download Manager Tray Icon"=D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe [2009-11-05 472568]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-09-18 98304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"CurseClient"=C:\Program Files\Curse\CurseClient.exe [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE [2006-12-25 177664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D7050v3]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Apps\iTunes\iTunesHelper.exe [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\games\steam1\steam.exe [2009-10-25 1217808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-20 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Ktardin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
D:\Apps\OPENOF~1\OPENOF~1.ORG\program\QUICKS~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\SWTFU_Autorun.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-01-04 17:07:41 ----D---- C:\rsit
2010-01-03 19:34:06 ----D---- C:\Users\Ktardin\AppData\Roaming\Electronic Arts
2010-01-01 19:47:49 ----D---- C:\Users\Ktardin\AppData\Roaming\Mount&Blade
2010-01-01 18:27:12 ----SHD---- C:\Users\Ktardin\AppData\Roaming\.#
2009-12-28 22:56:26 ----D---- C:\ATI
2009-12-28 20:46:43 ----D---- C:\Program Files\Trend Micro
2009-12-26 21:20:36 ----D---- C:\Users\Ktardin\AppData\Roaming\InstallShield Installation Information
2009-12-26 21:03:49 ----D---- C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-12-26 18:25:24 ----A---- C:\sat9244.tmp
2009-12-26 18:22:11 ----D---- C:\Users\Ktardin\AppData\Roaming\ATI
2009-12-26 18:22:11 ----D---- C:\ProgramData\ATI
2009-12-26 18:17:30 ----D---- C:\Program Files\My Company Name
2009-12-26 18:15:56 ----D---- C:\Program Files\Common Files\ATI Technologies
2009-12-26 18:15:01 ----A---- C:\Windows\system32\ATIDEMGX.dll
2009-12-22 17:29:24 ----D---- C:\ProgramData\Turbine
2009-12-22 17:26:14 ----D---- C:\Windows\system32\URTTEMP
2009-12-17 00:06:57 ----D---- C:\ProgramData\Trymedia
2009-12-14 17:53:02 ----D---- C:\Users\Ktardin\AppData\Roaming\acccore
2009-12-14 17:48:53 ----D---- C:\Windows\system32\PlayLinc
2009-12-14 17:48:53 ----D---- C:\Program Files\PlayLinc
2009-12-11 16:33:41 ----D---- C:\Users\Ktardin\AppData\Roaming\FOG Downloader
2009-12-11 12:47:19 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-11 12:47:18 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 16:56:02 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 16:55:55 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 16:55:55 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 16:55:53 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 16:55:53 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\occache.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-09 16:55:51 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ieui.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iesetup.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iernonce.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iepeers.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-09 16:52:26 ----A---- C:\Windows\system32\rastls.dll
2009-12-09 16:52:26 ----A---- C:\Windows\system32\raschap.dll
2009-12-06 15:35:02 ----D---- C:\Program Files\MSXML 4.0

======List of files/folders modified in the last 1 months======

2010-01-04 17:07:53 ----D---- C:\Windows\Prefetch
2010-01-04 17:07:12 ----D---- C:\Windows\Temp
2010-01-03 22:57:10 ----RD---- C:\Program Files
2010-01-03 22:57:09 ----D---- C:\Users\Ktardin\AppData\Roaming\uTorrent
2010-01-03 12:04:52 ----SHD---- C:\System Volume Information
2010-01-01 18:25:54 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-01 18:21:59 ----SHD---- C:\Windows\Installer
2009-12-31 21:24:21 ----D---- C:\Program Files\DivX
2009-12-31 21:24:13 ----D---- C:\Windows\System32
2009-12-31 21:24:11 ----D---- C:\Program Files\Common Files\DivX Shared
2009-12-30 18:32:06 ----D---- C:\Users\Ktardin\AppData\Roaming\vlc
2009-12-28 23:25:11 ----D---- C:\Windows
2009-12-28 22:58:41 ----D---- C:\Windows\system32\drivers
2009-12-28 22:58:26 ----D---- C:\Windows\system32\catroot
2009-12-28 22:58:24 ----D---- C:\Windows\inf
2009-12-28 22:57:34 ----D---- C:\Windows\winsxs
2009-12-28 19:29:48 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-27 13:11:00 ----RSD---- C:\Windows\assembly
2009-12-26 21:03:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-26 21:03:27 ----HD---- C:\ProgramData
2009-12-26 18:44:19 ----D---- C:\Program Files\Common Files\BioWare
2009-12-26 18:43:57 ----D---- C:\ProgramData\Media Center Programs
2009-12-26 18:35:38 ----D---- C:\Program Files\Common Files\Steam
2009-12-26 18:17:05 ----D---- C:\Program Files\Mozilla Firefox
2009-12-26 18:16:32 ----D---- C:\Program Files\ATI Technologies
2009-12-26 18:15:56 ----D---- C:\Program Files\Common Files
2009-12-26 18:10:58 ----D---- C:\Windows\system32\catroot2
2009-12-23 13:01:52 ----D---- C:\Users\Ktardin\AppData\Roaming\Mozilla
2009-12-22 23:40:11 ----D---- C:\Users\Ktardin\AppData\Roaming\Adobe
2009-12-22 17:29:41 ----D---- C:\Windows\registration
2009-12-22 17:28:01 ----D---- C:\Program Files\Internet Explorer
2009-12-21 13:05:11 ----D---- C:\Windows\LiveKernelReports
2009-12-18 13:47:06 ----RSD---- C:\Windows\Fonts
2009-12-17 00:08:23 ----D---- C:\ProgramData\PopCap Games
2009-12-13 21:55:41 ----D---- C:\ProgramData\Messenger Plus!
2009-12-11 20:51:36 ----SD---- C:\Windows\Downloaded Program Files
2009-12-11 13:10:02 ----D---- C:\Windows\rescache
2009-12-11 12:51:56 ----D---- C:\Windows\system32\migration
2009-12-11 12:51:56 ----D---- C:\Windows\system32\en-US
2009-12-11 12:47:12 ----A---- C:\Windows\system32\MRT.INI
2009-12-11 12:44:50 ----D---- C:\Program Files\Windows Mail
2009-12-07 20:35:38 ----D---- C:\Windows\Logs

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AsIO;AsIO; C:\Windows\system32\drivers\AsIO.sys [2009-09-20 12400]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-11-14 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-11-14 28424]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-11-14 360584]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2009-07-27 58908]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2006-07-24 5632]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\AtiHdmi.sys [2009-08-23 101904]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-11-25 5143552]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2009-10-07 25752]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2006-10-20 7680]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista; C:\Windows\system32\DRIVERS\netr73.sys [2009-09-20 464384]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-05-25 164864]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 hamachi_oem;PlayLinc Adapter; C:\Windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\drivers\LVUSBSta.sys [2007-05-09 41888]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-08-16 9545152]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\Windows\system32\DRIVERS\LV302V32.SYS [2007-05-09 1276832]
S3 snpstd;Trust Webcam 14823; C:\Windows\system32\DRIVERS\snpstd.sys [2006-05-03 390784]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys [2005-08-17 58352]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys [2005-08-17 8272]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys [2005-08-17 93872]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-21 73088]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-11-25 172032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-11-14 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-14 285392]
R2 LiveTurbineMessageService;Turbine Message Service - Live; D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-11-05 271856]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 154136]
R2 PnkBstrB;PnkBstrB; C:\Windows\system32\PnkBstrB.exe [2009-10-07 190144]
R3 LiveTurbineNetworkService;Turbine Network Service - Live; D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-11-05 218608]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-27 34312]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-08 545568]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-04-16 91184]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-11-19 348824]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-07-22 1097096]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-12-14 321320]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S4 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-08-17 215584]
S4 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2009-10-05 75064]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-08-17 239648]

-----------------EOF-----------------
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Ktardin » January 4th, 2010, 1:22 pm

Info.txt:

info.txt logfile of random's system information tool 1.06 2010-01-04 17:08:12

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
ATI AVIVO Codecs-->MsiExec.exe /I{45E5B130-1883-F543-0FDF-06B142ADC33A}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Belkin 54Mbps Wireless Network Adapter-->C:\Program Files\InstallShield Installation Information\{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}\setup.exe -runfromtemp -l0x0009 -removeonly
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Catalyst Control Center - Branding-->MsiExec.exe /I{A961C6FD-C583-45F6-A0A4-5E4376C29E41}
Cheat Engine 5.5-->"C:\Program Files\Cheat Engine\unins000.exe"
Cities XL-->D:\Games\Cities XL\uninst.exe
Cool & Quiet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\Setup.exe" -l0x9
Curse Client-->C:\Program Files\Curse\uninstall.exe
DDR - iPod Recovery(Demo) 4.0.1.6-->C:\Windows\UnDeployV.exe "C:\Program Files\DDR - iPod Recovery(Demo)\Deploy.log"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Plus Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dragon Age: Origins-->C:\Program Files\Common Files\BioWare\Uninstall Dragon Age.exe
EA Download Manager-->C:\Program Files\Electronic Arts\EADM\Uninstall.exe
EPSON Printer Software-->C:\Windows\system32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Evolva-->C:\Windows\IsUninst.exe -f"C:\Program Files\Computer Artworks\Evolva\Uninst.isu"
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
Free YouTube to MP3 Converter version 3.2-->"C:\Program Files\DVDVideoSoft\Free YouTube to MP3 Converter\unins000.exe"
Freelancer-->"D:\Games\Freelancer\UNINSTAL.EXE" /runtemp /addremove
Garry's Mod-->"D:\Games\steam1\steam.exe" steam://uninstall/4000
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HxD Hex Editor version 1.7.7.0-->"C:\Program Files\HxD\unins000.exe"
iPhone/iTouch/iPod to Computer Transfer 5.8.1-->"C:\Program Files\Cucusoft\iPod to Computer\unins000.exe"
iPodRip-->MsiExec.exe /X{DABB97A2-5C8B-42A8-AE2F-C587175880D6}
iTunes-->MsiExec.exe /I{EC2A8F27-4FBF-4E41-B27B-FE822511B761}
Java(TM) 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Logitech Webcam Software Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\12.10.1110\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=200 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -arpregkey"lvdrivers_12.10" /clone_wait /hide_progress
Logitech Webcam Software-->MsiExec.exe /I{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Max Payne 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}\setup.exe" -l0x9
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Age of Empires II-->"D:\Games\AoE2\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{20110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
mIRC-->D:\Apps\mIRC\uninstall.exe _?=D:\Apps\mIRC
Mozilla Firefox (3.5.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mplayer.com-->"C:\Program Files\mplayer\System\UNWISE32.EXE" /a C:\PROGRA~1\mplayer\System\install.log
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}
NVIDIA Stereoscopic 3D Driver-->"C:\Program Files\NVIDIA Corporation\3D Vision\nvStInst.exe" /uninstall /ask
OF Dragon Rising-->"C:\Program Files\InstallShield Installation Information\{1A4052AB-BA77-44F7-8EE7-9F9131BFD7A6}\setup.exe" -runfromtemp -l0x0009 -removeonly
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
Peggle Deluxe 1.01-->C:\Program Files\PopCap Games\Peggle Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Peggle Deluxe\Install.log"
PlayLinc-->MsiExec.exe /I{2158685C-E2B3-4026-B0A1-0FFE31837AFD}
Pod to PC 3.083-->"C:\Program Files\Pod to PC\unins000.exe"
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PunkBuster Services-->C:\Windows\system32\pbsvc.exe -u
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
Realtek 8169 8168 8101E 8102E Ethernet Driver-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\Setup.exe -runfromtemp -l0x0009 -removeonly
Requiem-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F9831B39-277F-4F53-BFB0-12DC90C4CB40}\setup.exe" -l0x9 -removeonly
Runes of Magic-->"D:\Games\Runes of Magic\unins000.exe"
SAMSUNG Mobile Composite Device Software-->C:\Windows\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software-->C:\Windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\Windows\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\Windows\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sid Meier's Civilization 4 - Beyond the Sword-->C:\Program Files\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Spyware Doctor 6.1-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Star Wars: The Force Unleashed-->"D:\Games\Aspyr\Star Wars The Force Unleashed\unins000.exe"
Station Launcher-->D:\Games\Station Launcher\uninstall.exe
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Tansee iPod Transfer Photo v5.0-->"C:\Program Files\Tansee iPod Transfer Photo\unins000.exe"
The Lord of the Rings Online™-->"D:\Games\Turbine\The Lord of the Rings Online\Uninstall.exe" /silent /query 12bbe590-c890-11d9-9669-0800200c9a66_is1
Total Annihilation: Kingdoms-->C:\Windows\IsUninst.exe -fC:\Cavedog\Kingdoms\Uninst.isu
Total Annihilation-->C:\CAVEDOG\TOTALA\setup.exe -u
Transformers(TM) - Le Jeu Demo-->C:\Program Files\InstallShield Installation Information\{52AC37AD-2435-4BD8-A28A-5AF1306EF69B}\setup.exe -runfromtemp -l0x040c
Turbine Download Manager-->"D:\Games\Turbine\Turbine Download Manager\UninstallTDM.exe" /silent /query 62289540-dc30-11dc-95ff-0800200c9a66_is1
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Unreal Tournament 3-->MsiExec.exe /X{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Virtual DJ - Atomix Productions-->C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
VLC media player 1.0.3-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Warhammer Online: Age of Reckoning-->"D:\Games\Warhammer Online - Age of Reckoning\unins000.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft Public Test-PTR\Uninstall.exe
X3: Terran Conflict-->"D:\Games\steam1\steam.exe" steam://uninstall/2820
Xilisoft iPhone Transfer-->C:\Program Files\Xilisoft\iPhone Transfer\Uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Ktardin-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 48623
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20100104002537.936830-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 48633
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20100104002553.932200-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Ktardin-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 48644
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20100104165944.278997-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00173F14262D. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 48648
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20100104170016.000000-000
Event Type: Warning
User:

Computer Name: Ktardin-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
i8042prt
Record Number: 48719
Source Name: Service Control Manager
Time Written: 20100104170115.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Ktardin-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7603
Source Name: Microsoft-Windows-WMI
Time Written: 20100102193615.000000-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7633
Source Name: Microsoft-Windows-WMI
Time Written: 20100103111725.000000-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 1010
Message: The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Record Number: 7649
Source Name: Microsoft-Windows-Perflib
Time Written: 20100103225929.000000-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7670
Source Name: Microsoft-Windows-WMI
Time Written: 20100103231001.000000-000
Event Type: Error
User:

Computer Name: Ktardin-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7705
Source Name: Microsoft-Windows-WMI
Time Written: 20100104170114.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10014
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.769069-000
Event Type: Audit Failure
User:

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10015
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.815869-000
Event Type: Audit Failure
User:

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10016
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.847069-000
Event Type: Audit Failure
User:

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10017
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.893869-000
Event Type: Audit Failure
User:

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10018
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.940669-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm
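The Security event log in the info.txt above records five Event 5038 audit failures in a row for tcpip.sys (code integrity rejected the image hash). The following Python is an added example, not part of the thread and not a tool the helpers here use: it parses the RSIT info.txt event-log layout, decodes the WMI CIM_DATETIME form of the `Time Written` field, and groups the 5038 entries by the file they name. SAMPLE_LOG is a constructed excerpt in that layout.

```python
"""Triage the event-log sections of an RSIT info.txt for Event 5038 code-integrity failures.
Added example, not part of the original thread; SAMPLE_LOG is a constructed excerpt in the
layout of the info.txt posted above."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. Note the blank line inside each 5038 message and the two-line 7026 message.
SAMPLE_LOG = r"""
=====Security event log=====

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10014
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.769069-000
Event Type: Audit Failure
User:

Computer Name: Ktardin-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 10015
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100104170808.815869-000
Event Type: Audit Failure
User:

======System event log======

Computer Name: Ktardin-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
i8042prt
Record Number: 48719
Source Name: Service Control Manager
Time Written: 20100104170115.000000-000
Event Type: Error
User:
"""

# Field labels as printed in the log, mapped to record keys.
FIELDS = {"Computer Name": "computer", "Event Code": "code", "Message": "message",
          "File Name": "file_name", "Record Number": "record", "Source Name": "source",
          "Time Written": "time", "Event Type": "type", "User": "user"}
CODE_INTEGRITY_FAILURE = 5038  # Security-Auditing: image hash of a file is not valid


def parse_cim_datetime(value):
    """Decode a WMI CIM_DATETIME (yyyymmddHHMMSS.ffffffsUUU; sUUU = signed UTC offset in minutes)."""
    stamp = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(value[22:25]) * (-1 if value[21] == "-" else 1)
    return stamp.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def parse_info_txt(text):
    """Return one dict per event; a record starts at each 'Computer Name:' line."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines also occur inside a record, so they are not delimiters
        if line.startswith("=") and line.endswith("="):
            section = line.strip("=").strip()
            continue
        label, sep, value = line.partition(":")
        if sep and label in FIELDS:
            key = FIELDS[label]
            if key == "computer" or current is None:
                current = {"section": section}
                records.append(current)
            value = value.strip()
            if key in ("code", "record"):
                value = int(value)
            elif key == "time":
                value = parse_cim_datetime(value)
            current[key] = value
        elif current is not None:
            current["message"] = current.get("message", "") + " " + line  # Message continuation
    return records


def code_integrity_failures(records):
    """Group Event 5038 audit failures by file: {file: (count, first_seen, last_seen)}."""
    times = defaultdict(list)
    for rec in records:
        if rec.get("code") == CODE_INTEGRITY_FAILURE:
            times[rec.get("file_name", "<no file name>")].append(rec["time"])
    return {name: (len(t), min(t), max(t)) for name, t in times.items()}
```

A burst of 5038 entries within one second for a single driver, as seen above for tcpip.sys, is worth correlating with the file's modification time and signature rather than dismissing as a disk error.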

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Ktardin » January 4th, 2010, 2:02 pm

Ah, and I forgot to write in my last post: my PC is running fine, but the AVG message pops up every now and again, and as a side note it popped up when I executed the RSIT program. Anyway, I have found no symptoms of anything nasty, I just don't like the prospect of a rootkit that's white-listed as a critical system file :pale:

Thanks again for your response, I think this site is great and respect "you guys" to the utmost :)
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Cypher » January 5th, 2010, 6:53 am

Hi Ktardin.
OK, let's try a different rootkit scan.

Uninstall programs
  • Click on Start
  • All programs.
  • Accessories.
  • Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the following

Ask Toolbar
Ask.com


Next.

Punkbuster warning

I see you have Punkbuster installed (read the section on Published features). This is spyware. Punkbuster can take control over various aspects of your computer, and some gaming tools not unlike Punkbuster also hinder their removals. By the definition we handle here, Punkbuster is actual spyware. Therefore, I now ask you to decide the following:
  • Either we try to leave Punkbuster alone but there is no guarantee a spyware component doesn't 'accidentally' get taken out; so Punkbuster might break. This will, of course, also break your ability to play games using Punkbuster enabled servers.
  • Or we can just remove Punkbuster. You can reinstall it afterwards if you wish, but please keep in mind that it is spyware.
  • Another option is to not clean this computer at all. This ensures Punkbuster will continue to function.
Please let me know what you would like to do.

If you decide to uninstall Punkbuster please do the following.

Uninstall PunkBuster
Please download PBSVC Setup Program. Save it to your desktop.
  1. Double click on pbsvc.exe to start it... then click Uninstall.
    Once that's finished...
  2. Click on Start > All programs > Accessories > Run.
    and copy and paste the following into the open text box:
    Code:
    cmd /c for %i in (A B K) do sc delete PnkBstr%i
  3. Click OK. A black box will flash very briefly, this is normal.
  4. Double click My Computer on your desktop and browse to C:\windows\system32\drivers
  5. Locate the file: PnkBstrK.sys... if found delete it.
Let me know if you performed these steps successfully.

Next.

Please Download SysProt Antirootkit From one of the links below.

Link 1
Link 2
Link 3

Unzip it into a folder on your desktop.
  • Right click Sysprot.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
  • Click on the Log tab.
  • In the Write to log box select all items.
    See images below.

    Image

    And check Hidden objects only at the bottom.
    Image
  • At the bottom of the window.Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Logs/Information to Post in your Next Reply

  • Sysprot log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Ktardin » January 5th, 2010, 1:31 pm

Hey Cypher.
Ask Toolbar has been uninstalled; can't find "ask.com" as a program, however.
PunkBuster has also been uninstalled, using your method, and while looking in the drivers folder I did not come across the file you wanted me to delete if I did :)

Computer's performance is the same as before.

I warn you I have no port forwarding on this computer, just basic plug-and-play secured internet :)

Here is the SysProtLog.txt:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 937C5000
Module End: 937D0000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 937D0000
Module End: 937D8000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateProcess
Address: 807849A6
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

Function Name: ZwCreateProcessEx
Address: 80784B98
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

Function Name: ZwTerminateProcess
Address: 80784656
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

Function Name: ZwCreateUserProcess
Address: 80784DA0
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: KTARDIN-PC.HOME:49370
Remote Address: 12.130.63.6:2976
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49359
Remote Address: 62.32.97.15:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49357
Remote Address: 62.32.97.15:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49356
Remote Address: WY-IN-F154.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49355
Remote Address: WY-IN-F154.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49353
Remote Address: WY-IN-F154.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49343
Remote Address: 217.41.217.238:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49332
Remote Address: WY-IN-F154.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: KTARDIN-PC.HOME:49320
Remote Address: EY-IN-F102.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49319
Remote Address: PX-IN-F101.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49316
Remote Address: WY-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49315
Remote Address: EZ-IN-F106.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49314
Remote Address: EZ-IN-F106.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49312
Remote Address: WY-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49311
Remote Address: WY-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:49200
Remote Address: BY2MSG4030117.PHX.GBL:MSNP
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: KTARDIN-PC.HOME:18046
Remote Address: 0.0.0.0:0
Type: TCP
Process: D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe
State: LISTENING

Local Address: KTARDIN-PC.HOME:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KTARDIN-PC:49321
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Windows\explorer.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49308
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Windows\explorer.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49285
Remote Address: LOCALHOST:49284
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49284
Remote Address: LOCALHOST:49285
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49283
Remote Address: LOCALHOST:49282
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49282
Remote Address: LOCALHOST:49283
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49204
Remote Address: LOCALHOST:49202
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49202
Remote Address: LOCALHOST:49204
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:49202
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: LISTENING

Local Address: KTARDIN-PC:27015
Remote Address: LOCALHOST:49321
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:27015
Remote Address: LOCALHOST:49308
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: KTARDIN-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: KTARDIN-PC:10110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\AVG\AVG9\avgemc.exe
State: LISTENING

Local Address: KTARDIN-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: KTARDIN-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: KTARDIN-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: KTARDIN-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: KTARDIN-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: KTARDIN-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KTARDIN-PC:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KTARDIN-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KTARDIN-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: KTARDIN-PC.HOME:60044
Remote Address: NA
Type: UDP
Process: D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe
State: NA

Local Address: KTARDIN-PC.HOME:55964
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC.HOME:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC.HOME:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KTARDIN-PC.HOME:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KTARDIN-PC.HOME:DISCARD
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: KTARDIN-PC:65110
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Contacts\wlcomm.exe
State: NA

Local Address: KTARDIN-PC:62547
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:62151
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: KTARDIN-PC:55965
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:51869
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: KTARDIN-PC:51168
Remote Address: NA
Type: UDP
Process: C:\Program Files\Curse\CurseClient.exe
State: NA

Local Address: KTARDIN-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:49152
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:37618
Remote Address: NA
Type: UDP
Process: C:\Program Files\Curse\CurseClient.exe
State: NA

Local Address: KTARDIN-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: KTARDIN-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\SystemRestore
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{8244BDBD-4AA0-40C4-9C71-1578E1562C98}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{775ec7c6-fa19-11de-b2d3-0022158556df}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\Users\Ktardin\AppData\Roaming\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Users\Ktardin\AppData\Roaming\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm
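Most of the SysProt log above is expected noise, and reading it by eye is where helpers lose time. As an added example (not part of the thread, and not SysProt's own code), here is a Python script that parses a log in SysProt's "Key: Value" record format and splits the findings into expected and worth-a-look. The reasoning it encodes: the dump_*.sys modules are the kernel's crash-dump copies of the storage driver and load without a service entry of their own, which is why an anti-rootkit tool lists them as hidden; every SSDT entry points at PCTCore.sys, the PC Tools (Spyware Doctor) driver that the ComboFix log further down lists as service "R0 PCTCore"; "Access denied" under System Volume Information is ordinary ACL behaviour, whereas an object reported as "Hidden" (the SecuROM entry) is what deserves a second look. The embedded log is an excerpt trimmed from the posted one; the list of known SSDT hookers and the dump_ prefix rule are assumptions made for this example, not something SysProt itself knows.

```python
"""Triage a SysProt AntiRootkit log: separate expected findings from ones worth a look."""
import re
from collections import defaultdict

# Excerpt trimmed from the SysProt log posted above (same record format; the
# asterisk separator lines SysProt prints between sections are skipped by the parser).
SYSPROT_LOG = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 937D0000
Module End: 937D8000
Hidden: Yes

SSDT:
Function Name: ZwCreateProcess
Address: 807849A6
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

Function Name: ZwTerminateProcess
Address: 80784656
Driver Base: 8077B000
Driver End: 807B2000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys

Ports:
Local Address: KTARDIN-PC.HOME:18046
Remote Address: 0.0.0.0:0
Type: TCP
Process: D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe
State: LISTENING

Local Address: KTARDIN-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Hidden files/folders:
Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\Users\Ktardin\AppData\Roaming\SecuROM\UserData\???????????p?????????
Status: Hidden
"""

# A section header is a bare label ending in ':'; record lines are 'Key: Value'.
SECTION_RE = re.compile(r"^[A-Za-z][A-Za-z /]*:$")


def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is one blank-line-separated block."""
    sections, current, record = defaultdict(list), None, {}

    def flush():
        nonlocal record
        if current and record:
            sections[current].append(record)
        record = {}

    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("***"):
            flush()
        elif SECTION_RE.match(line):
            flush()
            current = line[:-1]
        elif current and ": " in line:          # values may themselves contain ':'
            key, value = line.split(": ", 1)
            record[key] = value
    flush()
    return dict(sections)


def basename(path):
    """Last component of an NT-style or drive-letter path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


# Assumed-benign explanations for this example (not a SysProt feature): PCTCore.sys is
# the PC Tools / Spyware Doctor driver listed as service 'R0 PCTCore' in the ComboFix
# log, and dump_*.sys are the kernel's crash-dump copies of the storage drivers.
KNOWN_SSDT_HOOKERS = {"pctcore.sys"}


def triage(sections):
    """Summarise the findings a helper would actually act on."""
    hidden = [basename(m["Module Name"]) for m in sections.get("Kernel Modules", [])
              if m.get("Hidden") == "Yes"]
    unexplained_modules = [m for m in hidden if not m.startswith("dump_")]

    hooks = defaultdict(list)
    for h in sections.get("SSDT", []):
        hooks[basename(h["Driver Name"])].append(h["Function Name"])
    unknown_hookers = {d: f for d, f in hooks.items() if d not in KNOWN_SSDT_HOOKERS}

    # SysProt prints well-known ports by name (e.g. NETBIOS-SSN), so keep the port as text.
    listeners = [(p["Local Address"].rsplit(":", 1)[-1], basename(p["Process"]))
                 for p in sections.get("Ports", [])
                 if p.get("Type") == "TCP" and p.get("State") == "LISTENING"]

    # 'Access denied' is the ACL on System Volume Information doing its job; only
    # objects the tool saw but the normal file APIs hide are flagged.
    hidden_files = [f["Object"] for f in sections.get("Hidden files/folders", [])
                    if f.get("Status") == "Hidden"]

    return {"hidden_modules": hidden, "unexplained_modules": unexplained_modules,
            "ssdt_hooks": dict(hooks), "unknown_hookers": unknown_hookers,
            "tcp_listeners": listeners, "hidden_files": hidden_files}
```

Run against the full posted log, the same parser produces an empty unexplained_modules and unknown_hookers list, a short table of listening sockets by process for the "no port forwarding" question, and the two SecuROM objects as the only genuinely hidden files; that is the whole of what the long log says.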

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Cypher » January 6th, 2010, 6:45 am

Hi Ktardin.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.


Next.


Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Ktardin » January 6th, 2010, 9:02 am

Hiya, ComboFix ran fine; it's only just completed, so I don't know as yet if there are any changes to my PC's performance.

Here's the ComboFix log:

ComboFix 10-01-04.01 - Ktardin 06/01/2010 11:09:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3326.2075 [GMT 0:00]
Running from: c:\users\Ktardin\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Cheat Engine\dbk32.sys
c:\recycler\S-1-5-21-329068152-1284227242-682003330-500
C:\sat9244.tmp
c:\users\Ktardin\AppData\Roaming\.#
c:\windows\TEMP\logishrd\LVPrcInj01.dll
D:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-06 11:17 . 2010-01-06 12:52 -------- d-----w- c:\users\Ktardin\AppData\Local\temp
2010-01-04 17:07 . 2010-01-04 17:08 -------- d-----w- C:\rsit
2010-01-03 19:34 . 2010-01-03 19:34 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Electronic Arts
2010-01-01 19:47 . 2010-01-01 20:26 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Mount&Blade
2010-01-01 13:19 . 2009-12-12 11:39 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2009-12-28 22:56 . 2009-12-28 22:56 -------- d-----w- C:\ATI
2009-12-28 20:46 . 2009-12-28 20:46 -------- d-----w- c:\program files\Trend Micro
2009-12-26 21:20 . 2009-12-26 21:20 -------- d-----w- c:\users\Ktardin\AppData\Roaming\InstallShield Installation Information
2009-12-26 21:20 . 2009-12-26 20:59 331776 ----a-w- c:\users\Ktardin\AppData\Roaming\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-12-26 21:20 . 2007-10-24 11:47 4147031 ----a-w- c:\users\Ktardin\AppData\Roaming\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\ISSetup.dll
2009-12-26 21:03 . 2009-12-26 21:03 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\users\Ktardin\AppData\Roaming\ATI
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\users\Ktardin\AppData\Local\ATI
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\programdata\ATI
2009-12-26 18:17 . 2009-12-26 18:17 -------- d-----w- c:\program files\My Company Name
2009-12-26 18:15 . 2009-12-26 18:15 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-12-26 18:15 . 2009-12-26 18:15 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-26 18:15 . 2009-11-25 03:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-22 17:59 . 2009-12-22 17:59 95 ----a-w- c:\users\Ktardin\AppData\Local\fusioncache.dat
2009-12-22 17:59 . 2009-12-23 12:40 -------- d-----w- c:\users\Ktardin\AppData\Local\Turbine
2009-12-22 17:30 . 2009-12-22 17:30 -------- d-----w- c:\users\Ktardin\AppData\Local\Turbine,_Inc
2009-12-22 17:29 . 2009-12-22 17:29 -------- d-----w- c:\programdata\Turbine
2009-12-22 17:28 . 2009-12-26 19:04 -------- d-----w- c:\users\Ktardin\AppData\Local\ApplicationHistory
2009-12-22 17:26 . 2009-12-22 17:26 -------- d-----w- c:\windows\system32\URTTEMP
2009-12-22 12:29 . 2009-12-22 12:29 4043544 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-12-22 12:29 . 2009-12-12 11:39 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2009-12-22 12:29 . 2009-12-22 12:28 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-22 12:29 . 2009-12-19 10:13 294656 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-19 10:13 . 2009-12-12 11:38 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-18 13:56 . 2009-12-18 13:56 -------- d-----w- c:\users\Ktardin\AppData\Local\Freelancer
2009-12-17 00:06 . 2009-12-17 00:06 -------- d-----w- c:\programdata\Trymedia
2009-12-14 17:53 . 2009-12-14 17:53 -------- d-----w- c:\users\Ktardin\AppData\Roaming\acccore
2009-12-14 17:48 . 2009-12-14 17:48 -------- d-----w- c:\program files\PlayLinc
2009-12-14 17:48 . 2009-12-14 17:48 -------- d-----w- c:\windows\system32\PlayLinc
2009-12-11 16:33 . 2009-12-11 16:33 -------- d-----w- c:\users\Ktardin\AppData\Roaming\FOG Downloader
2009-12-11 12:47 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 12:47 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-11 12:47 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 16:56 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 16:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 16:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-07 19:32 . 2009-12-07 19:32 -------- d-----w- c:\users\Ktardin\AppData\Local\Aspyr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 11:17 . 2009-11-26 20:24 -------- d-----w- c:\program files\Cheat Engine
2010-01-05 17:12 . 2009-10-05 16:08 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-01-04 21:44 . 2009-09-30 18:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-03 22:57 . 2009-10-13 18:04 -------- d-----w- c:\users\Ktardin\AppData\Roaming\uTorrent
2010-01-01 18:25 . 2009-09-19 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 21:24 . 2009-11-09 19:01 -------- d-----w- c:\program files\DivX
2009-12-31 21:24 . 2009-11-09 19:01 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-30 18:32 . 2009-11-09 19:05 -------- d-----w- c:\users\Ktardin\AppData\Roaming\vlc
2009-12-29 23:00 . 2009-09-20 19:38 1 ----a-w- c:\users\Ktardin\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-26 21:03 . 2009-09-19 22:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 18:44 . 2009-11-14 18:39 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-26 18:43 . 2009-11-14 19:02 -------- d-----w- c:\programdata\Media Center Programs
2009-12-26 18:35 . 2009-09-22 18:22 -------- d-----w- c:\program files\Common Files\Steam
2009-12-26 18:16 . 2009-09-19 21:22 -------- d-----w- c:\program files\ATI Technologies
2009-12-26 18:12 . 2009-09-19 21:16 1356 ----a-w- c:\users\Ktardin\AppData\Local\d3d9caps.dat
2009-12-18 13:54 . 2009-09-19 21:16 106472 ----a-w- c:\users\Ktardin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-17 00:08 . 2009-11-30 22:50 -------- d-----w- c:\programdata\PopCap Games
2009-12-13 21:55 . 2009-09-20 18:16 -------- d-----w- c:\programdata\Messenger Plus!
2009-12-11 12:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-06 15:35 . 2009-12-06 15:35 -------- d-----w- c:\program files\MSXML 4.0
2009-12-04 20:30 . 2009-12-04 20:30 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Samsung
2009-12-04 20:15 . 2009-12-04 20:15 -------- d-----w- c:\program files\Samsung
2009-11-30 16:59 . 2009-11-19 21:37 -------- d-----w- c:\program files\Spyware Doctor
2009-11-28 19:29 . 2009-11-27 21:21 -------- d-----w- c:\program files\Silkroad
2009-11-26 20:24 . 2009-11-26 20:24 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Mael
2009-11-26 20:17 . 2009-11-26 20:17 -------- d-----w- c:\program files\HxD
2009-11-25 03:51 . 2009-11-25 03:51 5143552 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2009-11-25 03:17 . 2009-11-25 03:17 368640 ----a-w- c:\windows\system32\atieclxx.exe
2009-11-25 03:17 . 2009-11-25 03:17 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2009-11-25 03:15 . 2009-09-18 14:16 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2009-11-25 03:15 . 2009-09-18 14:15 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:15 . 2009-11-25 03:15 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:15 . 2009-11-25 03:15 11776 ----a-w- c:\windows\system32\atimuixx.dll
2009-11-25 03:14 . 2009-11-25 03:14 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:12 . 2009-11-25 03:12 3055616 ----a-w- c:\windows\system32\atidxx32.dll
2009-11-25 02:55 . 2009-09-18 13:56 3617792 ----a-w- c:\windows\system32\atiumdag.dll
2009-11-25 02:44 . 2009-11-25 02:44 13487616 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:37 . 2009-09-18 13:38 2899968 ----a-w- c:\windows\system32\atiumdva.dll
2009-11-25 02:25 . 2009-11-25 02:25 52224 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:25 . 2009-11-25 02:25 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:25 . 2009-09-18 13:25 225280 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:21 . 2009-11-25 02:21 53248 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:21 . 2009-11-25 02:21 53248 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:20 . 2009-11-25 02:20 3629056 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:10 . 2009-11-25 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-24 19:31 . 2009-11-09 19:06 -------- d-----w- c:\users\Ktardin\AppData\Roaming\dvdcss
2009-11-21 06:40 . 2009-12-09 16:55 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 16:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 16:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 16:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 22:12 . 2009-10-08 19:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 21:38 . 2009-11-19 21:37 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-19 21:37 . 2009-11-19 21:37 -------- d-----w- c:\users\Ktardin\AppData\Roaming\PC Tools
2009-11-19 21:37 . 2009-11-19 21:37 -------- d-----w- c:\programdata\PC Tools
2009-11-19 16:54 . 2009-11-19 16:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-19 16:53 . 2009-11-17 22:09 -------- d-----w- c:\programdata\LogiShrd
2009-11-18 20:19 . 2009-11-18 20:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-11-18 20:16 . 2009-11-18 20:16 -------- d-----w- c:\program files\Microsoft.NET
2009-11-17 22:12 . 2009-11-17 22:12 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Leadertech
2009-11-17 22:10 . 2009-09-24 17:55 -------- d-----w- c:\program files\Common Files\logishrd
2009-11-17 22:09 . 2009-11-17 22:09 -------- d-----w- c:\program files\Logitech
2009-11-17 21:56 . 2009-11-17 21:55 -------- d-----w- c:\program files\VirtualDJ
2009-11-14 19:04 . 2009-11-14 19:04 -------- d-----w- c:\programdata\BioWare
2009-11-14 17:25 . 2009-09-19 21:57 -------- d-----w- c:\program files\AVG
2009-11-14 17:25 . 2009-09-19 23:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 17:25 . 2009-09-19 23:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-14 17:25 . 2009-09-19 23:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-14 17:25 . 2009-09-19 23:14 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 17:25 . 2009-11-14 17:25 -------- d-----w- c:\programdata\avg9
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-09 19:05 . 2009-11-09 19:05 -------- d-----w- c:\program files\VideoLAN
2009-11-09 19:02 . 2009-11-09 19:02 -------- d-----w- c:\users\Ktardin\AppData\Roaming\DivX
2009-11-09 19:01 . 2009-11-09 19:01 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-11-08 16:41 . 2009-11-08 16:41 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-07 11:07 . 2009-11-07 11:07 4 ----a-w- C:\timestmp.tmp
2009-11-02 20:42 . 2009-10-03 12:02 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 17:06 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-22 15:59 . 2009-10-22 15:59 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-14 13:40 . 2009-10-14 13:40 296280 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\VMSEF.dll
2009-10-14 13:37 . 2009-10-14 13:37 6781272 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\MMSEF.dll
.

------- Sigcheck -------

[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[-] 2008-01-21 02:23 . 73A0B56FBA037F402D56939762668EC6 . 21560 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2008-01-21 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-01 2033432]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Turbine Download Manager Tray Icon"="d:\games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-11-05 472568]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-18 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Ktardin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Ktardin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D7050v3

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
2006-12-25 04:00 177664 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIAIE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 15:36 305440 ----a-w- d:\apps\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-25 21:45 1217808 ----a-w- d:\games\steam1\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-20 19:32 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/11/2009 21:37 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [19/09/2009 23:14 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [19/09/2009 23:14 360584]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [25/11/2009 03:17 172032]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14/11/2009 17:25 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/11/2009 17:25 285392]
R2 LiveTurbineMessageService;Turbine Message Service - Live;d:\games\Turbine\Turbine Download Manager\TurbineMessageService.exe [22/12/2009 17:29 271856]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;d:\games\Turbine\Turbine Download Manager\TurbineNetworkService.exe [22/12/2009 17:29 218608]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [20/09/2009 18:52 464384]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [14/11/2009 18:53 25832]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\System32\drivers\gan_adapter.sys [28/08/2006 23:54 10664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19/11/2009 21:37 348824]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [17/08/2009 00:32 239648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ktardin\AppData\Roaming\Mozilla\Firefox\Profiles\vsgdaxkk.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: d:\apps\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
AddRemove-Peggle Deluxe 1.01 - c:\program files\PopCap Games\Peggle Deluxe\PopUninstall.exe
AddRemove-{D3D1D696-84A8-465A-BC61-CDAC852B24CD}_is1 - c:\program files\Pod to PC\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 12:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1480507214-855840707-331760698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:68,c5,9e,e9,52,c8,9f,f6,cb,f4,a3,28,80,05,bf,5a,34,a2,b7,2e,72,d2,59,
8e,95,5c,82,ae,00,e5,c4,76,ea,3f,fd,e3,b1,1a,04,25,72,78,fb,36,43,f7,8d,82,\
"??"=hex:ec,7f,62,96,57,2c,d6,08,cc,a5,1f,55,b4,c4,7c,48

[HKEY_USERS\S-1-5-21-1480507214-855840707-331760698-1000\Software\SecuROM\License information*]
"datasecu"=hex:a2,93,7b,fe,05,55,55,a4,35,ca,f2,bd,82,f3,92,49,fe,0e,c0,2b,87,
b1,8a,a9,5c,c8,0a,48,cc,f8,40,db,74,05,e6,1f,48,f9,37,59,44,76,64,b4,0d,f3,\
"rkeysecu"=hex:0e,82,4a,75,98,b4,83,9d,e8,ae,1a,8f,39,8d,46,ed

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-01-06 12:55:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 12:55

Pre-Run: 699,019,264 bytes free
Post-Run: 1,710,469,120 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 6907B5A8B7ED7E5079C6F0445677903E
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Cypher » January 6th, 2010, 2:25 pm

Hi Ktardin.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    File::
    c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
    c:\windows\system32\pbsvc.exe
    C:\timestmp.tmp
    
    Folder::
    c:\users\Ktardin\AppData\Roaming\uTorrent
    c:\programdata\PopCap Games
    
    FCopy::
    c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys | c:\windows\system32\drivers\atapi.sys
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.



Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

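A pre-flight check for the CFScript format used in the instructions above, added here as an example (it is not ComboFix's own code and not the helper's). It assumes only the three directives that appear on this page (File::, Folder::, FCopy::), one entry per line, and the sample script is a constructed copy of the one posted.

```python
"""Pre-flight checker for a ComboFix CFScript (constructed example, not ComboFix code).

ComboFix reads a CFScript as a sequence of directive headers ending in "::",
each followed by one entry per line.  The directives used on this page are:
    File::    files to delete
    Folder::  folders to delete
    FCopy::   "source | destination" copy (used here to restore a clean atapi.sys)
The thread warns that a wrong script can leave the system unbootable, so this
checker refuses drive roots and the Windows directory as delete targets, requires
absolute paths, and flags an FCopy destination that is also scheduled for deletion.
"""
import re
from typing import Dict, List, Optional

# Constructed copy of the script posted in the thread.
SAMPLE_CFSCRIPT = """\
File::
c:\\windows\\45235788142C44BE8A4DDDE9A84492E5.TMP
c:\\windows\\system32\\pbsvc.exe
C:\\timestmp.tmp

Folder::
c:\\users\\Ktardin\\AppData\\Roaming\\uTorrent
c:\\programdata\\PopCap Games

FCopy::
c:\\windows\\System32\\DriverStore\\FileRepository\\mshdc.inf_cc18792d\\atapi.sys | c:\\windows\\system32\\drivers\\atapi.sys
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
KNOWN_DIRECTIVES = {"File", "Folder", "FCopy"}  # only those shown on this page
# Paths (after the drive letter) that must never be a File::/Folder:: target.
PROTECTED_TAILS = {"", "\\windows", "\\windows\\system32"}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def _is_protected_target(path: str) -> bool:
    """True for a drive root, the Windows directory, or system32 itself."""
    tail = path.lower().rstrip("\\")[2:]  # drop "c:" and any trailing backslash
    return tail in PROTECTED_TAILS


def validate_cfscript(text: str) -> List[str]:
    """Return a list of problems; an empty list means the script passed."""
    problems: List[str] = []
    sections = parse_cfscript(text)
    for directive, entries in sections.items():
        if directive not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {directive}::")
            continue
        for entry in entries:
            if directive == "FCopy":
                paths = [p.strip() for p in entry.split("|")]
                if len(paths) != 2:
                    problems.append(f"FCopy entry needs 'source | destination': {entry}")
                    continue
            else:
                paths = [entry]
            for path in paths:
                if not ABS_PATH_RE.match(path):
                    problems.append(f"{directive}:: path is not absolute: {path}")
                elif directive != "FCopy" and _is_protected_target(path):
                    problems.append(f"{directive}:: refuses to target {path}")
    # A file restored by FCopy:: must not also be listed for deletion.
    deletions = {e.lower() for e in sections.get("File", [])}
    for entry in sections.get("FCopy", []):
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) == 2 and parts[1].lower() in deletions:
            problems.append(f"FCopy destination is also listed under File::: {parts[1]}")
    return problems


if __name__ == "__main__":
    for problem in validate_cfscript(SAMPLE_CFSCRIPT) or ["script passed pre-flight checks"]:
        print(problem)
```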
Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Unread postby Ktardin » January 6th, 2010, 3:16 pm

Hi Cypher, may I start by thanking you VERY much for all your invaluable help, and I'm sorry for taking up your time.

Here is the Combofix log:

ComboFix 10-01-04.01 - Ktardin 06/01/2010 18:50:49.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3326.2289 [GMT 0:00]
Running from: c:\users\Ktardin\Desktop\ComboFix.exe
Command switches used :: c:\users\Ktardin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"C:\timestmp.tmp"
"c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP"
"c:\windows\system32\pbsvc.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\PopCap Games
c:\programdata\PopCap Games\Peggle\cached\sounds\aah.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\applause.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\approval.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\AwardFanfareV2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\ball_add.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\bubbles.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\buckethit.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\button.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\button2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\cannonshot.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\coin_freeball_denied.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\coin_spin.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\cymbal.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\dinghi.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\explode.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\extraball.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\extraball2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\extraball3.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\extremefever2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\feverhit.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\fireballbounce.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\FireBallLoopV4.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\fireballshoot.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\FireworkPop.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\fireworks1.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\fireworks2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\flip.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\flip2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\flipperbounce.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\flipperdown.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\flipperup.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\freeball2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\gapbonus1.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\gong.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\guncock.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\Koka_morning_finaledit.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\miss.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\missile.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\MnE_Dia_n.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\MnE_Dia_neg.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\MnE_Dia_pos.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\mouseoverV1.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\multiball.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\peghit.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\peghit_low.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\peghit_plus_mega9.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\peghit_plus4b.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\pegpop.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\penalty.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_fireball3.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_flippers_4.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_flowerpower2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_guide.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_luckyspin.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_multiball.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_pyramid.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_spaceblast.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_spooky1.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_spooky2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_spooky3.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_spooky4.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\powerup_zen3.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\rainbow.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\scorecounter.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\sigh.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\timpaniroll.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\ting.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\tone.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\tonehi.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\tonelo.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\tonesuperhi.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\typing2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\ultra2.wav
c:\programdata\PopCap Games\Peggle\cached\sounds\xbump_mod2.wav
c:\programdata\PopCap Games\Peggle\userdata\arcade1.sav
c:\programdata\PopCap Games\Peggle\userdata\highscores.dat
c:\programdata\PopCap Games\Peggle\userdata\stat_Jamie_4b144c4d.dat
c:\programdata\PopCap Games\Peggle\userdata\user1.dat
c:\programdata\PopCap Games\Peggle\userdata\users.dat
c:\programdata\PopCap Games\PeggleNights\cached\sounds\aah.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\applause.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\applause_long.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\approval.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\AwardFanfareV2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\ball_add.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\BoardLevelTitleWoosh.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\BoardLevelTitleWooshOut.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\bubbles.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\buckethit.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\button.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\button2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\cannonshot.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\coin_freeball_denied.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\coin_spin.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\CreditsSpotlightOn.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\cymbal.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\DeLune.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\dinghi.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\drumroll.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\explode.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\extraball.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\extraball2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\extraball3.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\extremefever2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\FairyPop.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\fanfare.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\feverhit.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\fireballbounce.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\FireBallLoopV4.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\fireballshoot.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\FireworkPop.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\fireworks1.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\fireworks2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\flip.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\flip2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\flipperbounce.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\flipperdown.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\flipperup.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\freeball2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\gapbonus1.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\gong.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\guncock.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\lightning_shockstart.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\lightning_shockwave.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\LoadLogoBuzzOn.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\miss.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\missile.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\MnE_Dia_n.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\MnE_Dia_neg.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\MnE_Dia_pos.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\mouseoverV1.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\multiball.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\peghit.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\peghit_low.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\peghit_plus_mega9.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\peghit_plus4b.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\pegpop.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\pegspark.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\penalty.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_fireball3.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_flippers_4.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_flowerpower2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_guide.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_lightning.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_luckyspin.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_multiball.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_pyramid.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_spaceblast.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_spooky1.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_spooky2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_spooky3.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_spooky4.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\powerup_zen3.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\PowerupLightningHit.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\rainbow.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\scorecounter.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\sigh.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\SpeechBubblePopup.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\StageDreamyIn.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\StageDreamyOut.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\timpani_long.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\timpaniroll.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\ting.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\tone.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\tonehi.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\tonelo.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\tonesuperhi.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\TrophyCurtains.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\TrophyPhotoIn.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\typing2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\ultra2.wav
c:\programdata\PopCap Games\PeggleNights\cached\sounds\xbump_mod2.wav
c:\programdata\PopCap Games\PeggleNights\userdata\highscores.dat
c:\programdata\PopCap Games\PeggleNights\userdata\replays\awesome.pegn
c:\programdata\PopCap Games\PeggleNights\userdata\replays\Seasickk.pegn
c:\programdata\PopCap Games\PeggleNights\userdata\replays\Seasickkk2.pegn
c:\programdata\PopCap Games\PeggleNights\userdata\replays\Seasickkkk3.pegn
c:\programdata\PopCap Games\PeggleNights\userdata\stat_Jamie_4b297678.dat
c:\programdata\PopCap Games\PeggleNights\userdata\user1.dat
c:\programdata\PopCap Games\PeggleNights\userdata\users.dat
c:\programdata\PopCap Games\popcinfot.dat
c:\programdata\PopCap Games\popcreg.dat
C:\timestmp.tmp
c:\users\Ktardin\AppData\Roaming\uTorrent
c:\users\Ktardin\AppData\Roaming\uTorrent\100 Anthems Drum & Bass.torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\Bassnectar - Underground Communication [2007] VBR 220kbit.torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\dht.dat
c:\users\Ktardin\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Ktardin\AppData\Roaming\uTorrent\Peggle Nights from PopCap Games.zip.torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\Peggle.7z.torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\portableadobephshopcs4.torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\resume.dat
c:\users\Ktardin\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Ktardin\AppData\Roaming\uTorrent\rss.dat
c:\users\Ktardin\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Ktardin\AppData\Roaming\uTorrent\settings.dat
c:\users\Ktardin\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Ktardin\AppData\Roaming\uTorrent\Sub Focus - Sub Focus (Ram Records 2009).torrent
c:\users\Ktardin\AppData\Roaming\uTorrent\utorrent.lng
c:\users\Ktardin\AppData\Roaming\uTorrent\VA--Drum_and_Bass_Arena_Presents_Summer_Selection-WEB-2009-OMA.torrent
c:\windows\system32\pbsvc.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-06 18:58 . 2010-01-06 19:00 -------- d-----w- c:\users\Ktardin\AppData\Local\temp
2010-01-06 18:58 . 2010-01-06 18:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-06 18:58 . 2010-01-06 18:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-04 17:07 . 2010-01-04 17:08 -------- d-----w- C:\rsit
2010-01-03 19:34 . 2010-01-03 19:34 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Electronic Arts
2010-01-01 19:47 . 2010-01-01 20:26 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Mount&Blade
2009-12-28 22:56 . 2009-12-28 22:56 -------- d-----w- C:\ATI
2009-12-28 20:46 . 2009-12-28 20:46 -------- d-----w- c:\program files\Trend Micro
2009-12-26 21:20 . 2009-12-26 21:20 -------- d-----w- c:\users\Ktardin\AppData\Roaming\InstallShield Installation Information
2009-12-26 21:03 . 2009-12-26 21:03 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\users\Ktardin\AppData\Roaming\ATI
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\users\Ktardin\AppData\Local\ATI
2009-12-26 18:22 . 2009-12-26 18:22 -------- d-----w- c:\programdata\ATI
2009-12-26 18:17 . 2009-12-26 18:17 -------- d-----w- c:\program files\My Company Name
2009-12-26 18:15 . 2009-12-26 18:15 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-12-26 18:15 . 2009-12-26 18:15 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-26 18:15 . 2009-11-25 03:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-22 17:59 . 2009-12-22 17:59 95 ----a-w- c:\users\Ktardin\AppData\Local\fusioncache.dat
2009-12-22 17:59 . 2009-12-23 12:40 -------- d-----w- c:\users\Ktardin\AppData\Local\Turbine
2009-12-22 17:30 . 2009-12-22 17:30 -------- d-----w- c:\users\Ktardin\AppData\Local\Turbine,_Inc
2009-12-22 17:29 . 2009-12-22 17:29 -------- d-----w- c:\programdata\Turbine
2009-12-22 17:28 . 2009-12-26 19:04 -------- d-----w- c:\users\Ktardin\AppData\Local\ApplicationHistory
2009-12-22 17:26 . 2009-12-22 17:26 -------- d-----w- c:\windows\system32\URTTEMP
2009-12-18 13:56 . 2009-12-18 13:56 -------- d-----w- c:\users\Ktardin\AppData\Local\Freelancer
2009-12-17 00:06 . 2009-12-17 00:06 -------- d-----w- c:\programdata\Trymedia
2009-12-14 17:53 . 2009-12-14 17:53 -------- d-----w- c:\users\Ktardin\AppData\Roaming\acccore
2009-12-14 17:48 . 2009-12-14 17:48 -------- d-----w- c:\program files\PlayLinc
2009-12-14 17:48 . 2009-12-14 17:48 -------- d-----w- c:\windows\system32\PlayLinc
2009-12-11 16:33 . 2009-12-11 16:33 -------- d-----w- c:\users\Ktardin\AppData\Roaming\FOG Downloader
2009-12-11 12:47 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 12:47 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-11 12:47 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 16:56 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 16:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 16:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-07 19:32 . 2009-12-07 19:32 -------- d-----w- c:\users\Ktardin\AppData\Local\Aspyr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 11:17 . 2009-11-26 20:24 -------- d-----w- c:\program files\Cheat Engine
2010-01-04 21:44 . 2009-09-30 18:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-01 18:25 . 2009-09-19 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 21:24 . 2009-11-09 19:01 -------- d-----w- c:\program files\DivX
2009-12-31 21:24 . 2009-11-09 19:01 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-30 18:32 . 2009-11-09 19:05 -------- d-----w- c:\users\Ktardin\AppData\Roaming\vlc
2009-12-29 23:00 . 2009-09-20 19:38 1 ----a-w- c:\users\Ktardin\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-26 21:03 . 2009-09-19 22:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 20:59 . 2009-12-26 21:20 331776 ----a-w- c:\users\Ktardin\AppData\Roaming\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-12-26 18:44 . 2009-11-14 18:39 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-26 18:43 . 2009-11-14 19:02 -------- d-----w- c:\programdata\Media Center Programs
2009-12-26 18:35 . 2009-09-22 18:22 -------- d-----w- c:\program files\Common Files\Steam
2009-12-26 18:16 . 2009-09-19 21:22 -------- d-----w- c:\program files\ATI Technologies
2009-12-26 18:12 . 2009-09-19 21:16 1356 ----a-w- c:\users\Ktardin\AppData\Local\d3d9caps.dat
2009-12-22 12:29 . 2009-12-22 12:29 4043544 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-12-22 12:28 . 2009-12-22 12:29 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-19 10:13 . 2009-12-22 12:29 294656 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-18 13:54 . 2009-09-19 21:16 106472 ----a-w- c:\users\Ktardin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-13 21:55 . 2009-09-20 18:16 -------- d-----w- c:\programdata\Messenger Plus!
2009-12-12 11:39 . 2010-01-01 13:19 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2009-12-12 11:39 . 2009-12-22 12:29 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2009-12-12 11:38 . 2009-12-19 10:13 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-11 12:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-06 15:35 . 2009-12-06 15:35 -------- d-----w- c:\program files\MSXML 4.0
2009-12-04 20:30 . 2009-12-04 20:30 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Samsung
2009-12-04 20:15 . 2009-12-04 20:15 -------- d-----w- c:\program files\Samsung
2009-11-30 16:59 . 2009-11-19 21:37 -------- d-----w- c:\program files\Spyware Doctor
2009-11-28 19:29 . 2009-11-27 21:21 -------- d-----w- c:\program files\Silkroad
2009-11-26 20:24 . 2009-11-26 20:24 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Mael
2009-11-26 20:17 . 2009-11-26 20:17 -------- d-----w- c:\program files\HxD
2009-11-25 03:51 . 2009-11-25 03:51 5143552 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2009-11-25 03:17 . 2009-11-25 03:17 368640 ----a-w- c:\windows\system32\atieclxx.exe
2009-11-25 03:17 . 2009-11-25 03:17 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2009-11-25 03:15 . 2009-09-18 14:16 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2009-11-25 03:15 . 2009-09-18 14:15 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:15 . 2009-11-25 03:15 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:15 . 2009-11-25 03:15 11776 ----a-w- c:\windows\system32\atimuixx.dll
2009-11-25 03:14 . 2009-11-25 03:14 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:12 . 2009-11-25 03:12 3055616 ----a-w- c:\windows\system32\atidxx32.dll
2009-11-25 02:55 . 2009-09-18 13:56 3617792 ----a-w- c:\windows\system32\atiumdag.dll
2009-11-25 02:44 . 2009-11-25 02:44 13487616 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:37 . 2009-09-18 13:38 2899968 ----a-w- c:\windows\system32\atiumdva.dll
2009-11-25 02:25 . 2009-11-25 02:25 52224 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:25 . 2009-11-25 02:25 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:25 . 2009-09-18 13:25 225280 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:21 . 2009-11-25 02:21 53248 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:21 . 2009-11-25 02:21 53248 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:20 . 2009-11-25 02:20 3629056 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:10 . 2009-11-25 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-24 19:31 . 2009-11-09 19:06 -------- d-----w- c:\users\Ktardin\AppData\Roaming\dvdcss
2009-11-21 06:40 . 2009-12-09 16:55 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 16:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 16:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 16:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 22:12 . 2009-10-08 19:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 21:38 . 2009-11-19 21:37 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-19 21:37 . 2009-11-19 21:37 -------- d-----w- c:\users\Ktardin\AppData\Roaming\PC Tools
2009-11-19 21:37 . 2009-11-19 21:37 -------- d-----w- c:\programdata\PC Tools
2009-11-19 16:54 . 2009-11-19 16:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-19 16:53 . 2009-11-17 22:09 -------- d-----w- c:\programdata\LogiShrd
2009-11-18 20:19 . 2009-11-18 20:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-11-18 20:16 . 2009-11-18 20:16 -------- d-----w- c:\program files\Microsoft.NET
2009-11-17 22:12 . 2009-11-17 22:12 -------- d-----w- c:\users\Ktardin\AppData\Roaming\Leadertech
2009-11-17 22:10 . 2009-09-24 17:55 -------- d-----w- c:\program files\Common Files\logishrd
2009-11-17 22:09 . 2009-11-17 22:09 -------- d-----w- c:\program files\Logitech
2009-11-17 21:56 . 2009-11-17 21:55 -------- d-----w- c:\program files\VirtualDJ
2009-11-14 19:04 . 2009-11-14 19:04 -------- d-----w- c:\programdata\BioWare
2009-11-14 17:25 . 2009-09-19 21:57 -------- d-----w- c:\program files\AVG
2009-11-14 17:25 . 2009-09-19 23:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 17:25 . 2009-09-19 23:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-14 17:25 . 2009-09-19 23:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-14 17:25 . 2009-09-19 23:14 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 17:25 . 2009-11-14 17:25 -------- d-----w- c:\programdata\avg9
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-09 19:05 . 2009-11-09 19:05 -------- d-----w- c:\program files\VideoLAN
2009-11-09 19:02 . 2009-11-09 19:02 -------- d-----w- c:\users\Ktardin\AppData\Roaming\DivX
2009-11-09 19:01 . 2009-11-09 19:01 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-11-08 16:41 . 2009-11-08 16:41 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-02 20:42 . 2009-10-03 12:02 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 17:06 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-22 15:59 . 2009-10-22 15:59 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-14 13:40 . 2009-10-14 13:40 296280 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\VMSEF.dll
2009-10-14 13:37 . 2009-10-14 13:37 6781272 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\MMSEF.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-01 2033432]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Turbine Download Manager Tray Icon"="d:\games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-11-05 472568]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-18 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Ktardin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Ktardin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
2006-12-25 04:00 177664 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIAIE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 15:36 305440 ----a-w- d:\apps\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-25 21:45 1217808 ----a-w- d:\games\steam1\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-20 19:32 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/11/2009 21:37 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [19/09/2009 23:14 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [19/09/2009 23:14 360584]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [25/11/2009 03:17 172032]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14/11/2009 17:25 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/11/2009 17:25 285392]
R2 LiveTurbineMessageService;Turbine Message Service - Live;d:\games\Turbine\Turbine Download Manager\TurbineMessageService.exe [22/12/2009 17:29 271856]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;d:\games\Turbine\Turbine Download Manager\TurbineNetworkService.exe [22/12/2009 17:29 218608]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [20/09/2009 18:52 464384]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [14/11/2009 18:53 25832]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\System32\drivers\gan_adapter.sys [28/08/2006 23:54 10664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19/11/2009 21:37 348824]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [17/08/2009 00:32 239648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ktardin\AppData\Roaming\Mozilla\Firefox\Profiles\vsgdaxkk.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: d:\apps\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1480507214-855840707-331760698-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:68,c5,9e,e9,52,c8,9f,f6,cb,f4,a3,28,80,05,bf,5a,34,a2,b7,2e,72,d2,59,
8e,95,5c,82,ae,00,e5,c4,76,ea,3f,fd,e3,b1,1a,04,25,72,78,fb,36,43,f7,8d,82,\
"??"=hex:ec,7f,62,96,57,2c,d6,08,cc,a5,1f,55,b4,c4,7c,48

[HKEY_USERS\S-1-5-21-1480507214-855840707-331760698-1000\Software\SecuROM\License information*]
"datasecu"=hex:a2,93,7b,fe,05,55,55,a4,35,ca,f2,bd,82,f3,92,49,fe,0e,c0,2b,87,
b1,8a,a9,5c,c8,0a,48,cc,f8,40,db,74,05,e6,1f,48,f9,37,59,44,76,64,b4,0d,f3,\
"rkeysecu"=hex:0e,82,4a,75,98,b4,83,9d,e8,ae,1a,8f,39,8d,46,ed

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-06 19:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 19:07
ComboFix2.txt 2010-01-06 12:55

Pre-Run: 1,139,077,120 bytes free
Post-Run: 1,218,613,248 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 716B67AC49E15A81F472CD8F981A53F5
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Cypher » January 6th, 2010, 6:12 pm

Hi Ktardin.
thanking you VERY much for all your invaluable help, and I'm sorry for taking up your time.

You're most welcome, and by no means are you taking up my time :)

How is your computer performing? Any more alerts from AVG?

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
  • Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done, ONLY the "C:\RSIT\log.txt" will be reproduced (it will be maximized).
  • Please post ONLY the "log.txt", file contents in your next reply.
    (This log can be lengthy, so a separate post may be needed.)

Logs/Information to Post in your Next Reply

  • RSIT log.txt
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
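The logs exchanged in this thread (ComboFix's service list and the RSIT "List of drivers" / "List of services" sections) print one entry per line in a fixed shape, and a helper's first pass is to read those lines for a driver that looks out of place. As an added example, not code from this thread, from RSIT or from ComboFix, here is a small Python parser for that line format plus the sanity checks a helper applies by eye: missing file metadata (an empty `[]`), an image path under a user profile or temp directory, a raw `\??\` path, or a boot/system-start driver outside System32\drivers. The sample lines are copied in shape from the logs in this thread; the rule names and wording are my own. Note that the catchme entry it flags is ComboFix's own rootkit-scanner driver, which is why it sits in Temp with no metadata once the scan has finished: the flags mark what to check, not what to delete.

```python
"""Triage the one-line driver/service entries that RSIT and ComboFix print.

Both tools print entries in the shape seen in this thread's logs:
    <R|S><start> <name>;<description>; <image path> [<timestamp> <size>]
R/S = running/stopped, start 0..4 = boot/system/auto/demand/disabled, and an
empty [] means the tool could not stat the image file when it ran.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: five lines copied in shape from the ComboFix and RSIT
# logs in this thread (not a new log). catchme is ComboFix's own scanner driver.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/11/2009 21:37 206256]
R1 AsIO;AsIO; C:\Windows\system32\drivers\AsIO.sys [2009-09-20 12400]
R3 catchme;catchme; \??\C:\Users\Ktardin\AppData\Local\Temp\catchme.sys []
S3 hamachi_oem;PlayLinc Adapter; C:\Windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-14 285392]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"       # R3 / S4 ...
    r"(?P<name>[^;]+);(?P<desc>[^;]*);\s*"        # service name;display name;
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"   # image path [stamp size]
)


@dataclass
class Entry:
    state: str            # "R" running or "S" stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    desc: str
    path: str
    stamp: Optional[str]  # "19/11/2009 21:37" (ComboFix) or "2009-09-20" (RSIT)
    size: Optional[int]   # bytes, or None when the tool printed []


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a driver/service line, None for any other line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    tokens = m.group("meta").split()
    size = int(tokens[-1]) if tokens and tokens[-1].isdigit() else None
    stamp_tokens = tokens[:-1] if size is not None else tokens
    stamp = " ".join(stamp_tokens) or None
    return Entry(m.group("state"), int(m.group("start")), m.group("name").strip(),
                 m.group("desc").strip(), m.group("path"), stamp, size)


def parse_log(text: str) -> List[Entry]:
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(e: Entry) -> List[str]:
    """The checks a helper applies by eye; each string is one reason to look closer.
    The rules and their wording are my own (assumption), not either tool's output."""
    reasons: List[str] = []
    low = e.path.lower()
    if e.size is None:
        reasons.append("no file metadata: image missing or unreadable when the tool ran")
    if low.startswith("\\??\\"):
        reasons.append("raw NT (\\??\\) image path: registered with an absolute path, "
                       "usually by a tool rather than an INF install")
    if "\\temp\\" in low or "\\appdata\\" in low:
        reasons.append("image stored under a user profile or temp directory")
    if e.start in (0, 1) and "\\system32\\drivers\\" not in low:
        reasons.append("boot/system-start driver outside System32\\drivers")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for entries that raised at least one flag."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_log(text):
        reasons = triage(e)
        if reasons:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it against a saved log.txt or ComboFix.txt by passing the file contents to `triage_log`; lines that are not driver/service entries (section headers, file listings) are ignored by the regex, so the whole file can be fed in unchanged.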

Re: C:\Windows\System32\drivers\atapi.sys.....Trojan.rootkit

Post by Ktardin » January 6th, 2010, 6:24 pm

Truth be known I've been rather indisposed today, having to dash back and forwards from my PC, and I completely forgot to re-activate the AVG resident shield after following your last set of instructions :( . I will leave AVG running a full scan overnight tonight, and will post my findings in the morning tomorrow. After my first alert from AVG I did scan my PC and try to make sense of the whole "critical system file" thing and browse the internet for answers, and AVG did find it again, so I have no doubts that if it hasn't been deleted AVG will tell me so in the scan, which I will tell you about tomorrow. In the meantime here is my RSIT log :)

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ktardin at 2010-01-06 22:18:15
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 1 GB (3%) free of 38 GB
Total RAM: 3326 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:27, on 06/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Apps\iTunes\iTunes.exe
C:\Users\Ktardin\Desktop\Skins\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ktardin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5747 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-12 1484056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-20 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"snpstd"=C:\Windows\vsnpstd.exe [2005-10-11 339968]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2009-07-27 180224]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-01-01 2033432]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"Turbine Download Manager Tray Icon"=D:\Games\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe [2009-11-05 472568]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-09-18 98304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"CurseClient"=C:\Program Files\Curse\CurseClient.exe [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE [2006-12-25 177664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Apps\iTunes\iTunesHelper.exe [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\games\steam1\steam.exe [2009-10-25 1217808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-20 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Ktardin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
D:\Apps\OPENOF~1\OPENOF~1.ORG\program\QUICKS~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\System32\avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-01-06 19:07:42 ----A---- C:\ComboFix.txt
2010-01-06 19:00:44 ----SHD---- C:\$RECYCLE.BIN
2010-01-06 18:58:37 ----D---- C:\Windows\temp
2010-01-06 18:49:24 ----A---- C:\Windows\SWXCACLS.exe
2010-01-06 11:08:43 ----A---- C:\Windows\NIRCMD.exe
2010-01-06 11:08:43 ----A---- C:\Windows\MBR.exe
2010-01-06 11:08:42 ----A---- C:\Windows\zip.exe
2010-01-06 11:08:42 ----A---- C:\Windows\SWSC.exe
2010-01-06 11:08:42 ----A---- C:\Windows\SWREG.exe
2010-01-06 11:08:42 ----A---- C:\Windows\sed.exe
2010-01-06 11:08:42 ----A---- C:\Windows\PEV.exe
2010-01-06 11:08:42 ----A---- C:\Windows\grep.exe
2010-01-06 11:08:37 ----D---- C:\Windows\ERDNT
2010-01-06 11:08:19 ----AD---- C:\Qoobox
2010-01-04 17:07:41 ----D---- C:\rsit
2010-01-03 19:34:06 ----D---- C:\Users\Ktardin\AppData\Roaming\Electronic Arts
2010-01-01 19:47:49 ----D---- C:\Users\Ktardin\AppData\Roaming\Mount&Blade
2009-12-28 22:56:26 ----D---- C:\ATI
2009-12-28 20:46:43 ----D---- C:\Program Files\Trend Micro
2009-12-26 21:20:36 ----D---- C:\Users\Ktardin\AppData\Roaming\InstallShield Installation Information
2009-12-26 21:03:49 ----D---- C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-12-26 18:22:11 ----D---- C:\Users\Ktardin\AppData\Roaming\ATI
2009-12-26 18:22:11 ----D---- C:\ProgramData\ATI
2009-12-26 18:17:30 ----D---- C:\Program Files\My Company Name
2009-12-26 18:15:56 ----D---- C:\Program Files\Common Files\ATI Technologies
2009-12-26 18:15:01 ----A---- C:\Windows\system32\ATIDEMGX.dll
2009-12-22 17:29:24 ----D---- C:\ProgramData\Turbine
2009-12-22 17:26:14 ----D---- C:\Windows\system32\URTTEMP
2009-12-17 00:06:57 ----D---- C:\ProgramData\Trymedia
2009-12-14 17:53:02 ----D---- C:\Users\Ktardin\AppData\Roaming\acccore
2009-12-14 17:48:53 ----D---- C:\Windows\system32\PlayLinc
2009-12-14 17:48:53 ----D---- C:\Program Files\PlayLinc
2009-12-11 16:33:41 ----D---- C:\Users\Ktardin\AppData\Roaming\FOG Downloader
2009-12-11 12:47:19 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-11 12:47:18 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 16:56:02 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 16:55:55 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 16:55:55 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 16:55:53 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 16:55:53 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\occache.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 16:55:52 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-09 16:55:51 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ieui.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iesetup.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iernonce.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\iepeers.dll
2009-12-09 16:55:51 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-09 16:52:26 ----A---- C:\Windows\system32\rastls.dll
2009-12-09 16:52:26 ----A---- C:\Windows\system32\raschap.dll

======List of files/folders modified in the last 1 months======

2010-01-06 19:07:45 ----D---- C:\Windows\system32\drivers
2010-01-06 19:01:12 ----D---- C:\Windows\Prefetch
2010-01-06 19:00:41 ----D---- C:\Windows
2010-01-06 19:00:41 ----A---- C:\Windows\system.ini
2010-01-06 18:58:06 ----D---- C:\ProgramData
2010-01-06 18:58:05 ----D---- C:\Windows\System32
2010-01-06 18:55:02 ----D---- C:\Windows\AppPatch
2010-01-06 18:55:01 ----D---- C:\Program Files\Common Files
2010-01-06 12:12:31 ----SHD---- C:\System Volume Information
2010-01-06 11:17:06 ----D---- C:\Program Files\Cheat Engine
2010-01-05 17:11:05 ----SHD---- C:\Windows\Installer
2010-01-05 17:11:03 ----RD---- C:\Program Files
2010-01-04 21:48:31 ----D---- C:\Users\Ktardin\AppData\Roaming\Adobe
2010-01-04 21:44:43 ----D---- C:\Program Files\Common Files\Adobe
2010-01-04 20:15:29 ----SD---- C:\Users\Ktardin\AppData\Roaming\Microsoft
2010-01-01 18:25:54 ----HD---- C:\Program Files\InstallShield Installation Information
2009-12-31 21:24:21 ----D---- C:\Program Files\DivX
2009-12-31 21:24:11 ----D---- C:\Program Files\Common Files\DivX Shared
2009-12-30 18:32:06 ----D---- C:\Users\Ktardin\AppData\Roaming\vlc
2009-12-28 22:58:26 ----D---- C:\Windows\system32\catroot
2009-12-28 22:58:24 ----D---- C:\Windows\inf
2009-12-28 22:57:34 ----D---- C:\Windows\winsxs
2009-12-28 19:29:48 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-27 13:11:00 ----RSD---- C:\Windows\assembly
2009-12-26 21:03:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-26 18:44:19 ----D---- C:\Program Files\Common Files\BioWare
2009-12-26 18:43:57 ----D---- C:\ProgramData\Media Center Programs
2009-12-26 18:35:38 ----D---- C:\Program Files\Common Files\Steam
2009-12-26 18:17:05 ----D---- C:\Program Files\Mozilla Firefox
2009-12-26 18:16:32 ----D---- C:\Program Files\ATI Technologies
2009-12-26 18:10:58 ----D---- C:\Windows\system32\catroot2
2009-12-23 13:01:52 ----D---- C:\Users\Ktardin\AppData\Roaming\Mozilla
2009-12-22 17:29:41 ----D---- C:\Windows\registration
2009-12-22 17:28:01 ----D---- C:\Program Files\Internet Explorer
2009-12-21 13:05:11 ----D---- C:\Windows\LiveKernelReports
2009-12-18 13:47:06 ----RSD---- C:\Windows\Fonts
2009-12-13 21:55:41 ----D---- C:\ProgramData\Messenger Plus!
2009-12-11 20:51:36 ----SD---- C:\Windows\Downloaded Program Files
2009-12-11 13:10:02 ----D---- C:\Windows\rescache
2009-12-11 12:51:56 ----D---- C:\Windows\system32\migration
2009-12-11 12:51:56 ----D---- C:\Windows\system32\en-US
2009-12-11 12:47:12 ----A---- C:\Windows\system32\MRT.INI
2009-12-11 12:44:50 ----D---- C:\Program Files\Windows Mail
2009-12-07 20:35:38 ----D---- C:\Windows\Logs

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AsIO;AsIO; C:\Windows\system32\drivers\AsIO.sys [2009-09-20 12400]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-11-14 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-11-14 28424]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-11-14 360584]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2009-07-27 58908]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2006-07-24 5632]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\AtiHdmi.sys [2009-08-23 101904]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-11-25 5143552]
R3 catchme;catchme; \??\C:\Users\Ktardin\AppData\Local\Temp\catchme.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2009-10-07 25752]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\drivers\LVUSBSta.sys [2007-05-09 41888]
R3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2006-10-20 7680]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista; C:\Windows\system32\DRIVERS\netr73.sys [2009-09-20 464384]
R3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\Windows\system32\DRIVERS\LV302V32.SYS [2007-05-09 1276832]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-05-25 164864]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-21 73088]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 hamachi_oem;PlayLinc Adapter; C:\Windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-08-16 9545152]
S3 snpstd;Trust Webcam 14823; C:\Windows\system32\DRIVERS\snpstd.sys [2006-05-03 390784]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys [2005-08-17 58352]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys [2005-08-17 8272]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys [2005-08-17 93872]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-11-25 172032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-11-14 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-14 285392]
R2 LiveTurbineMessageService;Turbine Message Service - Live; D:\Games\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-11-05 271856]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 154136]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-08 545568]
R3 LiveTurbineNetworkService;Turbine Network Service - Live; D:\Games\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-11-05 218608]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-27 34312]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-04-16 91184]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-11-19 348824]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-07-22 1097096]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-12-14 321320]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S4 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-08-17 215584]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-08-17 239648]

-----------------EOF-----------------
Ktardin
Active Member
 
Posts: 13
Joined: December 28th, 2009, 4:42 pm