Not Sure what I got but dont like it!!!

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\iaStor.sys|C:\Windows\System32\Drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Hi,

Run ComboFix again (let it update itself). Post back the log.
 
ComboFix 09-12-04.02 - Brian2 12/04/2009 21:04.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.704 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-02 20:39 . 2009-12-02 20:39 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-02 20:39 . 2009-12-02 20:39 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-02 20:38 . 2009-12-02 20:38 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-02 20:14 . 2008-11-25 01:44 34062 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-12-02 20:14 . 2008-11-25 01:44 1011800 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_071102000005.exe
2009-12-02 20:14 . 2009-12-02 20:16 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-12-02 20:14 . 2008-10-26 01:38 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-02 20:14 . 2008-10-26 01:38 976248 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071102000005.dll
2009-12-02 20:14 . 2009-02-28 16:04 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\UNINST_Uninstall_A_6C907FAEC47248AAB58EC428360E8FCD.exe
2009-12-02 20:14 . 2009-02-28 16:04 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\ARPPRODUCTICON.exe
2009-12-02 20:14 . 2008-11-08 06:47 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\UNINST_Uninstall_D_81F0161832F944B0B60442148DFCFD8A.exe
2009-12-02 20:14 . 2008-11-08 06:47 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\ARPPRODUCTICON.exe
2009-12-02 20:14 . 2009-12-02 20:14 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-12-02 20:12 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AdobeUM
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 02:15 . 2008-11-23 23:33 90786336 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-05 02:01 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-05 02:01 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-05 02:01 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-05 02:01 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-05 02:01 . 2008-11-23 23:33 1216412 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Ventrilo
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\U3
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Teleca
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\teamspeak2
2009-12-02 20:16 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Sonic
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Leadertech
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\InstallShield
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\GTek
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\EPSON
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\DivX
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Defender Pro
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Corel
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\ArcSoft
2009-12-02 20:13 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Apple Computer
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-24 16:42 . 2005-02-23 13:37 -------- d-----w- c:\program files\Java
2009-11-24 16:41 . 2009-12-02 20:17 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-12-02 20:17 79488 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-19 01:24 . 2009-12-02 20:17 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-11-23 03:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-23 03:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 02:03 . 2009-12-05 02:03 16384 c:\windows\temp\Perflib_Perfdata_93c.dat
+ 2009-12-05 02:02 . 2009-12-05 02:02 16384 c:\windows\temp\Perflib_Perfdata_1ac.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8678CF30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x8678cf30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\klogon.dll
.
Completion time: 2009-12-04 21:18
ComboFix-quarantined-files.txt 2009-12-05 02:18
ComboFix2.txt 2009-12-02 20:44
ComboFix3.txt 2009-12-01 05:10
ComboFix4.txt 2009-11-26 14:56
ComboFix5.txt 2009-12-05 01:57

Pre-Run: 104,672,727,040 bytes free
Post-Run: 104,797,941,760 bytes free

- - End Of File - - AF94141505653E0C902DA96E908B49F9
 
Hi,

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: 
    :filefind
atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Run also a new scan with GMER and post back the log.
 
Last edited:
Here is this one! I will zip the other one when it gets finished.


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:06 on 05/12/2009 by Brian2 (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\I386\atapi.sys --a--c 95360 bytes [14:05 06/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 95360 bytes [20:10 24/11/2009] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--c 96512 bytes [06:34 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys --a--- 95360 bytes [06:00 01/01/1980] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 95360 bytes [06:00 01/01/1980] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys --a--c 95360 bytes [13:27 23/02/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
 
File atapi.sys received on 2009.12.07 17:46:38 (UTC)
Current status: finished
Result: 1/40 (2.50%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 -
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 -
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 -
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.07 -
eTrust-Vet 35.1.7162 2009.12.07 -
F-Prot 4.5.1.85 2009.12.07 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 -
Ikarus T3.1.1.74.0 2009.12.07 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5825 2009.12.07 -
McAfee+Artemis 5825 2009.12.07 -
McAfee-GW-Edition 6.8.5 2009.12.07 Heuristic.LooksLike.Win32.NewMalware.H
Microsoft 1.5302 2009.12.07 -
NOD32 4667 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 -
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.07 -
Additional information
File size: 95360 bytes
MD5 : cdfe4411a69c224bd1d11b2da92dac51
SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
SHA256: 0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x155F7
timedatestamp.....: 0x41107B4D (Wed Aug 4 07:59:41 2004)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x9672 0x9680 6.45 70b67d65eb28dcccdcba61a31c4d40e2
NONPAGE 0x9A00 0x18E8 0x1900 6.48 5629c7db94fbcf0123c267ec52f0c942
.rdata 0xB300 0xA54 0xA80 4.37 569d2979d21f645730a1a59fd512d25c
.data 0xBD80 0xD94 0xE00 0.44 77b784be18c5257bf3b9c132a03019db
PAGESCAN 0xCB80 0x154F 0x1580 6.15 d1c7adb0c1e5491b58c485d62076561f
PAGE 0xE100 0x5F54 0x5F80 6.46 0951fe4f10eee3d01d5d5aab9a0472bc
INIT 0x14080 0x22A0 0x2300 6.48 4354ab341533bda39d4f4dc3548ef9bd
.rsrc 0x16380 0x3F0 0x400 3.40 0184b21986944fd39532f818b4c642ab
.reloc 0x16780 0xCF0 0xD00 6.46 ae8fd4a932f7899f6257876856210914

( 3 imports )

> hal.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, PoCallDriver, IoCreateDevice, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, KeCancelTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, RtlCopyUnicodeString, memmove, MmHighestUserAddress
> wmilib.sys: WmiSystemControl, WmiCompleteRequest

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=cdfe4411a69c224bd1d11b2da92dac51
ssdeep: 1536:BVzXEOXUOyD8HT6OhAVJqNoQrPs2W7IDdXBoDZYkvR5TJWBwEsjG0cXFIQ0bbZPO:BVL/Eiz6OhrNoQzsnwBoDjR51hljrckO
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: ATAPI.SYS, atapi.sys
( Microsoft )

Disc 2438.5: atapi.sysMSDN Disc 2428.4: atapi.sysMSDN Disc 2428.5: atapi.sysMSDN Disc 2428.8: atapi.sysMSDN Disc 2438.7: atapi.sysMSDN Disc 2438.8: atapi.sysMSDN Disc 2439.6: atapi.sysMSDN Disc 2439.7: atapi.sysMSDN Disc 2439.8: atapi.sysMSDN Disc 2440.3: atapi.sysMSDN Disc 2440.4: atapi.sysMSDN Disc 2440.5: atapi.sysMSDN Disc 2441.5: atapi.sysMSDN Disc 2441.6: atapi.sysMSDN Disc 2441.7: atapi.sysMSDN Disc 2442.4: atapi.sysMSDN Disc 2442.6: atapi.sysMSDN Disc 2443.2: atapi.sysMSDN Disc 2443.4: atapi.sysMSDN Disc 2444.3: atapi.sysMSDN Disc 2444.3: atapi.sysMSDN Disc 2444.4: atapi.sysMSDN Disc 2444.6: atapi.sysMSDN Disc 2455.6: atapi.sysMSDN Disc 2464.5: atapi.sysMSDN Disc 2465.4: atapi.sysMSDN Disc 2465.5: atapi.sysMSDN Disc 2466.2: atapi.sysMSDN Disc 2466.4: atapi.sysMSDN Disc 2476.2: atapi.sysMSDN Disc 2476.4: atapi.sysMSDN Disc 2477.2: atapi.sysOperating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: atapi.sysVirtual PC for Mac Windows XP Home Edition: atapi.sysVirtual PC for Mac Windows XP Professional Edition: atapi.sys

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
 
File 81A8F62D00532BB84BE6070C4E818100BBBA23ED.SYS received on 2009.07.19 21:29:14 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.19 -
AhnLab-V3 5.0.0.2 2009.07.19 -
AntiVir 7.9.0.222 2009.07.19 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.19 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.19 -
BitDefender 7.2 2009.07.19 -
CAT-QuickHeal 10.00 2009.07.17 -
ClamAV 0.94.1 2009.07.19 -
Comodo 1670 2009.07.19 -
DrWeb 5.0.0.12182 2009.07.19 -
eSafe 7.0.17.0 2009.07.19 -
eTrust-Vet 31.6.6623 2009.07.18 -
F-Prot 4.4.4.56 2009.07.19 -
F-Secure 8.0.14470.0 2009.07.19 -
Fortinet 3.120.0.0 2009.07.19 -
GData 19 2009.07.19 -
Ikarus T3.1.1.64.0 2009.07.19 -
Jiangmin 11.0.800 2009.07.19 -
K7AntiVirus 7.10.796 2009.07.18 -
McAfee 5681 2009.07.19 -
McAfee+Artemis 5681 2009.07.19 -
McAfee-GW-Edition 6.8.5 2009.07.19 -
Microsoft 1.4803 2009.07.19 -
NOD32 4259 2009.07.19 -
Norman 2009.07.17 -
nProtect 2009.1.8.0 2009.07.19 -
Panda 10.0.0.14 2009.07.19 -
PCTools 4.4.2.0 2009.07.19 -
Prevx 3.0 2009.07.19 -
Rising 21.38.62.00 2009.07.19 -
Sophos 4.43.0 2009.07.19 -
Sunbelt 3.2.1858.2 2009.07.19 -
Symantec 1.4.4.12 2009.07.19 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.18 -
VBA32 3.12.10.8 2009.07.19 -
ViRobot 2009.7.17.1841 2009.07.17 -
VirusBuster 4.6.5.0 2009.07.16 -
Additional information
File size: 477952 bytes
MD5 : d7731536e183b4397402ca6f9e1d52f7
SHA1 : 1bb9158a3634e29c3abe1d88707ba0f1b21d9dff
SHA256: 32c7fbb2f151faa4f0b4a77fd11bf3098b5691d5dbcf1e3648b932d792174241
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3676
timedatestamp.....: 0x40E1B22A (Tue Jun 29 20:17:14 2004)
machinetype.......: 0x14C (Intel I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x37F3E 0x37F80 6.58 b087a0b6145bab659f8ae9db70ed72ba
.rdata 0x38280 0x11A4 0x1200 4.96 dec4ad02df321c919de1d35469dfbfa4
.data 0x39480 0x38574 0x38580 0.11 671f49fab98da90ec610bcef549b3cb1
INIT 0x71A00 0xD2C 0xD80 5.58 b09f4f0968adf979bba0cc6a5a61f374
.rsrc 0x72780 0x448 0x480 3.17 b38228c938a2779e4a9bee57de9af68a
.reloc 0x72C00 0x1EBE 0x1F00 5.99 1ed403ca7ea327de46f73c9f99624e43

( 2 imports )

> hal.dll: ExAcquireFastMutex, ExReleaseFastMutex, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, READ_PORT_ULONG, WRITE_PORT_ULONG, WRITE_PORT_BUFFER_ULONG, READ_PORT_BUFFER_ULONG, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR, READ_PORT_UCHAR, KeStallExecutionProcessor, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, HalGetInterruptVector
> ntoskrnl.exe: memmove, _vsnprintf, KeInsertQueueDpc, MmAllocateNonCachedMemory, KeInitializeSpinLock, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, IoInvalidateDeviceRelations, IoFreeWorkItem, IoRequestDeviceEject, IoQueueWorkItem, IoAllocateWorkItem, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, IofCompleteRequest, IofCallDriver, IoGetDmaAdapter, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwCreateKey, swprintf, KeWaitForSingleObject, KeInitializeEvent, IoDisconnectInterrupt, IoGetConfigurationInformation, IoDeleteDevice, ExDeleteNPagedLookasideList, KeCancelTimer, IoFreeIrp, KeLeaveCriticalRegion, KeEnterCriticalRegion, IoDetachDevice, IoDeleteSymbolicLink, IoConnectInterrupt, IoReleaseRemoveLockAndWaitEx, strstr, strncat, sprintf, IoBuildDeviceIoControlRequest, PoSetPowerState, PoRegisterDeviceForIdleDetection, RtlCompareMemory, KeClearEvent, IoInitializeRemoveLockEx, ObfReferenceObject, KeSetTimer, KeBugCheckEx, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlCopyUnicodeString, IoReleaseRemoveLockEx, KeSetEvent, KeRemoveQueueDpc, ObfDereferenceObject, IoGetAttachedDeviceReference, IoAllocateIrp, IoInvalidateDeviceState, strncpy, strncmp, PoRequestPowerIrp, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, _local_unwind2, MmMapLockedPagesSpecifyCache, PsTerminateSystemThread, KeWaitForMultipleObjects, _allmul, KeBugCheck, KeSetPriorityThread, ObReferenceObjectByHandle, PsCreateSystemThread, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, MmMapIoSpace, IoReportResourceForDetection, MmUnmapIoSpace, RtlCheckRegistryKey, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoCreateDevice, RtlUnicodeStringToInteger, wcsncpy, wcsstr, _wcsupr, IoGetDeviceProperty, ZwCreateDirectoryObject, READ_REGISTER_ULONG, PsGetVersion, _alldiv, PoStartNextPowerIrp, PoCallDriver, ExSystemTimeToLocalTime, KeQuerySystemTime, _purecall, _except_handler3, RtlCreateRegistryKey, DbgPrint, ZwOpenKey, ZwClose, ZwQueryValueKey, RtlWriteRegistryValue, RtlInitUnicodeString, wcslen, ExAllocatePoolWithTag, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, RtlQueryRegistryValues, ExFreePoolWithTag, KeNumberProcessors, MmGetPhysicalAddress, IoAcquireRemoveLockEx, WRITE_REGISTER_ULONG

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 6144:DzF2q7zhUndlZP4+7ewqZ4Z+1liPqoROGwiSm:lpnhUndc6+1liyuX
PEiD : -
RDS : NSRL Reference Data Set
-

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
 
Hi,

Those are same results that you sent me via PM. Did you read this message I sent you a few moments ago:
I just want to ensure you uploaded
c:\windows\system32\drivers\atapi.sys.bak and c:\windows\system32\drivers\iastor.sys.bak

Please upload the files once more and select rescan if system says that file has been scanned before. Then post the results into your forum topic (not via private message this time).
Click to expand...
Kindly upload those two bolded files to Virustotal and make sure those are rescanned (you should be asked if you want to rescan).
 
yeah I think I did the same one each time...

File atapi.sys.bak received on 2009.12.07 23:14:20 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 -
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 -
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 -
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.07 -
eTrust-Vet 35.1.7163 2009.12.07 -
F-Prot 4.5.1.85 2009.12.07 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 -
Ikarus T3.1.1.74.0 2009.12.07 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5825 2009.12.07 -
McAfee+Artemis 5825 2009.12.07 -
McAfee-GW-Edition 6.8.5 2009.12.07 Heuristic.LooksLike.Win32.NewMalware.H
Microsoft 1.5302 2009.12.07 -
NOD32 4668 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.07 -
PCTools 7.0.3.5 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 -
Sunbelt 3.2.1858.2 2009.12.07 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.088 2009.12.07 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.07 -
Additional information
File size: 95360 bytes
MD5...: cdfe4411a69c224bd1d11b2da92dac51
SHA1..: a42fbfeb5a4d94118b483d7f18113aa8c329a052
SHA256: 0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d
ssdeep: 1536:BVzXEOXUOyD8HT6OhAVJqNoQrPs2W7IDdXBoDZYkvR5TJWBwEsjG0cXFIQ0<br>bbZPO:BVL/Eiz6OhrNoQzsnwBoDjR51hljrckO<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x155f7<br>timedatestamp.....: 0x41107b4d (Wed Aug 04 05:59:41 2004)<br>machinetype.......: 0x14c (I386)<br><br>( 9 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x380 0x9672 0x9680 6.45 70b67d65eb28dcccdcba61a31c4d40e2<br>NONPAGE 0x9a00 0x18e8 0x1900 6.48 5629c7db94fbcf0123c267ec52f0c942<br>.rdata 0xb300 0xa54 0xa80 4.37 569d2979d21f645730a1a59fd512d25c<br>.data 0xbd80 0xd94 0xe00 0.44 77b784be18c5257bf3b9c132a03019db<br>PAGESCAN 0xcb80 0x154f 0x1580 6.15 d1c7adb0c1e5491b58c485d62076561f<br>PAGE 0xe100 0x5f54 0x5f80 6.46 0951fe4f10eee3d01d5d5aab9a0472bc<br>INIT 0x14080 0x22a0 0x2300 6.48 4354ab341533bda39d4f4dc3548ef9bd<br>.rsrc 0x16380 0x3f0 0x400 3.40 0184b21986944fd39532f818b4c642ab<br>.reloc 0x16780 0xcf0 0xd00 6.46 ae8fd4a932f7899f6257876856210914<br><br>( 3 imports ) <br>> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, PoCallDriver, IoCreateDevice, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, KeCancelTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, RtlCopyUnicodeString, memmove, MmHighestUserAddress<br>> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR<br>> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)<br>Generic Win/DOS Executable (15.9%)<br>DOS Executable Generic (15.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: (c) Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: IDE/ATAPI Port Driver<br>original name: atapi.sys<br>internal name: atapi.sys<br>file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
packers (Kaspersky): PE_Patch
 
File iastor.sys.bak received on 2009.12.07 23:22:47 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 -
AhnLab-V3 5.0.0.2 2009.12.08 -
AntiVir 7.9.1.102 2009.12.07 -
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 -
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.07 -
eTrust-Vet 35.1.7163 2009.12.07 -
F-Prot 4.5.1.85 2009.12.07 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 -
Ikarus T3.1.1.74.0 2009.12.07 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5825 2009.12.07 -
McAfee+Artemis 5825 2009.12.07 -
McAfee-GW-Edition 6.8.5 2009.12.07 -
Microsoft 1.5302 2009.12.07 -
NOD32 4668 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.07 -
PCTools 7.0.3.5 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 -
Sunbelt 3.2.1858.2 2009.12.07 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.088 2009.12.07 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.07 -
Additional information
File size: 477952 bytes
MD5...: d7731536e183b4397402ca6f9e1d52f7
SHA1..: 1bb9158a3634e29c3abe1d88707ba0f1b21d9dff
SHA256: 32c7fbb2f151faa4f0b4a77fd11bf3098b5691d5dbcf1e3648b932d792174241
ssdeep: 6144:DzF2q7zhUndlZP4+7ewqZ4Z+1liPqoROGwiSm:lpnhUndc6+1liyuX<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x3676<br>timedatestamp.....: 0x40e1b22a (Tue Jun 29 18:17:14 2004)<br>machinetype.......: 0x14c (I386)<br><br>( 6 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x300 0x37f3e 0x37f80 6.58 b087a0b6145bab659f8ae9db70ed72ba<br>.rdata 0x38280 0x11a4 0x1200 4.96 dec4ad02df321c919de1d35469dfbfa4<br>.data 0x39480 0x38574 0x38580 0.11 671f49fab98da90ec610bcef549b3cb1<br>INIT 0x71a00 0xd2c 0xd80 5.58 b09f4f0968adf979bba0cc6a5a61f374<br>.rsrc 0x72780 0x448 0x480 3.17 b38228c938a2779e4a9bee57de9af68a<br>.reloc 0x72c00 0x1ebe 0x1f00 5.99 1ed403ca7ea327de46f73c9f99624e43<br><br>( 2 imports ) <br>> ntoskrnl.exe: memmove, _vsnprintf, KeInsertQueueDpc, MmAllocateNonCachedMemory, KeInitializeSpinLock, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, IoInvalidateDeviceRelations, IoFreeWorkItem, IoRequestDeviceEject, IoQueueWorkItem, IoAllocateWorkItem, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, IofCompleteRequest, IofCallDriver, IoGetDmaAdapter, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwCreateKey, swprintf, KeWaitForSingleObject, KeInitializeEvent, IoDisconnectInterrupt, IoGetConfigurationInformation, IoDeleteDevice, ExDeleteNPagedLookasideList, KeCancelTimer, IoFreeIrp, KeLeaveCriticalRegion, KeEnterCriticalRegion, IoDetachDevice, IoDeleteSymbolicLink, IoConnectInterrupt, IoReleaseRemoveLockAndWaitEx, strstr, strncat, sprintf, IoBuildDeviceIoControlRequest, PoSetPowerState, PoRegisterDeviceForIdleDetection, RtlCompareMemory, KeClearEvent, IoInitializeRemoveLockEx, ObfReferenceObject, KeSetTimer, KeBugCheckEx, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlCopyUnicodeString, IoReleaseRemoveLockEx, KeSetEvent, KeRemoveQueueDpc, ObfDereferenceObject, IoGetAttachedDeviceReference, IoAllocateIrp, IoInvalidateDeviceState, strncpy, strncmp, PoRequestPowerIrp, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, _local_unwind2, MmMapLockedPagesSpecifyCache, PsTerminateSystemThread, KeWaitForMultipleObjects, _allmul, KeBugCheck, KeSetPriorityThread, ObReferenceObjectByHandle, PsCreateSystemThread, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, MmMapIoSpace, IoReportResourceForDetection, MmUnmapIoSpace, RtlCheckRegistryKey, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoCreateDevice, RtlUnicodeStringToInteger, wcsncpy, wcsstr, _wcsupr, IoGetDeviceProperty, ZwCreateDirectoryObject, READ_REGISTER_ULONG, PsGetVersion, _alldiv, PoStartNextPowerIrp, PoCallDriver, ExSystemTimeToLocalTime, KeQuerySystemTime, _purecall, _except_handler3, RtlCreateRegistryKey, DbgPrint, ZwOpenKey, ZwClose, ZwQueryValueKey, RtlWriteRegistryValue, RtlInitUnicodeString, wcslen, ExAllocatePoolWithTag, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, RtlQueryRegistryValues, ExFreePoolWithTag, KeNumberProcessors, MmGetPhysicalAddress, IoAcquireRemoveLockEx, WRITE_REGISTER_ULONG<br>> HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, READ_PORT_ULONG, WRITE_PORT_ULONG, WRITE_PORT_BUFFER_ULONG, READ_PORT_BUFFER_ULONG, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR, READ_PORT_UCHAR, KeStallExecutionProcessor, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, HalGetInterruptVector<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)<br>Generic Win/DOS Executable (15.9%)<br>DOS Executable Generic (15.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:<br>publisher....: Intel Corporation<br>copyright....: Copyright(C) Intel Corporation 1994-2004<br>product......: Intel Application Accelerator driver<br>description..: Intel Application Accelerator driver<br>original name: iaStor.sys<br>internal name: iaStor.sys<br>file version.: 4.5.0.6515<br>comments.....: <br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
 
Hi,

Please post a fresh GMER log too and let me know how's the system running.
 
Here is the new log.

The computer is doing better but internet explorer still wont open and on every start there is a file called helpassistant that creates itself and copies all my files into it causing it to run terribly slow. Firefox after about 10 minuets of being open will bog down and then not respond and shut itself down.
 
Hi,

Please run ComboFix and let it update itself. Post back the report.
 
ComboFix 09-12-09.04 - Brian2 12/10/2009 18:46:17.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.698 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-08 21:07 . 2009-12-08 21:07 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-08 20:42 . 2009-12-08 20:42 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-12-07 23:57 . 2009-12-07 23:57 12487137 ----a-w- c:\program files\Mozilla Firefox.zip
2009-12-07 22:51 . 2009-12-07 22:51 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-07 22:51 . 2009-12-07 22:51 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\Incomplete
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-07 22:42 . 2009-12-08 21:07 -------- d-----w- c:\documents and settings\HelpAssistant
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 23:54 . 2008-11-23 23:33 92540704 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-10 23:43 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-10 23:43 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-10 23:43 . 2008-11-23 23:33 1239740 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 23:43 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-10 23:43 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-24 16:42 . 2005-02-23 13:37 -------- d-----w- c:\program files\Java
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-10 23:45 . 2009-12-10 23:45 16384 c:\windows\temp\Perflib_Perfdata_ad0.dat
+ 2009-12-10 23:44 . 2009-12-10 23:44 16384 c:\windows\temp\Perflib_Perfdata_3d0.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 18:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86794F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86794f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\klogon.dll
.
Completion time: 2009-12-10 18:57:41
ComboFix-quarantined-files.txt 2009-12-10 23:57
ComboFix2.txt 2009-12-05 02:18
ComboFix3.txt 2009-12-02 20:44
ComboFix4.txt 2009-12-01 05:10
ComboFix5.txt 2009-12-10 23:28

Pre-Run: 104,895,016,960 bytes free
Post-Run: 104,833,671,168 bytes free

- - End Of File - - 5543C1093DAB9639ECAC0C366DD53158
 
Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
MBR::


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
 
ComboFix 09-12-09.04 - Brian2 12/11/2009 18:27:27.11.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.698 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian2\Desktop\CFScript.txt
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-08 21:07 . 2009-12-08 21:07 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-08 20:42 . 2009-12-08 20:42 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-12-07 23:57 . 2009-12-07 23:57 12487137 ----a-w- c:\program files\Mozilla Firefox.zip
2009-12-07 22:51 . 2009-12-07 22:51 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-07 22:51 . 2009-12-07 22:51 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\Incomplete
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-07 22:43 . 2009-12-07 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-07 22:42 . 2009-12-11 23:27 -------- d-----w- c:\documents and settings\HelpAssistant
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 23:53 . 2008-11-23 23:33 92777248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-11 23:47 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-11 23:47 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-11 23:47 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-11 23:47 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-11 23:47 . 2008-11-23 23:33 1243508 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-24 16:42 . 2005-02-23 13:37 -------- d-----w- c:\program files\Java
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-29 07:45 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 11:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-13 10:53 . 2004-08-04 11:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 11:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 11:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8678DF30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x8678df30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\klogon.dll
c:\program files\Defender Pro\Defender Pro Internet Security 6.0\adialhk.dll

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\program files\Defender Pro\Defender Pro Internet Security 6.0\scrchpg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTHELPER.EXE
.
**************************************************************************
.
Completion time: 2009-12-11 19:05:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-12 00:04
ComboFix2.txt 2009-12-10 23:57
ComboFix3.txt 2009-12-05 02:18
ComboFix4.txt 2009-12-02 20:44
ComboFix5.txt 2009-12-11 23:16

Pre-Run: 104,746,704,896 bytes free
Post-Run: 104,644,087,808 bytes free

- - End Of File - - AFBDBB81A1964D434F3658C92FC6A81E
 
Hi,

Have you tried to update your antivirus software? Please try and see if it works now (run a scan with it if update was successful). How about slowness, does it still exist?
 
You must log in or register to reply here.
Back
Top