BullGuard Antivirus Forum > Virus Removal > Removal Help
ComboFix on Windows 7 32 bit?
32 posts in this thread.
gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/1/2010 9:43 AM (GMT +3)
I have found that my atapi.sys is infected with a redirector virus. Hitman Pro 3.5 found it and I was wondering if I could use Combofix on a Windows 7 x86 machine to fix it. I have never used Combofix though I've read that it has worked for some people on Vista machines and I wanted to know if anyone had any experience or ideas. This is certainly a nasty redirector virus. Thank You.

Just another question,
There are four versions of atapi.sys on my c:\ in different directories. The one that's showing infected is in C:\Windows\System32\drivers
Would it be possible to replace this infected one with one of the other files?
Just a thought.

Post Edited (gamaheu) : 01-01-2010 08:01:28 GMT

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/2/2010 1:02 AM (GMT +3)
Welcome to BG forums gamaheu,

Not real sure I would change anything based on what that "Hitman" software indicates. Let's get some scan info to see what all is there.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/2/2010 4:47 AM (GMT +3)
Hi Jintan, Thank you for your response.
I downloaded the RSIT app, though when running RSIT.exe and clicking Continue it says it's running HijackThis and produces an error: "AutoIt Error Line -1: Error: Variable used without being declared." The OK button closes the program. In the background it does say "listing services and drivers" but closes. No logs produced. I did disable all antivirus apps and ran the app in administrator mode. Any other ideas? Thanks again.
Gary
Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/2/2010 5:05 AM (GMT +3)
Sorry, I had overlooked that it is Windows 7. Few of our tools are set for that just yet, though some like RSIT work on one, and then not on another. And you very much would not want to be running a change-making scan like ComboFix on that either.


Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top check "Scan All Users", then click "Quick Scan". Make no other changes at this time.

Once the scan completes the results will open in Notepad - copy/paste those back here please.
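Added example, not part of the thread and not OTL's own code: when an OTL log like the one requested above comes back, a reviewer skims the PRC/MOD/SRV listings and the O4 autorun entries for files that carry no publisher string and for autorun values whose target is missing, since OTL's company-name whitelist has already hidden the well-known publishers. The small parser below does that triage over a few lines taken from the log posted later in this thread. The regular expressions are reverse-engineered from that excerpt (an assumption about the line format, not OTL's documented grammar), and DRV lines, which carry a third bracketed field, are deliberately not handled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Process / module / service entries, e.g.
#   PRC - [2009/12/31 00:30:42 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\...\OTL.exe
#   SRV - [...] (Malwarebytes Corporation) [Auto | Running] -- C:\...\mbamservice.exe -- (MBAMService)
# Assumption: pattern inferred from the log excerpt in this thread, not from OTL documentation.
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV) - "
    r"\[(?P<mtime>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|\]]+?) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<start>[^|\]]+?) \| (?P<state>[^\]]+?)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]+)\))?$"
)

# Autorun entries, e.g.
#   O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio 2010\5.0\CPMonitor.exe ()
#   O4 - HKLM..\Run: [] File not found
AUTORUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<rest>.*)$"
)
TARGET_RE = re.compile(r"^(?P<path>.+) \((?P<company>[^)]*)\)$")


@dataclass
class Entry:
    kind: str                      # PRC, MOD, SRV or O4
    path: Optional[str]            # None when OTL reports "File not found"
    company: Optional[str]         # publisher string OTL read from the file; "" when absent
    size: Optional[int] = None     # bytes, from the "00,513,536" field
    name: Optional[str] = None     # service name or autorun value name
    state: Optional[str] = None    # Running / Stopped for services
    flags: List[str] = field(default_factory=list)  # triage reasons, filled by triage()


def parse_otl(text: str) -> List[Entry]:
    """Parse the entry kinds above out of an OTL log; every other line is skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                kind=m["kind"], path=m["path"], company=m["company"],
                size=int(m["size"].replace(",", "")), name=m["name"], state=m["state"],
            ))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            rest = m["rest"]
            if rest == "File not found":
                entries.append(Entry(kind="O4", path=None, company=None, name=m["value"]))
            else:
                t = TARGET_RE.match(rest)
                path, company = (t["path"], t["company"]) if t else (rest, "")
                entries.append(Entry(kind="O4", path=path, company=company, name=m["value"]))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Return the entries a reviewer would look at first, with the reasons attached.

    OTL's Company Name Whitelist already hides well-known publishers, so what is
    left to flag is: files with no publisher string at all, and autorun values
    whose target no longer exists (usually leftovers of a removed or broken
    program, but worth confirming by hand).
    """
    flagged: List[Entry] = []
    for e in entries:
        reasons = []
        if e.path is None:
            reasons.append("autorun target missing")
        elif not e.company:
            reasons.append("no publisher string")
        if e.kind == "O4" and e.name == "":
            reasons.append("empty autorun value name")
        if reasons:
            e.flags = reasons
            flagged.append(e)
    return flagged


# Sample input: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2009/12/31 00:30:42 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Gary\Desktop\VIRUS TOOLS & LOGS\OTL.exe
PRC - [2009/07/21 11:50:02 | 00,084,464 | ---- | M] () -- C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
SRV - [2009/12/30 14:55:18 | 00,235,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/06/02 19:05:58 | 00,457,200 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio 2010\5.0\CPMonitor.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for e in triage(parse_otl(SAMPLE_LOG)):
        print(f"{e.kind:3} {e.name or ''!r:30} {e.path or '<missing>'}  <- {', '.join(e.flags)}")
```

On the sample above this flags the two Roxio binaries with an empty publisher field, the SaibSVC service, and the empty `[] File not found` Run value; everything Malwarebytes or Microsoft signed passes. A listing like this can only say what user-mode enumeration sees on disk and in the registry; it cannot confirm or rule out a tampered kernel driver such as the atapi.sys finding that started this thread, which is what the Gmer rootkit scan requested earlier is for.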
gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/3/2010 12:21 AM (GMT +3)
Hi Jintan
I thought that might be the case with RSIT. I ran the OTL app and below is the report log.

OTL logfile created on: 1/2/2010 4:10:15 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Users\Gary\Desktop\VIRUS TOOLS & LOGS
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.71 Gb Total Space | 11.97 Gb Free Space | 17.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GARY-PC
Current User Name: Gary
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/31 00:30:42 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Gary\Desktop\VIRUS TOOLS & LOGS\OTL.exe
PRC - [2009/12/30 14:55:18 | 00,235,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/12/30 14:55:16 | 00,429,392 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2009/12/02 09:17:44 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/20 01:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
PRC - [2009/07/21 11:50:02 | 00,084,464 | ---- | M] () -- C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
PRC - [2009/07/13 20:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 20:14:20 | 02,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/06/23 17:40:12 | 00,127,352 | ---- | M] (CinemaNow, Inc.) -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
PRC - [2009/06/23 01:18:52 | 00,494,064 | ---- | M] () -- C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/06/02 19:05:58 | 00,457,200 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
PRC - [2009/03/24 01:01:00 | 00,113,136 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe
PRC - [2009/02/16 12:11:44 | 00,269,824 | ---- | M] () -- C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/11/15 19:06:00 | 00,815,104 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2009/12/31 00:30:42 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Gary\Desktop\VIRUS TOOLS & LOGS\OTL.exe
MOD - [2009/07/13 20:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/30 14:55:18 | 00,235,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/10/20 01:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe -- (NIS)
SRV - [2009/07/24 08:33:34 | 00,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe -- (RoxWatch12)
SRV - [2009/07/24 08:33:10 | 01,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe -- (RoxMediaDB12)
SRV - [2009/07/13 20:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/06/23 17:40:12 | 00,127,352 | ---- | M] (CinemaNow, Inc.) [Auto | Running] -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe -- (CinemaNow Service)
SRV - [2009/06/02 19:05:58 | 00,457,200 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
IE - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\S-1-5-21-2954347047-1473714683-3424651927-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\S-1-5-21-2954347047-1473714683-3424651927-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.altavista.com/"
FF - prefs.js..extensions.enabledItems: YoutubeDownloader@PeterOlayev.com:1.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {4C0766D3-67A7-45a3-85A2-752F77312F32}:4.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2009/12/24 22:10:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4C0766D3-67A7-45a3-85A2-752F77312F32}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2009/12/24 22:10:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/24 22:06:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/25 00:18:37 | 00,000,000 | ---D | M]

[2009/12/25 00:02:37 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Mozilla\Extensions
[2010/01/01 20:58:48 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions
[2009/12/29 23:17:09 | 00,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/12/29 21:05:20 | 00,000,000 | ---D | M] (No name found) -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/01/01 20:58:48 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\smarterwiki@wikiatic.com
[2010/01/01 20:58:48 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\staged-xpis
[2009/12/29 21:08:23 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\YoutubeDownloader@PeterOlayev.com
[2009/12/24 22:06:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (824 bytes) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio 2010\5.0\CPMonitor.exe ()
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe (Sonic Solutions)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)
O15 - HKU\S-1-5-21-2954347047-1473714683-3424651927-1001\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/01 20:29:58 | 00,000,000 | ---D | C] -- C:\rsit
[2010/01/01 01:26:52 | 00,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/01/01 01:26:50 | 00,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2009/12/31 22:55:53 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/31 01:13:08 | 00,000,000 | ---D | C] -- C:\Users\Gary\Desktop\VIRUS TOOLS & LOGS
[2009/12/31 00:53:41 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/30 23:49:51 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/30 23:49:49 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/30 23:49:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/30 22:05:19 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Malwarebytes
[2009/12/30 22:04:52 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/29 23:25:28 | 00,000,000 | ---D | C] -- C:\Program Files\Xvid
[2009/12/29 23:12:28 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\VideoReDo-TVSuite
[2009/12/29 23:12:28 | 00,000,000 | ---D | C] -- C:\Program Files\VideoReDoTVSuite
[2009/12/28 21:20:44 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/12/28 21:20:19 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Apple
[2009/12/28 21:20:14 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/12/28 21:20:14 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple
[2009/12/28 21:19:48 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\AirMouse
[2009/12/28 21:19:17 | 00,000,000 | ---D | C] -- C:\Program Files\Air Mouse
[2009/12/28 21:18:24 | 00,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2009/12/27 19:10:42 | 00,000,000 | ---D | C] -- C:\Users\Gary\Documents\Snagit
[2009/12/27 12:18:51 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/27 12:11:23 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\TechSmith
[2009/12/27 12:11:12 | 00,000,000 | ---D | C] -- C:\Users\Gary\Documents\Camtasia Studio
[2009/12/27 12:07:18 | 00,107,864 | ---- | C] (TechSmith Corporation) -- C:\Windows\System32\tsccvid.dll
[2009/12/27 12:07:17 | 00,000,000 | ---D | C] -- C:\Windows\System32\QuickTime
[2009/12/27 12:06:48 | 00,000,000 | ---D | C] -- C:\ProgramData\TechSmith
[2009/12/27 12:06:45 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/27 12:06:27 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\TechSmith Shared
[2009/12/27 12:06:26 | 00,000,000 | ---D | C] -- C:\Program Files\TechSmith
[2009/12/26 12:39:29 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Macrovision
[2009/12/26 12:39:08 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Sonic_Solutions
[2009/12/26 12:37:20 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Roxio
[2009/12/26 12:34:07 | 00,000,000 | ---D | C] -- C:\ProgramData\Uninstall
[2009/12/26 12:29:52 | 00,000,000 | ---D | C] -- C:\ProgramData\CinemaNow
[2009/12/26 12:29:46 | 00,000,000 | ---D | C] -- C:\Program Files\CinemaNow
[2009/12/26 12:28:28 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Simple Star
[2009/12/26 12:28:28 | 00,000,000 | ---D | C] -- C:\Users\Gary\Documents\My PhotoShows
[2009/12/26 12:28:25 | 00,000,000 | ---D | C] -- C:\ProgramData\PhotoShow Shared Assets
[2009/12/26 12:28:23 | 00,000,000 | ---D | C] -- C:\Program Files\Roxio
[2009/12/26 12:27:40 | 00,000,000 | ---D | C] -- C:\Program Files\InstallShield Installation Information
[2009/12/26 12:27:30 | 00,000,000 | ---D | C] -- C:\ProgramData\eSellerate
[2009/12/26 12:27:29 | 00,000,000 | ---D | C] -- C:\ProgramData\SmartSound Software Inc
[2009/12/26 12:27:29 | 00,000,000 | ---D | C] -- C:\Program Files\SmartSound Software
[2009/12/26 12:26:50 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2009/12/26 12:24:40 | 00,000,000 | ---D | C] -- C:\ProgramData\Sonic
[2009/12/26 12:22:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2009/12/26 12:21:03 | 00,000,000 | ---D | C] -- C:\ProgramData\Roxio
[2009/12/26 12:20:47 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared
[2009/12/26 12:20:46 | 00,000,000 | ---D | C] -- C:\Program Files\Roxio 2010
[2009/12/26 12:20:46 | 00,000,000 | ---D | C] -- C:\ProgramData\Macrovision
[2009/12/26 12:20:28 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Roxio Shared
[2009/12/26 12:16:45 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Roxio Log Files
[2009/12/26 10:55:18 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\WinRAR
[2009/12/26 10:55:06 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/12/25 20:21:07 | 00,000,000 | ---D | C] -- C:\Program Files\GrabIt
[2009/12/25 00:38:30 | 00,501,888 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\cchpx86.sys
[2009/12/25 00:38:30 | 00,339,504 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\symtdiv.sys
[2009/12/25 00:38:30 | 00,328,752 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\SymDS.sys
[2009/12/25 00:38:30 | 00,325,168 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\srtsp.sys
[2009/12/25 00:38:30 | 00,171,056 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\SymEFA.sys
[2009/12/25 00:38:30 | 00,114,736 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\Ironx86.sys
[2009/12/25 00:38:30 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1101000.013\srtspx.sys
[2009/12/25 00:38:09 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\NIS\1101000.013
[2009/12/25 00:32:09 | 00,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2009/12/25 00:29:52 | 00,000,000 | ---D | C] -- C:\Windows\Prefetch
[2009/12/25 00:27:22 | 00,000,000 | ---D | C] -- C:\Windows\Panther
[2009/12/25 00:16:38 | 00,000,000 | ---D | C] -- C:\Program Files\Synaptics
[2009/12/25 00:16:15 | 00,196,608 | ---- | C] (Synaptics, Inc.) -- C:\Windows\System32\SynCtrl.dll
[2009/12/25 00:16:15 | 00,179,256 | ---- | C] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys
[2009/12/25 00:16:15 | 00,163,840 | ---- | C] (Synaptics, Inc.) -- C:\Windows\System32\SynCOM.dll
[2009/12/25 00:16:15 | 00,143,360 | ---- | C] (Synaptics, Inc.) -- C:\Windows\System32\SynTPAPI.dll
[2009/12/25 00:16:15 | 00,110,592 | ---- | C] (Synaptics, Inc.) -- C:\Windows\System32\SynTPCo4.dll
[2009/12/25 00:12:42 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Apps
[2009/12/25 00:12:41 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Deployment
[2009/12/25 00:06:58 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Macromedia
[2009/12/25 00:06:58 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Adobe
[2009/12/25 00:06:53 | 00,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2009/12/25 00:06:29 | 00,000,000 | ---D | C] -- C:\ProgramData\NOS
[2009/12/25 00:02:23 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Mozilla
[2009/12/25 00:02:23 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Mozilla
[2009/12/24 22:52:22 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2009/12/24 22:51:31 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\uTorrent
[2009/12/24 22:47:42 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Movie Label
[2009/12/24 22:46:14 | 00,000,000 | ---D | C] -- C:\Program Files\Movie Label 2010
[2009/12/24 22:39:19 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Publish Providers
[2009/12/24 22:39:03 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2009/12/24 22:39:00 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Roaming\Sony
[2009/12/24 22:39:00 | 00,000,000 | ---D | C] -- C:\Users\Gary\AppData\Local\Sony
[2009/12/24 22:29:51 | 00,000,000 | ---D | C] -- C:\ProgramData\Sony
[2009/12/24 22:29:38 | 00,000,000 | ---D | C] -- C:\Program Files\Sony
[2009/12/24 22:27:01 | 00,000,000 | -HSD | C] -- C:\Windows\Installer
[2009/12/24 22:26:29 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Setup
[2009/12/24 22:22:55 | 00,000,000 | ---D | C] -- C:\Program Files\MagicISO
[2009/12/24 22:10:17 | 00,124,976 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2009/12/24 22:10:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared

========== Files - Modified Within 14 Days ==========


========== Files Created - No Company Name ==========


========== LOP Check ==========

[2009/12/24 22:47:42 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Movie Label
[2009/12/24 22:39:19 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Publish Providers
[2009/12/26 12:28:28 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Simple Star
[2009/12/24 22:39:00 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Sony
[2010/01/01 20:33:32 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\uTorrent
[2009/12/29 23:12:33 | 00,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\VideoReDo-TVSuite
[2009/07/13 23:53:46 | 00,003,398 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:66633281
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:0888F409
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86
< End of report >

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/3/2010 6:20 AM (GMT +3)
No malware in that view. Although the infection can mask its presence in a file, let's check the file copies you have there. Again, not really sure working from just some Hitman Pro means infection exists.


Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
atapi.sys


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

------------------

And although it may not work, Download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

cd\
mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/3/2010 10:35 PM (GMT +3)
OK, great, they both worked. Below are the log files. Thanks again.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:29 on 03/01/2010 by Gary (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [02:23 06/07/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [02:04 28/12/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-

_____________________________________________________________________________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x85968826]<<
kernel: MBR read successfully
user & kernel MBR OK
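A small triage helper for the two logs in the post above, added here as an example; it is not part of the thread and not code from SystemLook or mbr.exe. It parses constructed copies of the SystemLook filefind output and the mbr.exe output, compares the atapi.sys that Windows loads from System32\drivers against the reference copies in DriverStore and winsxs, and pulls out the >>UNKNOWN<< entry; the order of the two SystemLook timestamps (created, then modified) is an assumption.

```python
"""Triage the SystemLook ":filefind" and Gmer mbr.exe logs pasted above.

Added example, not part of the thread and not code from SystemLook or mbr.exe.
Inputs are constructed copies of the logs as they appear in the post.
"""
import re
from datetime import datetime

# Constructed sample in SystemLook ":filefind" format (values copied from the post above).
SYSTEMLOOK_LOG = """Searching for "atapi.sys"
C:\\i386\\atapi.sys --a--- 95360 bytes [02:23 06/07/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\\Windows\\System32\\DriverStore\\FileRepository\\mshdc.inf_x86_neutral_f64b9c35a3a5be81\\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\\Windows\\System32\\drivers\\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [02:04 28/12/2009] 338C86357871C167A96AB976519BF59E
C:\\Windows\\winsxs\\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
"""

# Constructed sample of Gmer mbr.exe -t output (copied from the post above).
MBR_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x85968826]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# One SystemLook hit: path, attribute flags, size, two timestamps, MD5.
FILE_RE = re.compile(
    r"^(?P<path>\S+) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<first>[^\]]+)\] \[(?P<second>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
STAMP = "%H:%M %d/%m/%Y"


def parse_systemlook(log):
    """Return one dict per file hit. Assumption: the first bracketed stamp is the
    creation time and the second the last-modified time (the date the poster quotes)."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "size": int(m["size"]),
                "created": datetime.strptime(m["first"], STAMP),
                "modified": datetime.strptime(m["second"], STAMP),
                "md5": m["md5"].upper(),
            })
    return entries


def check_live_driver(entries, name="atapi.sys"):
    """Compare the copy Windows loads from System32\\drivers with the pristine copies
    it keeps in DriverStore and winsxs. A differing MD5 or size is strong evidence the
    on-disk file was altered; a newer modified time on its own is only weak evidence."""
    live = [e for e in entries if e["path"].lower().endswith("\\system32\\drivers\\" + name)]
    refs = [e for e in entries
            if "\\driverstore\\" in e["path"].lower() or "\\winsxs\\" in e["path"].lower()]
    if not live or not refs:
        return {"status": "inconclusive", "findings": ["live or reference copy not found"]}
    live = live[0]
    ref_md5s = {r["md5"] for r in refs}
    ref_sizes = {r["size"] for r in refs}
    findings = []
    if live["md5"] not in ref_md5s:
        findings.append("MD5 %s matches no reference copy %s" % (live["md5"], sorted(ref_md5s)))
    if live["size"] not in ref_sizes:
        findings.append("size %d differs from reference sizes %s" % (live["size"], sorted(ref_sizes)))
    newest_ref = max(r["modified"] for r in refs)
    if live["modified"] > newest_ref:
        findings.append("modified %s is later than newest reference copy %s"
                        % (live["modified"].date(), newest_ref.date()))
    status = "matches_reference" if live["md5"] in ref_md5s and live["size"] in ref_sizes else "altered"
    return {"status": status, "live": live["path"], "findings": findings}


def parse_mbr_log(log):
    """Pull the 'called modules' chain and any >>UNKNOWN [addr]<< entries out of mbr.exe
    output. UNKNOWN means a code address on the disk I/O path that mbr.exe could not map to
    a loaded module: worth following up, but, as the thread notes, not proof of infection."""
    modules, unknown = [], []
    for line in log.splitlines():
        if line.startswith("called modules:"):
            unknown = UNKNOWN_RE.findall(line)
            modules = UNKNOWN_RE.sub("", line[len("called modules:"):]).split()
    return {"modules": modules, "unknown": unknown, "mbr_ok": "user & kernel MBR OK" in log}


if __name__ == "__main__":
    verdict = check_live_driver(parse_systemlook(SYSTEMLOOK_LOG))
    print(verdict["status"], verdict["findings"])
    print(parse_mbr_log(MBR_LOG))
```

On the thread's own values the live copy hashes identically to the reference copies and only its newer modified date is flagged, which is exactly the ambiguity the helper keeps pointing out.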
Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/4/2010 3:46 AM (GMT +3)
The MBR log suggests a malware altered file, but never certain this indication isn't coming from something like Daemon Tools. Windows 7, so still pretty limited on what we can use there. But let's go ahead and do a file exchange, just to be sure.

Open OTL again.

Copy the script inside the Code box below, then right click and paste it in OTL under "Custom Scans/Fixes", then press the "Run Fix" button. Once OTL makes the exchange it will open a log file - post that back here please.

:files 
C:\WINDOWS\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys /replace


Also run and post back a new mbr.exe -t log.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/4/2010 7:22 AM (GMT +3)
OTL ran without error and required a reboot which also ran, though the report was generated immediately following the reboot yet it says that it cannot perform the replace without a reboot. It looks as though it did not work. I did however run the mbr again as well. The reports are below.

========== FILES ==========
Unable to replace file: C:\WINDOWS\System32\drivers\atapi.sys with C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys without a reboot.

OTL by OldTimer - Version 3.1.20.1 log created on 01032010_230044

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

___________________________________________________________________________________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x85968826]<<
kernel: MBR read successfully
user & kernel MBR OK

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/4/2010 7:35 AM (GMT +3)
I'm thinking that I can't do the replace while the machine is running because the atapi.sys driver is always in use and the OS cannot operate without it. Is this a possibility?

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/4/2010 8:10 PM (GMT +3)
Are you actually experiencing redirects when using searches, like Google? OTL's log shows file moved on reboot, but I have been concerned from the start here whether or not this system is in fact infected with the Olmarik file exchange malware. There are some softwares, especially Alcohol/Daemon Tools, that mimic this malware effect.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/7/2010 7:39 AM (GMT +3)
I may have spoken too soon in my last reply. The redirector seems to be gone. Google links are linking properly following the atapi.sys move. That driver was definitely the culprit. I installed and ran the ESET scanner and it found nothing. The log was empty. For the time being, all is well. I want to thank you for all your help.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/7/2010 8:05 AM (GMT +3)
I do not trust the results of Hitman Pro, but the last mbr.exe log did show the driver file altered. Your choice, but I would suggest you at least run and post back a new mbr.exe -t scan result to check.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/8/2010 2:12 AM (GMT +3)
OK, sounds good. I'll do that this evening and post back.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/8/2010 3:17 AM (GMT +3)
Good enough - post when ready and we will review then.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/8/2010 5:04 PM (GMT +3)
Well, unfortunately all is lost once more. Last night I shut down the system, which I rarely do, and it did about 17 updates, which took a while, and when it was finally back up, the rootkit was back. Google and Yahoo are totally useless and the infected atapi.sys file is back. The problem with this seems to be that I need to replace this file with a good one and keep it replaced, though somehow it reverted back to the infected one following an update.

The reason I was skeptical of the move being successful before was because I checked the dates of the four atapi.sys files on my drive and the one dated 12/27/2009 located in C:\Windows\System32\drivers was infected, and this was the same file in that location after the move and it's the same file there now. Two of the other files have a date of 7/13/2009 and one has a date of 8/03/2004. The one dated 12/27/2009 is the one that is infected and it is still there.

I need to replace this file permanently and delete the bad one for good.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/8/2010 8:40 PM (GMT +3)
There is a method that I believe will work for Windows 7. Let's get some current info and try it.

Open jpshortstuff's SystemLook again, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
atapi.sys


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

------------------

And again go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

cd\
mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/11/2010 2:11 AM (GMT +3)
Okay, great. Below are the logs.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:07 on 10/01/2010 by Gary (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [02:23 06/07/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [02:04 28/12/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-

_______________________________________________________________________________________________________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x8595B826]<<
kernel: MBR read successfully
user & kernel MBR OK

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/13/2010 1:45 AM (GMT +3)
Any new ideas?

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/13/2010 2:57 AM (GMT +3)
I was only just made aware that ComboFix can be used on Windows 7 systems. Using it is not without risks, but they might be few if any. Let's use that now and check. It also at times can do this file exchange we have been struggling with.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/14/2010 4:54 PM (GMT +3)
Okay, I will do this this evening and post back. Thank you for responding.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/15/2010 2:31 AM (GMT +3)
Just post when ready - I will get the email notification of that.

gamaheu
New Member
Date Joined Jan 2010
Total Posts : 16
Posted 1/16/2010 7:01 AM (GMT +3)
Hi Jintan, here is the log.

ComboFix 10-01-15.01 - Gary 01/15/2010 22:40:45.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.867 [GMT -5:00]
Running from: c:\users\Gary\Desktop\456out.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1956344920-1837760538-879324738-1006

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-08 04:29 . 2010-01-06 17:08 57856 ----a-w- c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-08 04:29 . 2010-01-06 17:08 344064 ----a-w- c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-08 04:29 . 2010-01-06 17:08 153600 ----a-w- c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-07 23:49 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-07 23:48 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-07 23:47 . 2010-01-07 23:47 -------- d-----w- c:\program files\MSXML 4.0
2010-01-07 22:33 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-01-07 22:33 . 2008-11-10 16:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-07 22:31 . 2010-01-07 22:38 -------- d-----w- c:\program files\Microsoft Works
2010-01-07 22:29 . 2010-01-07 22:29 -------- d-----w- c:\windows\PCHEALTH
2010-01-07 22:29 . 2010-01-07 22:29 -------- d-----w- c:\program files\Microsoft.NET
2010-01-07 22:27 . 2010-01-07 22:27 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-07 22:25 . 2010-01-07 22:25 -------- d-----w- c:\users\Gary\AppData\Local\Microsoft Help
2010-01-07 22:25 . 2010-01-07 22:43 -------- d-----w- c:\programdata\Microsoft Help
2010-01-07 22:22 . 2010-01-07 22:22 -------- d-----w- c:\users\Gary\AppData\Roaming\Apple Computer
2010-01-07 22:22 . 2010-01-07 22:22 -------- d-----w- c:\users\Gary\AppData\Local\Apple Computer
2010-01-07 22:22 . 2010-01-07 22:22 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-07 22:22 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-07 22:22 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-07 22:21 . 2010-01-07 22:21 -------- d-----w- c:\program files\iPod
2010-01-07 22:21 . 2010-01-07 22:21 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-07 22:21 . 2010-01-07 22:21 -------- d-----w- c:\program files\iTunes
2010-01-07 22:20 . 2010-01-07 22:20 -------- d-----w- c:\program files\Bonjour
2010-01-07 22:18 . 2010-01-07 22:21 -------- d-----w- c:\programdata\Apple Computer
2010-01-07 22:18 . 2010-01-07 22:18 -------- d-----w- c:\program files\Apple Software Update
2010-01-07 22:16 . 2010-01-07 22:21 -------- d-----w- c:\program files\Common Files\Apple
2010-01-07 01:25 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091230.004\IDSvix86.sys
2010-01-07 01:25 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091230.004\IDSXpx86.sys
2010-01-07 01:25 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091230.004\Scxpx86.dll
2010-01-07 01:25 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091230.004\IDSxpx86.dll
2010-01-07 01:25 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091230.004\IDSviA64.sys
2010-01-04 04:00 . 2010-01-04 04:00 -------- d-----w- C:\_OTL
2010-01-03 19:31 . 2010-01-03 19:30 77312 ----a-w- C:\mbr.exe
2010-01-02 01:29 . 2010-01-02 01:29 -------- d-----w- C:\rsit
2010-01-01 06:27 . 2010-01-08 03:45 13896 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-01 06:26 . 2010-01-01 06:26 -------- d-----w- c:\programdata\Hitman Pro
2010-01-01 06:26 . 2010-01-01 06:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-01 03:55 . 2010-01-01 03:55 -------- d-----w- c:\program files\CCleaner
2009-12-31 05:53 . 2009-12-31 05:53 -------- d-----w- c:\program files\Trend Micro
2009-12-31 04:50 . 2010-01-08 13:47 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 04:49 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 04:49 . 2010-01-08 13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 04:49 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 03:05 . 2009-12-31 03:05 -------- d-----w- c:\users\Gary\AppData\Roaming\Malwarebytes
2009-12-31 03:04 . 2009-12-31 03:04 -------- d-----w- c:\programdata\Malwarebytes
2009-12-30 04:25 . 2009-12-30 04:25 -------- d-----w- c:\program files\Xvid
2009-12-30 04:25 . 2009-06-07 21:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-30 04:25 . 2009-06-07 21:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-30 04:12 . 2009-12-30 04:12 -------- d-----w- c:\program files\VideoReDoTVSuite
2009-12-30 04:12 . 2009-12-30 04:12 -------- d-----w- c:\users\Gary\AppData\Roaming\VideoReDo-TVSuite
2009-12-29 02:20 . 2009-12-29 02:20 -------- d-----w- c:\users\Gary\AppData\Local\Apple
2009-12-29 02:20 . 2009-12-29 02:20 -------- d-----w- c:\programdata\Apple
2009-12-29 02:19 . 2009-12-29 02:19 -------- d-----w- c:\users\Gary\AppData\Local\AirMouse
2009-12-29 02:19 . 2009-12-29 02:19 -------- d-----w- c:\program files\Air Mouse
2009-12-29 02:18 . 2009-12-29 02:18 -------- d-----w- c:\windows\Downloaded Installations
2009-12-27 17:18 . 2009-12-27 17:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 17:11 . 2009-12-27 23:49 -------- d-----w- c:\users\Gary\AppData\Local\TechSmith
2009-12-27 17:07 . 2009-08-19 10:18 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-12-27 17:06 . 2009-12-27 23:49 -------- d-----w- c:\programdata\TechSmith
2009-12-27 17:06 . 2010-01-07 22:19 -------- d-----w- c:\program files\QuickTime
2009-12-27 17:06 . 2009-12-27 17:06 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-12-27 17:06 . 2009-12-27 23:49 -------- d-----w- c:\program files\TechSmith
2009-12-26 17:39 . 2009-12-26 17:39 -------- d-----w- c:\users\Gary\AppData\Roaming\Macrovision
2009-12-26 17:39 . 2009-12-26 17:39 -------- d-----w- c:\users\Gary\AppData\Local\Sonic_Solutions
2009-12-26 17:37 . 2010-01-07 04:46 -------- d-----w- c:\users\Gary\AppData\Roaming\Roxio
2009-12-26 17:34 . 2009-07-22 03:53 594432 ----a-w- c:\programdata\Uninstall\{89A15676-78AE-4D51-BF5B-DEE3E0D46C94}\bin\setupresENU.dll
2009-12-26 17:34 . 2009-05-26 08:10 190960 ----a-w- c:\programdata\Uninstall\{89A15676-78AE-4D51-BF5B-DEE3E0D46C94}\bin\rsl.dll
2009-12-26 17:34 . 2009-12-26 17:34 -------- d-----w- c:\programdata\Uninstall
2009-12-26 17:34 . 2009-07-22 15:14 4890096 ----a-w- c:\programdata\Uninstall\{89A15676-78AE-4D51-BF5B-DEE3E0D46C94}\setup.exe
2009-12-26 17:30 . 2009-06-02 06:00 25584 ------w- c:\windows\system32\drivers\SaibVd32.sys
2009-12-26 17:30 . 2009-06-02 06:00 21488 ------w- c:\windows\system32\drivers\SahdIa32.sys
2009-12-26 17:30 . 2009-06-02 06:00 15856 ------w- c:\windows\system32\drivers\SaibIa32.sys
2009-12-26 17:29 . 2009-12-26 17:36 -------- d-----w- c:\programdata\CinemaNow
2009-12-26 17:29 . 2009-12-26 17:29 -------- d-----w- c:\program files\CinemaNow
2009-12-26 17:28 . 2009-12-26 17:28 -------- d-----w- c:\users\Gary\AppData\Roaming\Simple Star
2009-12-26 17:28 . 2009-12-26 17:28 -------- d-----w- c:\programdata\PhotoShow Shared Assets
2009-12-26 17:28 . 2009-12-26 17:30 -------- d-----w- c:\program files\Roxio
2009-12-26 17:27 . 2009-12-26 17:33 -------- d-----w- c:\program files\InstallShield Installation Information
2009-12-26 17:27 . 2009-12-26 17:27 -------- d-----w- c:\programdata\eSellerate
2009-12-26 17:27 . 2009-12-26 17:33 -------- d-----w- c:\programdata\SmartSound Software Inc
2009-12-26 17:27 . 2009-12-26 17:27 -------- d-----w- c:\program files\SmartSound Software
2009-12-26 17:26 . 2009-12-26 17:26 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-26 17:24 . 2009-12-26 17:32 -------- d-----w- c:\programdata\Sonic
2009-12-26 17:22 . 2009-12-26 17:33 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-26 17:21 . 2009-12-26 17:23 -------- d-----w- c:\programdata\Roxio
2009-12-26 17:20 . 2009-12-26 17:28 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-26 17:20 . 2009-12-26 17:31 -------- d-----w- c:\program files\Roxio 2010
2009-12-26 17:20 . 2009-12-26 17:20 -------- d-----w- c:\programdata\Macrovision
2009-12-26 17:20 . 2009-12-26 17:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-26 17:16 . 2009-12-26 17:16 -------- d-----w- c:\users\Gary\AppData\Roaming\Roxio Log Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 23:48 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-08 13:48 . 2010-01-08 13:48 696832 ----a-w- c:\windows\isRS-000.tmp
2010-01-07 22:30 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-12-26 17:19 . 2009-12-26 17:19 10134 ----a-r- c:\users\Gary\AppData\Roaming\Microsoft\Installer\{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}\ARPPRODUCTICON.exe
2009-12-25 05:16 . 2009-12-25 05:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-12-25 03:10 . 2009-12-25 03:10 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-25 03:10 . 2009-12-25 03:10 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-25 02:46 . 2009-12-25 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-1-12 25214]
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-2-16 269824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R0 SahdIa32;HDD Filter Driver;c:\windows\System32\drivers\SahdIa32.sys [12/26/2009 12:30 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\System32\drivers\SaibIa32.sys [12/26/2009 12:30 PM 15856]
R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1101000.013\SymDS.sys [12/25/2009 12:38 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1101000.013\SymEFA.sys [12/25/2009 12:38 AM 171056]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/4/2009 11:54 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1101000.013\cchpx86.sys [12/25/2009 12:38 AM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100112.001\IDSvix86.sys [1/14/2010 5:25 PM 343088]
R1 SaibVd32;Virtual Disk Driver;c:\windows\System32\drivers\SaibVd32.sys [12/26/2009 12:30 PM 25584]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1101000.013\Ironx86.sys [12/25/2009 12:38 AM 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1101000.013\symtdiv.sys [12/25/2009 12:38 AM 339504]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [12/25/2009 12:38 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/24/2009 10:09 PM 102448]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [6/10/2009 4:18 PM 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [7/13/2009 5:13 PM 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 5:13 PM 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [7/13/2009 5:13 PM 661504]
R4 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [12/30/2009 11:49 PM 19160]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/30/2009 11:49 PM 235344]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\Malwarebytes' Scheduled Update for Gary.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-31 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
FF - ProfilePath - c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\t6eohlu5.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x8595B826]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0x6871424e
SecurityProcedure -> 0x84cc9240
QueryNameProcedure -> 0x4100000
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-01-15 22:57:01
ComboFix-quarantined-files.txt 2010-01-16 03:56

Pre-Run: 19,400,273,920 bytes free
Post-Run: 19,419,971,584 bytes free

- - End Of File - - C33DFE9DCE07E5BC4885C963EEA96314
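A small triage helper, added here as an example (it is not part of the thread, ComboFix or OTL), that parses file-report lines in the format of the log above and flags drivers under system32\drivers whose modified time is months later than their created time, as atapi.sys is in the Find3M report; it also pulls the >>UNKNOWN<< address out of the MBR detector's "called modules" line. It assumes, as ComboFix's layout implies, that the first timestamp is last-modified and the second is created; the sample lines are constructed from the log.

```python
"""Triage helpers for ComboFix-style file-report lines (added example)."""
import re
from datetime import datetime

# Constructed sample lines in the format of the log above. The hitmanpro35.sys
# and mbam.sys lines show a created time later than the modified time, which is
# normal for a file copied into place by an installer.
SAMPLE_LINES = """\
2010-01-14 23:48 . 2009-07-13 23:11 21584 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2010-01-07 23:49 . 2009-09-10 05:52 257024 ----a-w- c:\\windows\\system32\\msv1_0.dll
2010-01-01 06:27 . 2010-01-08 03:45 13896 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
2010-01-07 22:22 . 2010-01-07 22:22 -------- dc----w- c:\\windows\\system32\\DRVSTORE
2009-12-31 04:49 . 2010-01-07 21:07 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x8595B826]<<
"""

# <modified> . <created> <size|--------> <attrs> <path>
# Assumption: the first timestamp is last-modified, the second is created.
_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S{8}) (.+)$"
)
_TS = "%Y-%m-%d %H:%M"


def parse_entry(line):
    """Return a dict for a file-report line, or None for any other line."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    modified, created, size, attrs, path = m.groups()
    return {
        "modified": datetime.strptime(modified, _TS),
        "created": datetime.strptime(created, _TS),
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs.startswith("d"),
        "attrs": attrs,
        "path": path,
    }


def flag_rewritten_drivers(text, min_days=90):
    """Paths of *.sys files under system32\\drivers whose contents were modified
    long after the file was created. A legitimately patched driver looks the
    same, so this is a list to verify by hash/signature, not a verdict."""
    flagged = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None or e["is_dir"]:
            continue
        p = e["path"].lower()
        if "\\system32\\drivers\\" not in p or not p.endswith(".sys"):
            continue
        if (e["modified"] - e["created"]).days >= min_days:
            flagged.append(e["path"])
    return flagged


def mbr_unknown_modules(text):
    """Addresses the MBR detector could not attribute to a named driver on its
    'called modules:' line (the >>UNKNOWN [0x...]<< marker in the log above)."""
    hits = []
    for line in text.splitlines():
        if line.startswith("called modules:"):
            hits += re.findall(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", line)
    return hits


if __name__ == "__main__":
    for path in flag_rewritten_drivers(SAMPLE_LINES):
        print("modified long after creation:", path)
    for addr in mbr_unknown_modules(SAMPLE_LINES):
        print("unattributed module in MBR call chain at", addr)
```

Run against a full ComboFix log, the flagged list is the set of drivers worth hashing against a known-good copy (for example the DriverStore FileRepository copy) before deciding anything.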

Jintan
Posted 1/16/2010 8:13 AM (GMT +3)
ComboFix normally shows when a legit file is altered, and is not picking that up with atapi.sys there at this time. But the MBR portion of ComboFix does still show the unknown boot level driver. Presents a bit of a situation about what file is actually being altered there. I will need to review other threads and situations on this one, and will post back tomorrow after doing that.

Jintan
Posted 1/17/2010 12:42 AM (GMT +3)
No other indicators in my reviewing that atapi.sys still is not the malware altered file we need to correct. Let's see if the earlier OTL method will work by using it slightly differently.


Open OTL again.

Copy the script inside the Code box below, then right click and paste it in OTL under "Custom Scans/Fixes", then press the "Run Fix" button. Once OTL makes the exchange it will open a log file - post that back here please.

:files 
[override]
C:\WINDOWS\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys /replace
:Commands
[REBOOT]


That should provide its own reboot, and perhaps it doing the file copy then may correct things.

Once the reboot is completed run and post back a new ComboFix scan log, and the OTL log please.