Can't delete a file to hopefully fix my computer...

My computer is running very slow, and I keep getting pop ups when I open IE. A window opens up from www.thewebsitesurvey.com. I have run Malwarebyte's Anti-Malware and have gotten rid of everything except one file...

Rootkit.Agent C:\WINDOWS\system32\drivers\jccnwb.sys

I have tried to delete the file and a pop up stated, "cannot delete jccnwb: cannot read from the source file or disk"

I tried to delete it from command prompt but i'm kinda confused with command prompt. Especially since when I open command prompt, it shows "C:\Documents and Settings\joe>" When I know that the problem file is NOT in documents and settings. Anyway, I have little knowledge on how to control the command prompt. I did try a million different "del" functions that I saw online, but nȯne worked, until it said, "A device attached to the system is not functioning."

I tried to start my computer in safe mode and it did not allow me. The black screen came up, I pressed the up arrow to highlight, then select "Safe Mode" and it said that something had changed perhaps because of something new installed. I haven't installed anything new. I also tried to click the other 2 Safe Mode options with no luck.

I also tried to find a system restore point. Unfortunately my computer mysteriously had NO restore points before this. (For the record, every time I've tried to use system restore in the past, it's done the same thing. I create a point and have it set to do them every so often, only to find that when I need a restore point, they are all gone.)

I'm not too knowledgeable with regedit, but I was wondering if I should just delete everything that has jccnwb in it??

The only thing that I can think is that I downloaded a song and maybe it was attached to it.

I have also run Spybot - Search and Destroy with no luck.

Thanks in advance for your help.

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

ComboFix 09-12-18.02 - joe 12/19/2009 2:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.207 [GMT -5:00]
Running from: c:\documents and settings\joe\desktop\commy.exe
Command switches used :: /stepdel
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Shared
c:\program files\Common\_helper.sig
c:\windows\Temp\126917694.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-18 22:22 . 2009-12-18 22:23 -------- d-----w- C:\879975c547e48e62032894fb4287a386
2009-12-18 22:21 . 2009-12-18 22:22 -------- d-----w- C:\3cb9b192c135617aa56b5cecc3
2009-12-17 21:57 . 2009-12-17 22:22 -------- d-----w- c:\windows\system32\NtmsData
2009-12-17 08:26 . 2009-12-18 23:48 -------- d-----w- c:\windows\system32\KB905474
2009-12-17 08:20 . 2009-12-17 08:20 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-17 08:14 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-17 03:18 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-17 03:10 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-17 02:25 . 2009-12-19 07:34 722432 ----a-w- c:\windows\system32\drivers\jccnwb.sys
2009-12-17 02:24 . 2009-12-17 02:24 157696 ----a-w- C:\enhs.exe
2009-11-29 23:53 . 2009-11-29 23:53 -------- d-----w- c:\program files\iPod
2009-11-29 23:53 . 2009-11-29 23:54 -------- d-----w- c:\program files\iTunes
2009-11-29 23:45 . 2009-11-29 23:47 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 07:02 . 2008-07-22 05:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-19 02:49 . 2009-04-30 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-17 22:25 . 2009-04-30 00:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-17 03:22 . 2008-11-04 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 21:14 . 2008-11-04 07:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-11-04 07:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 23:53 . 2009-07-23 21:58 -------- d-----w- c:\program files\Common Files\Apple
2009-11-16 06:01 . 2009-11-16 06:01 56892 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46 . 2008-04-14 09:42 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2008-04-14 09:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2008-04-14 09:41 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2008-04-14 09:42 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 09:41 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 04:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-14 09:42 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 09:42 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 09:42 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-16 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/28/2008 8:40 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 5:53 PM 102448]
S0 nrgvtllo;nrgvtllo;c:\windows\system32\drivers\mtsd.sys --> c:\windows\system32\drivers\mtsd.sys [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

--- Other Services/Drivers In Memory ---

*Deregistered* - jccnwb
.
------- Supplementary Scan -------
.
uStart Page = hxxp://one.drexel.edu/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
AddRemove-AltoMP3 Gold - c:\documents and settings\joe\Desktop\AltoMP3 Gold\uninst.exe
AddRemove-AntivirusPro2009 - c:\program files\AntivirusPro2009\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 02:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jccnwb]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1292428093-1547161642-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{99121B21-6B46-C2E6-06FB-D4E2D774C32A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaepjgldckcbjninpl"=hex:69,61,64,65,61,61,66,6f,61,68,66,63,63,69,64,65,67,6d,
00,00
"hakopeodpkokkfad"=hex:69,61,64,65,61,61,66,6f,61,68,66,63,63,69,64,65,67,6d,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-19 02:44:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 07:44

Pre-Run: 62,130,872,320 bytes free
Post-Run: 62,216,749,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EF1AAFBAFE4D81DEAD3AFAE1C1BC4EEA

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   File::
   C:\enhs.exe
   c:\windows\system32\mucltui.dll
   c:\windows\system32\drivers\jccnwb.sys
   c:\windows\system32\drivers\mtsd.sys
   
   Folder::
   c:\windows\system32\KB905474
   c:\windows\system32\NtmsData
   c:\program files\Microsoft CAPICOM 2.1.0.2
   C:\3cb9b192c135617aa56b5cecc3
   C:\879975c547e48e62032894fb4287a386
   
   Driver::
   nrgvtllo
   
   Registry::
   [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jccnwb]
   
   [HKEY_USERS\S-1-5-21-854245398-1292428093-1547161642-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{99121B21-6B46-C2E6-06FB-D4E2D774C32A}*]
   "iaepjgldckcbjninpl"=-
   "hakopeodpkokkfad"=-
   
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 09-12-18.02 - joe 12/19/2009 13:40:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.154 [GMT -5:00]
Running from: c:\documents and settings\joe\Desktop\commy.exe
Command switches used :: c:\documents and settings\joe\Desktop\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"C:\enhs.exe"
"c:\windows\system32\drivers\jccnwb.sys"
"c:\windows\system32\drivers\mtsd.sys"
"c:\windows\system32\mucltui.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3cb9b192c135617aa56b5cecc3
c:\3cb9b192c135617aa56b5cecc3\$shtdwn$.req
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\aspnet.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\clr.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\crt.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\dw.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\netfx_ca.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\netfx_core.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\netfx_other.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\netfx20a_x86.msi
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\prexp.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx20\winforms.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\netfx30a_x86.msi
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\rgb9rast_x86.msi
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wcf.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wcs.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wf.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wf_32.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wic_x86_enu.exe
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wpf_other.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wpf_other_32.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wpf1.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wpf2.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\wpf2_32.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\x86\msxml6.msi
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\xps.msp
c:\3cb9b192c135617aa56b5cecc3\dotnetfx30\xpsepsc-x86-en-us.exe
c:\3cb9b192c135617aa56b5cecc3\dotnetfx35\x86\netfx35_x86.exe
c:\3cb9b192c135617aa56b5cecc3\dotnetfx35setup.exe
c:\3cb9b192c135617aa56b5cecc3\tools\clwireg.exe
C:\879975c547e48e62032894fb4287a386
c:\879975c547e48e62032894fb4287a386\baseline.dat
c:\879975c547e48e62032894fb4287a386\deffactory.dat
c:\879975c547e48e62032894fb4287a386\DeleteTemp.exe
c:\879975c547e48e62032894fb4287a386\dlmgr.dll
c:\879975c547e48e62032894fb4287a386\DW20.EXE
c:\879975c547e48e62032894fb4287a386\DWINTL20.DLL
c:\879975c547e48e62032894fb4287a386\eula.1025.rtf
c:\879975c547e48e62032894fb4287a386\eula.1028.rtf
c:\879975c547e48e62032894fb4287a386\eula.1029.rtf
c:\879975c547e48e62032894fb4287a386\eula.1030.rtf
c:\879975c547e48e62032894fb4287a386\eula.1031.rtf
c:\879975c547e48e62032894fb4287a386\eula.1032.rtf
c:\879975c547e48e62032894fb4287a386\eula.1033.rtf
c:\879975c547e48e62032894fb4287a386\eula.1035.rtf
c:\879975c547e48e62032894fb4287a386\eula.1036.rtf
c:\879975c547e48e62032894fb4287a386\eula.1037.rtf
c:\879975c547e48e62032894fb4287a386\eula.1038.rtf
c:\879975c547e48e62032894fb4287a386\eula.1040.rtf
c:\879975c547e48e62032894fb4287a386\eula.1041.rtf
c:\879975c547e48e62032894fb4287a386\eula.1042.rtf
c:\879975c547e48e62032894fb4287a386\eula.1043.rtf
c:\879975c547e48e62032894fb4287a386\eula.1044.rtf
c:\879975c547e48e62032894fb4287a386\eula.1045.rtf
c:\879975c547e48e62032894fb4287a386\eula.1046.rtf
c:\879975c547e48e62032894fb4287a386\eula.1049.rtf
c:\879975c547e48e62032894fb4287a386\eula.1053.rtf
c:\879975c547e48e62032894fb4287a386\eula.1055.rtf
c:\879975c547e48e62032894fb4287a386\eula.2052.rtf
c:\879975c547e48e62032894fb4287a386\eula.2070.rtf
c:\879975c547e48e62032894fb4287a386\eula.3082.rtf
c:\879975c547e48e62032894fb4287a386\gencomp.dll
c:\879975c547e48e62032894fb4287a386\HtmlLite.dll
c:\879975c547e48e62032894fb4287a386\locdata.1025.ini
c:\879975c547e48e62032894fb4287a386\locdata.1028.ini
c:\879975c547e48e62032894fb4287a386\locdata.1029.ini
c:\879975c547e48e62032894fb4287a386\locdata.1030.ini
c:\879975c547e48e62032894fb4287a386\locdata.1031.ini
c:\879975c547e48e62032894fb4287a386\locdata.1032.ini
c:\879975c547e48e62032894fb4287a386\locdata.1035.ini
c:\879975c547e48e62032894fb4287a386\locdata.1036.ini
c:\879975c547e48e62032894fb4287a386\locdata.1037.ini
c:\879975c547e48e62032894fb4287a386\locdata.1038.ini
c:\879975c547e48e62032894fb4287a386\locdata.1040.ini
c:\879975c547e48e62032894fb4287a386\locdata.1041.ini
c:\879975c547e48e62032894fb4287a386\locdata.1042.ini
c:\879975c547e48e62032894fb4287a386\locdata.1043.ini
c:\879975c547e48e62032894fb4287a386\locdata.1044.ini
c:\879975c547e48e62032894fb4287a386\locdata.1045.ini
c:\879975c547e48e62032894fb4287a386\locdata.1046.ini
c:\879975c547e48e62032894fb4287a386\locdata.1049.ini
c:\879975c547e48e62032894fb4287a386\locdata.1053.ini
c:\879975c547e48e62032894fb4287a386\locdata.1055.ini
c:\879975c547e48e62032894fb4287a386\locdata.2052.ini
c:\879975c547e48e62032894fb4287a386\locdata.2070.ini
c:\879975c547e48e62032894fb4287a386\locdata.3082.ini
c:\879975c547e48e62032894fb4287a386\locdata.ini
c:\879975c547e48e62032894fb4287a386\logo.bmp
c:\879975c547e48e62032894fb4287a386\setup.exe
c:\879975c547e48e62032894fb4287a386\setup.sdb
c:\879975c547e48e62032894fb4287a386\setupres.1025.dll
c:\879975c547e48e62032894fb4287a386\setupres.1028.dll
c:\879975c547e48e62032894fb4287a386\setupres.1029.dll
c:\879975c547e48e62032894fb4287a386\setupres.1030.dll
c:\879975c547e48e62032894fb4287a386\setupres.1031.dll
c:\879975c547e48e62032894fb4287a386\setupres.1032.dll
c:\879975c547e48e62032894fb4287a386\setupres.1035.dll
c:\879975c547e48e62032894fb4287a386\setupres.1036.dll
c:\879975c547e48e62032894fb4287a386\setupres.1037.dll
c:\879975c547e48e62032894fb4287a386\setupres.1038.dll
c:\879975c547e48e62032894fb4287a386\setupres.1040.dll
c:\879975c547e48e62032894fb4287a386\setupres.1041.dll
c:\879975c547e48e62032894fb4287a386\setupres.1042.dll
c:\879975c547e48e62032894fb4287a386\setupres.1043.dll
c:\879975c547e48e62032894fb4287a386\setupres.1044.dll
c:\879975c547e48e62032894fb4287a386\setupres.1045.dll
c:\879975c547e48e62032894fb4287a386\setupres.1046.dll
c:\879975c547e48e62032894fb4287a386\setupres.1049.dll
c:\879975c547e48e62032894fb4287a386\setupres.1053.dll
c:\879975c547e48e62032894fb4287a386\setupres.1055.dll
c:\879975c547e48e62032894fb4287a386\setupres.2052.dll
c:\879975c547e48e62032894fb4287a386\setupres.2070.dll
c:\879975c547e48e62032894fb4287a386\setupres.3082.dll
c:\879975c547e48e62032894fb4287a386\setupres.dll
c:\879975c547e48e62032894fb4287a386\SITSetup.dll
c:\879975c547e48e62032894fb4287a386\vs_setup.dll
c:\879975c547e48e62032894fb4287a386\vs_setup.MS_
c:\879975c547e48e62032894fb4287a386\vs_setup.pdi
c:\879975c547e48e62032894fb4287a386\vs70uimgr.dll
c:\879975c547e48e62032894fb4287a386\vsbasereqs.dll
c:\879975c547e48e62032894fb4287a386\vsscenario.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1025.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1028.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1029.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1030.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1031.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1032.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1035.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1036.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1037.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1038.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1040.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1041.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1042.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1043.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1044.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1045.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1046.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1049.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1053.dll
c:\879975c547e48e62032894fb4287a386\WapRes.1055.dll
c:\879975c547e48e62032894fb4287a386\WapRes.2052.dll
c:\879975c547e48e62032894fb4287a386\WapRes.2070.dll
c:\879975c547e48e62032894fb4287a386\WapRes.3082.dll
c:\879975c547e48e62032894fb4287a386\WapRes.dll
c:\879975c547e48e62032894fb4287a386\WapUI.dll
C:\enhs.exe
c:\program files\Microsoft CAPICOM 2.1.0.2
c:\program files\Microsoft CAPICOM 2.1.0.2\Lib\X86\capicom.dll
c:\program files\Microsoft CAPICOM 2.1.0.2\License\license.mht
c:\program files\Microsoft CAPICOM 2.1.0.2\License\license.rtf
c:\program files\Microsoft CAPICOM 2.1.0.2\License\license.txt
c:\program files\Microsoft CAPICOM 2.1.0.2\readme.txt
c:\windows\system32\drivers\jccnwb.sys
c:\windows\system32\KB905474
c:\windows\system32\KB905474\wga_eula.txt
c:\windows\system32\mucltui.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_nrgvtllo
-------\Legacy_jccnwb
-------\Service_jccnwb


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-19 08:11 . 2009-12-19 08:30 -------- d-----w- c:\documents and settings\joe\Local Settings\Application Data\emthjo
2009-12-17 21:57 . 2009-12-17 22:22 -------- d-----w- c:\windows\system32\NtmsData
2009-12-17 08:14 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-17 03:18 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-29 23:53 . 2009-11-29 23:53 -------- d-----w- c:\program files\iPod
2009-11-29 23:53 . 2009-11-29 23:54 -------- d-----w- c:\program files\iTunes
2009-11-29 23:45 . 2009-11-29 23:47 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 07:02 . 2008-07-22 05:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-19 02:49 . 2009-04-30 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-17 22:25 . 2009-04-30 00:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-17 03:22 . 2008-11-04 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 03:10 . 2009-08-25 22:31 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2008-11-04 07:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-11-04 07:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 23:53 . 2009-07-23 21:58 -------- d-----w- c:\program files\Common Files\Apple
2009-11-29 23:32 . 2009-11-29 23:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-16 06:01 . 2009-11-16 06:01 56892 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46 . 2008-04-14 09:42 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2008-04-14 09:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2008-04-14 09:41 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2008-04-14 09:42 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 09:41 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 04:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-14 09:42 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 09:42 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 09:42 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-05 19:10 . 2009-12-18 04:09 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 19:10 . 2009-12-18 04:09 172840 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 19:10 . 2009-12-18 04:09 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 19:10 . 2009-12-18 04:09 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-05 19:10 . 2009-12-18 04:09 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-16 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/28/2008 8:40 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 5:53 PM 102448]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://one.drexel.edu/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1292428093-1547161642-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{99121B21-6B46-C2E6-06FB-D4E2D774C32A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaepjgldckcbjninpl"=hex:69,61,64,65,61,61,66,6f,61,68,66,63,63,69,64,65,67,6d,
00,00
"hakopeodpkokkfad"=hex:69,61,64,65,61,61,66,6f,61,68,66,63,63,69,64,65,67,6d,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(596)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-19 13:58:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 18:58
ComboFix2.txt 2009-12-19 07:44

Pre-Run: 62,218,297,344 bytes free
Post-Run: 62,162,309,120 bytes free

- - End Of File - - CE6A9D85510B67E293C2F96C7A20A452

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
winlogon.exe
comres.dll
crypt32.dll
gpedit.dll
rundll32.exe
sfc.dll
svchost.exe
cngaudit.dll
beep.sys
wscntfy.exe
atapi.sys

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Hey, thanks so much for your help. Right now, my computer seems to be working. Should I still download SystemLook?

Yes.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:43 on 21/12/2009 by joe (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [07:42 19/12/2009] [09:42 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [09:42 14/04/2008] [09:42 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [09:42 14/04/2008] [09:42 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [07:42 19/12/2009] [09:42 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [09:42 14/04/2008] [09:42 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [09:42 14/04/2008] [09:42 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [07:42 19/12/2009] [09:41 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 56320 bytes [09:41 14/04/2008] [09:41 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [09:41 14/04/2008] [09:41 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 507904 bytes [07:42 19/12/2009] [09:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c 507904 bytes [09:42 14/04/2008] [09:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe ------ 507904 bytes [09:42 14/04/2008] [09:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "comres.dll"
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [09:41 14/04/2008] [09:41 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\dllcache\comres.dll --a--c 792064 bytes [09:41 14/04/2008] [09:41 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D

Searching for "crypt32.dll"
C:\WINDOWS\system32\crypt32.dll --a--- 599040 bytes [09:41 14/04/2008] [09:41 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c 599040 bytes [09:41 14/04/2008] [09:41 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77

Searching for "gpedit.dll"
C:\WINDOWS\system32\dllcache\gpedit.dll --a--c 566784 bytes [09:39 14/04/2008] [09:39 14/04/2008] 65F8DA8424AD27A365F61CCC8621FED2
C:\WINDOWS\system32\gpedit.dll --a--- 566784 bytes [09:39 14/04/2008] [09:39 14/04/2008] 65F8DA8424AD27A365F61CCC8621FED2

Searching for "rundll32.exe"
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c 33280 bytes [09:42 14/04/2008] [09:42 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [09:42 14/04/2008] [09:42 14/04/2008] 037B1E7798960E0420003D05BB577EE6

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 5120 bytes [07:42 19/12/2009] [09:42 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\dllcache\sfc.dll --a--c 5120 bytes [09:42 14/04/2008] [09:42 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\sfc.dll ------ 5120 bytes [09:42 14/04/2008] [09:42 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [07:42 19/12/2009] [09:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c 14336 bytes [09:42 14/04/2008] [09:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [09:42 14/04/2008] [09:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 4224 bytes [07:42 19/12/2009] [19:22 09/02/2006] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c 4224 bytes [19:22 09/02/2006] [19:22 09/02/2006] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys ------ 4224 bytes [19:22 09/02/2006] [19:22 09/02/2006] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a--- 13824 bytes [07:42 19/12/2009] [09:42 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c 13824 bytes [09:42 14/04/2008] [09:42 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [09:42 14/04/2008] [09:42 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [07:42 19/12/2009] [04:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [04:10 14/04/2008] [04:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [04:10 14/04/2008] [04:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

sorry for the delay... holidays and such...

Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/27/2009 10:38:35 PM
mbam-log-2009-12-27 (22-38-35).txt

Scan type: Full Scan (A:\|C:\|D:\|G:\|H:\|I:\|J:\|)
Objects scanned: 161665
Time elapsed: 1 hour(s), 44 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Symantec AntiVirus
Antivirus out of date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
Secunia PSI
CCleaner (remove only)
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Symantec AntiVirus DefWatch.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

I tried to download the Java "online" version and it said it was corrupt. So I downloaded the "offline" one.

Thanks a lot for all of your help.

You are welcome.