Nov 11th, 2009
Can't access microsoft.com, antivirus webpages, sometimes showing fake instead

I can't access microsoft.com, hotmail.com, hijack this webpage, and sometimes other seemingly random webpages like bbc news, met office, gametrailers etc. Most other webpages work fine though

I've tried MalwareBytes AntiMalware, but found nothing. I've run HijackThis and didn't see anything suspicious, but got rid of everything that was not necessary just in case. Also deleted all cookies, updated Windows, ran WinSockFix, checked the hosts file, ran Spybot, and ran "net stop dnscache" without any results.

The interesting thing is that yesterday, I had the same problem, but the difference was that some webpages would redirect me to fake webs, i.e. hijackthis webpage was replaced with a generic "antivirus.com - what you need it, when you need it", and the same thing with the met office webpage. Then I started doing all the hijackThis, spybot scanning etc etc but nothing worked, and suddenly it was gone. All webpages were loading fine again. I pretended I had probably fixed it without realizing but I knew something was not quite right =)

But now again the same problem =( no generic "what you need, when you need it" webs this time though
alejito
Nov 11th, 2009
Quote originally posted by alejito:
I can't access microsoft.com, hotmail.com, hijack this webpage, and sometimes other seemingly random webpages like bbc news, met office, gametrailers etc. Most other webpages work fine though
I am a bit "over-extended," so hopefully another volunteer can jump in and run with this, but to get started, please do the following:

FIRST:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.



THEN:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).


- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


Please post the requested logs and I or another volunteer will check back as time permits.

PP
PhilliePhan (Moderator)
Nov 11th, 2009
GMER didn't seem to detect anything ..

Here are the logs

DDS.txt:

DDS (Ver_09-10-26.01) - NTFSx86
Run by puyo at 22:01:47.71 on 11/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1650 [GMT 0:00]

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\puyo\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Loader Class: {f880a4a8-c436-4ac4-afd1-aa0bdc9552dd} - c:\documents and settings\puyo\my documents\downloads\findexer nightly v1.1.0.4b538\FindeXer.dll
EB: FindeXer: {377d8121-efaa-4d1c-981b-8bfad9f10de3} - c:\documents and settings\puyo\my documents\downloads\findexer nightly v1.1.0.4b538\FindeXer.dll
uRun: [Google Update] "c:\documents and settings\puyo\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Bandwidth Monitor Pro] "c:\program files\bandwidth monitor pro\Bandwidth Monitor Pro.exe" /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\puyo\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\puyo\applic~1\mozilla\firefox\profiles\xatx04dk.default\
FF - component: c:\documents and settings\puyo\application data\mozilla\firefox\profiles\xatx04dk.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\puyo\application data\mozilla\firefox\profiles\xatx04dk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\puyo\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-11 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-11 25160]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-10-10 4463400]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-10-10 16168]

=============== Created Last 30 ================

2009-11-11 21:04:43 0 d-sh--w- c:\documents and settings\puyo\PrivacIE
2009-11-11 20:41:55 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 20:41:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-11 20:36:31 0 d-sh--w- c:\documents and settings\puyo\IETldCache
2009-11-11 20:30:43 873 ----a-w- c:\windows\system32\spupdsvc.inf
2009-11-11 20:27:39 0 dc-h--w- c:\windows\ie8
2009-11-10 21:36:22 0 d-----w- c:\docume~1\puyo\applic~1\Malwarebytes
2009-11-10 21:36:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 21:36:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 21:36:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 21:36:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 21:01:21 0 d-----w- c:\program files\Trend Micro
2009-11-10 20:49:32 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-10 20:49:32 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-10 20:49:32 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-09 21:47:35 0 d-----w- c:\docume~1\puyo\applic~1\Launchy
2009-11-09 21:47:03 0 d-----w- c:\program files\Launchy
2009-11-09 21:24:50 0 d-----w- c:\docume~1\puyo\applic~1\SlickRun
2009-11-09 21:24:39 0 d-----w- c:\program files\SlickRun
2009-11-09 21:20:55 0 d-----w- c:\program files\RSSOwl
2009-11-08 12:14:02 0 d-----w- c:\docume~1\puyo\applic~1\Spotify
2009-11-08 12:13:32 0 d-----w- c:\program files\Spotify
2009-10-26 17:05:55 0 d-----w- C:\ani
2009-10-25 20:42:21 0 d-----w- c:\program files\mIRC
2009-10-25 20:42:21 0 d-----w- c:\docume~1\puyo\applic~1\mIRC
2009-10-25 17:24:55 0 d-----w- C:\Sakuga
2009-10-25 17:21:59 0 d-----w- c:\documents and settings\puyo\dwhelper
2009-10-25 17:09:39 0 d-----w- C:\FirefoxPortable
2009-10-23 15:42:28 86016 ----a-w- c:\windows\unvise32.exe
2009-10-23 15:40:48 0 d-----w- c:\program files\Bandwidth Monitor Pro
2009-10-23 12:49:14 0 d-----w- c:\windows\system32\NtmsData
2009-10-23 12:31:50 0 d-----w- c:\program files\Western Digital Corporation
2009-10-23 10:41:15 0 d-----w- c:\program files\Greasemetal
2009-10-21 21:23:07 0 ----a-w- C:\Documents
2009-10-20 22:16:30 754 ----a-w- c:\windows\WORDPAD.INI
2009-10-20 20:59:26 44 ----a-w- c:\windows\MSYS.INI
2009-10-20 20:59:24 0 d-----w- C:\msys
2009-10-20 20:44:34 324096 ----a-w- c:\windows\system32\SDL.dll
2009-10-20 18:05:36 0 d-----w- C:\MinGW
2009-10-20 14:55:20 0 d-----w- C:\lcc
2009-10-19 20:14:05 0 d-----w- c:\program files\PSCS2
2009-10-19 20:04:51 0 d-----w- c:\program files\common files\Adobe Systems Shared
2009-10-19 17:26:49 0 d-----w- c:\docume~1\puyo\applic~1\FindeXer
2009-10-18 23:55:42 0 d-----w- c:\docume~1\puyo\applic~1\.bsnes
2009-10-16 20:19:45 0 d-----w- c:\program files\Microsoft Games
2009-10-16 00:44:01 0 d-----w- C:\games
2009-10-16 00:41:55 0 d-----w- c:\program files\Doomsday
2009-10-14 23:31:52 0 d-----w- c:\program files\FlashFXP
2009-10-14 23:31:51 0 d-----w- c:\docume~1\alluse~1\applic~1\FlashFXP

==================== Find3M ====================

2009-10-05 20:20:23 507904 ----a-w- c:\windows\system32\winlogon.exe
2009-09-28 15:06:02 4463400 ----a-w- c:\windows\system32\Wacom_Tablet.exe
2009-09-28 15:06:00 411432 ----a-w- c:\windows\system32\Wacom_Tablet.dll
2009-09-28 15:01:40 285184 ----a-w- c:\windows\system32\Wintab32.dll
2009-09-13 13:39:17 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-11 20:04:55 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-11 17:53:29 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-11 17:53:29 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-09-11 17:53:29 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 07:34:57 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 15:08:36 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-14 13:21:25 1850624 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 22:02:01.18 ===============


thank you =)
Attached Files: Attach.txt (6.2 KB)
alejito
Nov 11th, 2009
Something else, might be useful:
A couple of minutes ago COMODO Firewall warned me that services.exe was trying to modify the Windows service registry root HKLM\system\controlset002\services\BITS\start

I'm in the process of trying to find out what it means, but a quick Google search didn't turn up anything particularly useful.

Needless to say I blocked the request, for now at least.
alejito
Nov 11th, 2009
Quote originally posted by alejito:
GMER didn't seem to detect anything ..
No log at all from GMER?
Try running it again. Select the Rootkit/Malware Tab and just click the Scan button.

Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.


PP
PhilliePhan (Moderator)
Nov 11th, 2009
Sorry I thought I wasn't meant to post that one =)

Oh and apparently that BITS I mentioned earlier is the Background Intelligent Transfer Service, although you probably knew that.

I had to zip it since I got an "invalid file" error when trying to upload it (?)

thanks ;D
Attached Files: GMER1.zip (2.2 KB)
alejito
Nov 11th, 2009
Quote originally posted by alejito:
I had to zip it since I got an "invalid file" error when trying to upload it (?)
My fault - this forum doesn't support .log attachments - I should've had you change it to .txt.
No worries.

Could you click START > RUN > type cmd ENTER
At the command prompt type dir /a /s atapi.sys >> C:\Logit.txt ENTER

Then please post the C:\Logit.txt

PP
PhilliePhan (Moderator)
Nov 11th, 2009
It's so small that I guess it's easier if I just paste it:

Directory of C:\WINDOWS\system32\drivers

13/04/2008 22:10 96,512 atapi.sys
1 File(s) 96,512 bytes

only that
alejito
Nov 11th, 2009
Quote originally posted by alejito:
It's so small that I guess it's easier if I just paste it:

Directory of C:\WINDOWS\system32\drivers

13/04/2008 22:10 96,512 atapi.sys
1 File(s) 96,512 bytes

only that
That's odd - there should be more.

What about C:\I386\atapi.sys - anything there?
How about C:\WINDOWS\ServicePackFiles\i386\atapi.sys - Any luck?

PP
PhilliePhan (Moderator)
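PhilliePhan's manual check (locate every copy of atapi.sys on the system drive, then see whether the live driver still matches a cached copy) as an added Python example; this is not code from the thread or from DDS/GMER. The four locations are assumed from a default Windows XP layout, the labels are mine, and the sample bytes in the demo are constructed.

```python
import hashlib
import os

# Where a default Windows XP install keeps copies of a boot-start driver
# such as atapi.sys, relative to the system drive root (assumed layout).
CANDIDATE_LOCATIONS = {
    "live": r"WINDOWS\system32\drivers",      # the copy the kernel actually loads
    "servicepack": r"WINDOWS\ServicePackFiles\i386",
    "drivercache": r"WINDOWS\Driver Cache\i386",
    "i386": r"I386",                          # install source, if present
}

def collect_copies(system_root, driver_name):
    """Read every candidate copy of driver_name from disk (None when absent)."""
    copies = {}
    for label, rel in CANDIDATE_LOCATIONS.items():
        path = os.path.join(system_root, rel, driver_name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                copies[label] = fh.read()
        else:
            copies[label] = None
    return copies

def compare_copies(copies):
    """Hash the live driver and every cached copy and summarise the result.
    A cached copy whose hash differs from the live one means the loaded
    driver changed after the service pack wrote it; no cached copy at all
    means there is nothing to verify against (the situation in the thread)."""
    digests = {k: hashlib.sha256(v).hexdigest() for k, v in copies.items() if v is not None}
    missing = sorted(k for k, v in copies.items() if v is None)
    live = digests.get("live")
    references = {k: d for k, d in digests.items() if k != "live"}
    mismatched = sorted(k for k, d in references.items() if d != live)
    if live is None:
        verdict = "live driver missing"
    elif not references:
        verdict = "no reference copy to compare against"
    elif mismatched:
        verdict = "live driver differs from cached copy: suspect patched driver"
    else:
        verdict = "live driver matches all cached copies"
    return {"live_sha256": live, "missing": missing, "mismatched": mismatched, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample bytes standing in for a patched live copy and a clean cached one.
    sample = {"live": b"MZ patched", "servicepack": b"MZ original", "drivercache": None, "i386": None}
    print(compare_copies(sample))
    # On a real system: print(compare_copies(collect_copies(r"C:\", "atapi.sys")))
```

Note that dir /s only searches below the prompt's current directory, so the manual check has to be run from the root of the system drive; collect_copies reads the fixed locations directly instead.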
Nov 12th, 2009
I don't have those folders I'm afraid. I do have C:\WINDOWS\Driver Cache\i386, but no atapi.sys there either.
alejito

© 2011 DaniWeb® LLC