Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Insidious Trojan


  • Please log in to reply
11 replies to this topic

#1 shoelaces

shoelaces

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 29 July 2009 - 04:12 PM

I have been unable to rid my laptop of a sneaky Trojan over the last week.
Symptoms were originally browser hijacking, and then became progressive worse. Threat warnings on start up with and blue screens.
Was able to continue in safe mode - ran MWB, avast and SAS multiple times. Threats were identified and removed, but I have had no success with a fresh start-up. Thought one of the scans indicated a 'ertfor' infection, but I have followed all of the manual steps to remove this threat and do not identifiy the presence of any of the registry key files in the instructions.


Handed the machine off to our network/IT guy, and much of the same occurred while he had it over the weekend. Multiple anti-spyware programs were run, but nothing has worked definitively.

Here are the last 2 scans, the most recont MWB scan appears first. I ran ATF immediately after the most recent MWB scan and rebooted in normal mode with some success. Currently re-running SAS with no new evidence of threat activity.

Would anyone have time we able to look at the scan logs and make any suggestions?

Many thanks!


Malwarebytes' Anti-Malware 1.39
Database version: 2511
Windows 5.1.2600 Service Pack 3

2009-07-29 14:25:33
mbam-log-2009-07-29 (14-25-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 312685
Time elapsed: 41 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Domain Master.BIOSTRATEGIES\reader_s.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\domain master.biostrategies\local settings\temporary internet files\Content.IE5\95JXP5Z9\abb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\fthqngdrsm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.39
Database version: 2511
Windows 5.1.2600 Service Pack 3

2009-07-27 10:37:26
mbam-log-2009-07-27 (10-37-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241618
Time elapsed: 54 minute(s), 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\system32\do_not_delete.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms18_word (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms18_word (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Christine S\Application Data\pridl (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Christine S\reader_s.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\christine s\local settings\temporary internet files\Content.IE5\D7V8DXJV\mr[1].txt (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\christine s\local settings\temporary internet files\Content.IE5\F6XQU7BG\abb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\christine s\local settings\temporary internet files\Content.IE5\F6XQU7BG\mr[1].txt (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\christine S\local settings\temporary internet files\Content.IE5\OD9QJR6E\mr[1].txt (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\domain master.biostrategies\reader_s.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\domain master.biostrategies\local settings\temporary internet files\Content.IE5\CAXT2U23\abb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temp\VRT1.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\1F.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\WVWB4DO3\abb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\WVWB4DO3\mr[1].txt (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\VRT1.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
c:\documents and settings\ChristineS\application data\pridl\pridl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ChristineS\ms18_word.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\do_not_delete.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Christine Schultheis\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ms18_word.exe (Trojan.Agent) -> Quarantined and deleted successfully.

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:11 AM

Posted 29 July 2009 - 05:48 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 shoelaces

shoelaces
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 30 July 2009 - 11:32 AM

Hello Budapest,

Thank you so very much for taking the time to reply!

The computer is unable to connect directly to the internet as it is now missing .dll files to enable wireless configuration to run correctly, and I am hesitant to connect the beastly thing to my company network directly. Nonetheless, it can somewhat function in normal mode.

The file (and driver) scan report results are below



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/30 11:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8DB4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\documents and settings\all users\application data\symantec\ghost\template\catc usb ethernet\elndis.sys
Status: Size mismatch (API: 182656, Raw: 8544)

Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Christine Schultheis\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Domain Master\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Domain Master.BIOSTRATEGIES\Application Data\Macromedia\Flash Player\#SharedObjects\LN2YVY3Q\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Domain Master.BIOSTRATEGIES\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Hidden Services
-------------------
Service Name: geyekrroawuhtx
Image Path: C:\WINDOWS\system32\drivers\geyekrydjvqibf.sys

==EOF==


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/30 11:26
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA0C8000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA8F54000 Size: 138112 File Visible: - Signed: -
Status: -

Name: Apfiltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Address: 0xB9635000 Size: 147456 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xB9480000 Size: 16128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBA2D8000 Size: 60800 File Visible: - Signed: -
Status: -

Name: Aspi32.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aspi32.SYS
Address: 0xA8CA4000 Size: 16096 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F13000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA7FB000 Size: 3072 File Visible: - Signed: -
Status: -

Name: AvgArCln.sys
Image Path: C:\WINDOWS\System32\DRIVERS\AvgArCln.sys
Address: 0xBA6F1000 Size: 3968 File Visible: - Signed: -
Status: -

Name: avgarkt.sys
Image Path: avgarkt.sys
Address: 0xBA5AC000 Size: 5632 File Visible: - Signed: -
Status: -

Name: b57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xB9659000 Size: 176128 File Visible: - Signed: -
Status: -

Name: BASFND.sys
Image Path: C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
Address: 0xBA650000 Size: 5312 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBA4C0000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xB9684000 Size: 1287552 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA5CC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA2E8000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA198000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA108000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xBA568000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xBA4BC000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0F8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DLABMFSM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLABMFSM.SYS
Address: 0xBA410000 Size: 30720 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLABOIOM.SYS
Address: 0xBA418000 Size: 26208 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: DLACDBHM.SYS
Address: 0xBA5AE000 Size: 7936 File Visible: - Signed: -
Status: -

Name: DLADResM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLADResM.SYS
Address: 0xBA700000 Size: 2464 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS
Address: 0xA8C0B000 Size: 102112 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS
Address: 0xBA408000 Size: 20576 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAPoolM.SYS
Address: 0xA8CB8000 Size: 9664 File Visible: - Signed: -
Status: -

Name: DLARTL_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
Address: 0xBA468000 Size: 23424 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS
Address: 0xA8BDE000 Size: 91808 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS
Address: 0xA8BF5000 Size: 86912 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA248000 Size: 61440 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: DRVMCDB.SYS
Address: 0xB9EDC000 Size: 90976 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
Address: 0xA8E1C000 Size: 43008 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8DB4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA903A000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA75C000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA8B92000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA278000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xB9EF3000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5C8000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F2B000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xBA1B8000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ghpciscan.sys
Image Path: C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
Address: 0xBA470000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB97BF000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA480000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xA9052000 Size: 731264 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xA9105000 Size: 985472 File Visible: - Signed: -
Status: -

Name: HSFHWAZL.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xA91F6000 Size: 210688 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xB9606000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA168000 Size: 52480 File Visible: - Signed: -
Status: -

Name: igxpdv32.DLL
Image Path: C:\WINDOWS\System32\igxpdv32.DLL
Address: 0xBF04E000 Size: 1613824 File Visible: - Signed: -
Status: -

Name: igxpdx32.DLL
Image Path: C:\WINDOWS\System32\igxpdx32.DLL
Address: 0xBF1D8000 Size: 2605056 File Visible: - Signed: -
Status: -

Name: igxpgd32.dll
Image Path: C:\WINDOWS\System32\igxpgd32.dll
Address: 0xBF024000 Size: 172032 File Visible: - Signed: -
Status: -

Name: igxpmp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
Address: 0xB981F000 Size: 5707744 File Visible: - Signed: -
Status: -

Name: igxprd32.dll
Image Path: C:\WINDOWS\System32\igxprd32.dll
Address: 0xBF012000 Size: 73728 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA188000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA148000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA8FF7000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA390000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB9612000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EC5000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xA8C7C000 Size: 12672 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA5D0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA420000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA388000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0D8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA8B3D000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA8E6C000 Size: 456576 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA498000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA1F8000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA59C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9DEA000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0x8A345000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA578000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA8C58000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB95D3000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA218000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA268000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA8F76000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA158000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA4A8000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E38000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA6EA000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA0B8000 Size: 61696 File Visible: - Signed: -
Status: -

Name: oz776.sys
Image Path: C:\WINDOWS\System32\Drivers\oz776.sys
Address: 0xBA298000 Size: 62208 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: PBADRV.sys
Image Path: PBADRV.sys
Address: 0xBA128000 Size: 45056 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xB9F4A000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xA922A000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9522000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA3D0000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA118000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB95F2000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA1C8000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA1D8000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA1E8000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA3E0000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8EDC000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA5D4000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB94F2000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA1A8000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBA4B0000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xA8F2F000 Size: 151552 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA554000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBA178000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sfloppy.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sfloppy.sys
Address: 0xA8859000 Size: 11392 File Visible: - Signed: -
Status: -

Name: SMCLIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\SMCLIB.SYS
Address: 0xB9478000 Size: 16384 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xA924E000 Size: 1169728 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5BA000 Size: 4352 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA8F9E000 Size: 361344 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA3C0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA208000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9494000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5C2000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA370000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA238000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB97E7000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xBA458000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA368000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA488000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB980B000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0E8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA2B8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA3A8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: WaveFDE.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WaveFDE.sys
Address: 0xBA400000 Size: 18176 File Visible: - Signed: -
Status: -

Name: WavxDMgr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
Address: 0xA8C24000 Size: 161280 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA570000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Edited by shoelaces, 30 July 2009 - 11:50 AM.


#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:11 PM

Posted 30 July 2009 - 11:42 AM

Excuse me for jumping in but I did notice 2 things in the MBAM logs


do_not_delete.exe

reader_s


Both of these are Virut
Chewy

No. Try not. Do... or do not. There is no try.

#5 shoelaces

shoelaces
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 30 July 2009 - 12:44 PM

Hello DaChew,

Thanks for the assist. Would you have any recommendations for dealing with the .exe files? I am fairly adept at following instructions, but beyond that I am a not an expert, just a 'user'.

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:11 PM

Posted 30 July 2009 - 12:58 PM

You really should warn your IT man, this infection is very dangerous and requires a complete reinstall.
Chewy

No. Try not. Do... or do not. There is no try.

#7 shoelaces

shoelaces
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 30 July 2009 - 01:18 PM

Thank you for the heads up.

I will get all of the local documents off of the harddrive ASAP in prep for a re-format and reinstall of the OS. Are there any file types or extensions or I should avoid removing?

Are there any specific other instruction I could give him to insure that it is wiped as clean as possible? and will it be clean after re-formatting?

Thank you DaChew. I have searched the forum a bit since your note about Virut and realize that am unlikely to get rid of this myself without a re-format. :thumbsup:

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:11 PM

Posted 30 July 2009 - 01:37 PM

Here's an excellent post where the pertinent info is readable

http://www.bleepingcomputer.com/forums/ind...t&p=1360446
Chewy

No. Try not. Do... or do not. There is no try.

#9 shoelaces

shoelaces
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 30 July 2009 - 06:23 PM

Thank you, DaChew.

Getting the files dropped to CD is proving futile; none of the programs are really working effectively.

As I am forced to back up to a newly-reformatted external harddrive, I have a few quick questions.. Many thanks for your patience.

Once the primary drive is reformatted, can I effectively re-scan the external hardrive (with the dropped files) and determine if the contents are clean enough to re-load back onto the 'top?
Which is the best tool or combination of tools to scan for this particular Trojan?
If any virus shows on the scan, should I post the log here and solicit any further advice or just start over and re-format (again)?

Thanks for the help to date...

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:11 PM

Posted 30 July 2009 - 06:26 PM

Scanning for virut I trust this online one the most, it's a little tricky but you can scan an external drive.

Let's run an online virus scan called Kaspersky or KAV for short

http://www.kaspersky.com/virusscanner

using Internet Explorer.

Please disable your resident Antivirus before performing the scan and re-enable it afterward.

Choose the online scanner option

1. At the main page. Press on "Accept". After reading the contents.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.

Please post the KAV scan report in your next reply.
Chewy

No. Try not. Do... or do not. There is no try.

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:11 PM

Posted 30 July 2009 - 06:28 PM

What extensions do the files have that you are saving?


There's very little that virut won't infect, you won't know it till you open or access that saved file.

You will be starting all over when you do.
Chewy

No. Try not. Do... or do not. There is no try.

#12 shoelaces

shoelaces
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 30 July 2009 - 07:11 PM

Ugh, that is exceedingly scary. Referencing the file extensions, most are Windows app files and some goofy extensions for other applications that are similarly windows based.

Decided I could do without a large number of files and I specifically 'deleted' anything in the saved document folders with extensions that contained;

.exe, .scr, .htm, .html, .xml, .zip, .rar, .pif, .asp, .php, and .iso - as per the forum posted link you suggested earlier.

The contract-IT guy is now out of town for the weekend, so unless I can re-format it myself I may be in limbo for a few days.
Can manage the re-format on my own? And if it is worth the attempt, what might I need to accomplish it?

I can likely complete the re-scan steps and post the log but only when I can re-format the sucker. I really don't want to attempt connecting the external drive to another machine until I know the contents are (possibly) safe. Perhaps I am being paranoid, but this experience has been exhausting.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users