
New Win32 virus


  • This topic is locked
23 replies to this topic

#1 brent55 (Members, 12 posts)

Posted 13 August 2009 - 02:17 PM

Running Windows XP with all updates (as of 8/13/09). McAfee (up to date) reported a number of events, most with the name New Win32 (virus), but also W32/Virut!host, W32/Virunt.n.gen (jdstartup.exe, bsilentcleanup.exe) and program mbam.exe.

I have rolled back to a previous uninfected restore point, I have cleaned the computer with Adaware, Spybot & Malwarebytes and am getting a clean bill of health from all of them and McAfee. Would like to double check and see that I'm clean. I have attached my DDS log.

Attached Files: DDS.txt (14.95KB, 24 downloads)




#2 fireman4it (Bleepin' Fireman; Malware Response Team, 13,505 posts; Greenup, Ill USA)

Posted 24 August 2009 - 05:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Orange Blossom (OBleepin Investigator; Moderator, 36,958 posts; Bloomington, IN)

Posted 29 August 2009 - 10:32 PM

Topic reopened.

@ brent55,

Please post back with current logs and an updated description of your computer issues as requested in the previous post.

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 brent55 (Topic Starter; Members, 12 posts)

Posted 30 August 2009 - 12:22 AM

After the infection my inbox on one of my email accounts (I'm using Thunderbird) was full of bogus duplicate emails. (Every email was duplicated, showing the same subject, sender, date, etc. but filled with ads. I was not using a Master Password at the time.) My computer appears to be running normally at this time. I am getting a detection at c:\windows\system32\drivers\pgpsdk.sys, albeit I do have PGP installed.

I ran ComboFix, ATF-Cleaner, Kaspersky 2010 & online scan, which all had deletions. I had also run Malwarebytes Anti-Malware and Ad-Aware (which I had previously installed but deleted for the install of Kaspersky 2010).

Here is the DDS log from this evening.

DDS (Ver_09-07-30.01) - NTFSx86
Run by me at 20:15:16.73 on Sat 08/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1450 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Adobe CS4\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe cs4\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe cs4\/Adobe Contribute CS4/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [GBB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE
mRun: [Adobe Acrobat Speed Launcher] "e:\program files\adobe cs4\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe cs4\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/36.22/uploader2.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {B7BC356B-9C47-4186-848A-2EF4F0916AAD} = 68.87.76.178,68.87.78.130
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\default.7el\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\me\application data\mozilla\firefox\profiles\default.7el\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: e:\program files\adobe cs4\acrobat 9.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-28 296976]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-7-3 303376]
R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2006-1-29 169120]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2006-1-29 26624]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S2 gupdate1c90ed38f21ac37;Google Update Service (gupdate1c90ed38f21ac37);c:\program files\google\update\GoogleUpdate.exe [2008-9-4 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Ldrpic;Ldrpic; [x]

=============== Created Last 30 ================

2009-08-28 13:03 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-08-28 13:02 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-08-28 13:02 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-08-28 13:02 <DIR> --d----- c:\program files\Kaspersky Lab
2009-08-28 13:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-28 12:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-08-27 20:59 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-27 20:43 <DIR> a-dshr-- C:\cmdcons
2009-08-14 11:15 <DIR> --d----- c:\program files\ESET
2009-08-12 23:44 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 23:44 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-12 23:38 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-12 22:56 <DIR> --d----- c:\docume~1\me\applic~1\Malwarebytes
2009-08-12 22:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-12 22:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 20:09 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-12 20:09 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 20:09 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-07 23:36 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 23:35 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 23:35 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 23:35 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 23:35 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 23:35 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 23:35 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 23:35 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-05 02:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-29 12:13 17,244 a------- c:\windows\system32\tablet.dat
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-20 12:15 46,552 a---h--- c:\windows\system32\mlfcache.dat
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
2009-07-03 15:45 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-06-29 09:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-11 15:01 61,968 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT
2008-08-27 11:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 20:15:55.42 ===============

Edited by brent55, 30 August 2009 - 12:30 AM.
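
A small triage pass over the Pseudo HJT and Services sections of a DDS log like the one above, added here as an example; it is not part of the thread and not code from the DDS tool. It pulls out the entries a helper would check by hand: registrations whose target reads "No File", service entries printed with no path (the "[x]" marker on Ldrpic above), and the AppInit_DLLs and Notify load hooks. The sample lines are copied from the log in this post. In this log both hook entries point under the Kaspersky install path, which is why a person, not the script, makes the call; and a file infector that lives inside otherwise legitimate executables leaves nothing in these sections to find, so an empty result is not a clean bill of health.

```python
import re

# Lines copied from the DDS log posted above (Pseudo HJT Report and
# SERVICES / DRIVERS sections), trimmed to the ones this pass reacts to.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-28 296976]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2006-1-29 26624]
S3 Ldrpic;Ldrpic; [x]
"""

# "<TYPE>: [name:] {CLSID} - No File"  -> a registration whose DLL is gone
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|IE|DPF|Handler|SSODL): (?:.*?)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$"
)
# "<R|S><start> <name>;<description>;<path> [date size]"  or ";<nothing> [x]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$"
)
# Registry hooks that load a DLL into many processes; always worth a look.
HOOK_PREFIXES = ("AppInit_DLLs:", "Notify:")


def triage(log_text: str) -> dict:
    """Bucket the interesting lines; the caller decides what is malicious."""
    findings = {"orphans": [], "missing_services": [], "hooks": []}
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphans"].append((m.group("kind"), m.group("clsid")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            if rest == "[x]" or not rest:      # no file on disk behind the entry
                findings["missing_services"].append(m.group("name"))
            continue
        if line.startswith(HOOK_PREFIXES):
            key, _, value = line.partition(":")
            findings["hooks"].append((key, value.strip()))
    return findings


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket, entries)
```

Feed it the whole log rather than the excerpt; unrecognised lines are simply skipped.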


#5 brent55 (Topic Starter; Members, 12 posts)

Posted 01 September 2009 - 06:59 PM

I got an illegal use on my credit card today, so it looks like the first clean up didn't work. (This was before I had run ComboFix.) Any help I can get ASAP would be appreciated.

Edited by brent55, 01 September 2009 - 07:00 PM.


#6 Farbar (Just Curious; Security Developer, 21,711 posts; The Netherlands)

Posted 03 September 2009 - 03:33 PM

Hi brent55,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Your computer is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes could now be the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php
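
A dry-run filter for the "back up data, not executables" advice above, added here as an example; it is not from the thread and not a tool anyone in it recommends. It walks a tree, skips the extensions Farbar lists, and additionally refuses anything whose content starts with an MZ/PE header whatever its name, because a file infector targets the executable format rather than the extension (that header check goes beyond Farbar's list). The sample tree and its file names are constructed for the demo. The filter does not detect an infected file; it only keeps executables out of the backup so they cannot be carried onto the rebuilt machine.

```python
import os
import struct
import tempfile

# Extensions Farbar listed above as not to be restored from a Virut-infected box.
EXCLUDED_EXTENSIONS = {
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php",
}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str) -> str:
    """Decide, for one file, whether it goes into the data backup."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXCLUDED_EXTENSIONS:
        return "skip:extension"
    with open(path, "rb") as fh:
        head = fh.read(4096)          # the header is enough for the MZ/PE test
    if looks_like_pe(head):
        return "skip:pe-header"       # executable hiding behind a data extension
    return "backup"


def plan_backup(root: str) -> dict:
    """Walk root and bucket every file; paths are relative to root with
    forward slashes so the result is stable across platforms."""
    buckets = {"backup": [], "skip:extension": [], "skip:pe-header": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            buckets[classify(full)].append(rel)
    for key in buckets:
        buckets[key].sort()
    return buckets


# Constructed sample data (hypothetical names, not from the thread).
MINIMAL_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_FILES = {
    "notes.txt": b"client notes\n",
    "photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg\n",
    "site/index.php": b"<?php echo 'hi'; ?>",
    "site/readme.txt": b"deploy instructions\n",
    "tools/helper.dat": MINIMAL_PE,       # an executable renamed to .dat
    "tools/setup.exe": MINIMAL_PE,
}


def demo() -> dict:
    """Build the sample tree in a temp dir and return the backup plan."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return plan_backup(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

Point plan_backup at the real data root and review the two skip buckets before deciding what, if anything, to restore by hand.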

#7 brent55 (Topic Starter; Members, 12 posts)

Posted 03 September 2009 - 08:45 PM

farbar, thanks for the reply. That indeed sounds troublesome. A couple questions.

You see from the DDS log that the computer is infected with Virut? As I mentioned in the first post McAfee mentioned Virut only as a program trying to install (and caught it). It did not show up on a scan - it showed up as a block alert.

Looking at the F-Secure web site, it says "All the recent versions of F-Secure Anti-Virus should be able to remove the Virut infection". A scan with F-Secure Anti-Virus 2010 shows no sign of Virut. Why do they suggest the infection can be removed?

While I understand the safest answer to the virus is reformatting and reinstalling Windows, it would be very problematic and in no way "fast". With 180 gig of files, with over 10 gig of html & php files (client web sites), I would be losing over 5 years of work. Simply installing Windows and hunting down all the drivers would take several days, and with some 60+ programs installed over a period of many years it would take weeks to get the computer back.

I would most definitely want to make 100% sure the computer has been infected and can not be cleaned before I start down that road.

And just an aside the illegal use on my credit card turned out NOT to be connected to the computer. After contacting the CC company it turns out a merchant was compromised and they assured me it had nothing to do with my computer.

#8 Farbar (Just Curious; Security Developer, 21,711 posts; The Netherlands)

Posted 04 September 2009 - 05:52 AM

brent55,

You see from the DDS log that the computer is infected with Virut? As I mentioned in the first post McAfee mentioned Virut only as a program trying to install (and caught it). It did not show up on a scan - it showed up as a block alert.

You mentioned McAfee reported at least two instances of Virut. That might have biased my judgment. Usually when the antivirus reports instances of Virut it might be too late. I didn't see any particular file related to Virut on the DDS log. But absence of Virut files on a computer that is infected with Virut doesn't mean the computer is not infected any more. Virut infects the legit files; even when an antivirus removes the related Virut files, the virus remains active by using legit processes as its agent.
You mentioned Virut at the beginning and an illegal issue with the credit card at the end. We sometimes see that Virut is not the primary infection. Sometimes they use backdoors to steal sensitive information and then infect the system with Virut to create chaos or perhaps to cover the traces.

Looking at the F-Secure web site, it says "All the recent versions of F-Secure Anti-Virus should be able to remove the Virut infection". A scan with F-Secure Anti-Virus 2010 shows no sign of Virut. Why do they suggest the infection can be removed?

Because they want to sell their product. So many people come to this forum, a majority of them for infections less destructive than Virut, and almost all of them have an antivirus. Have you ever seen an antivirus saying they are not able to detect and remove viruses?

After reading your recent post I realize it is not so easy for you to reformat and it could be that Virut was not spread.

We can run a couple of scans and make a couple more logs if you want. I might be able to make a better judgment after that. If you want to, please follow the instructions below.

I need to see the ComboFix.txt from the first run. Please copy/paste the log of the first run located at C:\Qoobox\combofixX.txt where X is a number. Please post the log with the highest number.

Kaspersky online scanner detects but does not delete. Have you saved its log? If not, please do another online scan and post the log:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 brent55 (Topic Starter; Members, 12 posts)

Posted 04 September 2009 - 12:07 PM

Thanks farbar. Here is the first ComboFix log:

ComboFix 09-08-27.02 - me 08/27/2009 20:45.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1555 [GMT -7:00]
Running from: c:\documents and settings\me\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-796845957-515967899-839522115-500
c:\windows\Fonts\Postal Bar Codes 12pt.TTF
c:\windows\Installer\37b191.msi
c:\windows\Installer\482fbd6.msp
c:\windows\Installer\482fbea.msp
c:\windows\Installer\482fbfe.msp
c:\windows\Installer\482fc16.msp
c:\windows\Installer\4a163f.msi
c:\windows\Installer\701b76.msi
c:\windows\Installer\70f35.msi
c:\windows\Installer\70f3c.msi
c:\windows\Installer\70f43.msi
c:\windows\Installer\b02fad.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\dumphive.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\ssprs.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-14 18:15 . 2009-08-14 18:15 -------- d-----w- c:\program files\ESET
2009-08-13 06:44 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 06:44 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 06:38 . 2009-08-13 06:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-13 05:56 . 2009-08-13 05:56 -------- d-----w- c:\documents and settings\me\Application Data\Malwarebytes
2009-08-13 05:56 . 2009-08-13 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 05:56 . 2009-08-13 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 03:09 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 00:07 . 2009-08-12 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-08 06:36 . 2009-08-08 06:36 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 06:36 . 2009-08-08 06:36 -------- d-----w- c:\program files\MSBuild
2009-08-08 06:36 . 2009-08-08 06:36 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 06:35 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-08 06:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-08 06:35 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-08 06:35 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-08 06:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-08 06:35 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-08 06:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-05 20:34 . 2009-08-05 20:34 152576 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 03:54 . 2008-12-31 22:54 17244 ----a-w- c:\windows\system32\tablet.dat
2009-08-28 03:31 . 2004-10-28 21:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-13 07:03 . 2007-09-07 23:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 05:18 . 2005-08-10 19:40 -------- d-----w- c:\program files\Google
2009-08-09 18:54 . 2004-07-20 01:08 61968 ----a-w- c:\documents and settings\me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 20:35 . 2007-09-08 18:03 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-11-24 19:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 19:15 . 2009-07-20 19:15 46552 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-20 19:15 . 2004-11-27 20:13 -------- d-----w- c:\documents and settings\me\Application Data\Apple Computer
2009-07-20 19:14 . 2009-07-20 19:14 -------- d-----w- c:\program files\Safari
2009-07-19 23:26 . 2009-07-19 23:26 -------- d-----w- c:\program files\Adobe Media Player
2009-07-19 23:25 . 2009-02-11 04:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-19 23:25 . 2008-12-21 02:57 38208 ----a-w- c:\documents and settings\me\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-09-27 02:07 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-02 03:17 . 2009-07-02 03:17 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-06-29 16:12 . 2001-08-23 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2006-08-20 13:08 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2001-08-23 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 23:26 . 2009-06-09 23:26 152576 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-07-12 01:44 . 2004-12-10 09:16 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe CS4\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="e:\program files\Adobe CS4\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-27 16208384]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-12-31 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=c:\windows\pss\PGPtray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Games\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"f:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\Program Files\\Adobe CS4\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/26/2009 7:57 PM 64160]
R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [1/29/2006 8:35 PM 169120]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [1/29/2006 8:35 PM 26624]
S2 gupdate1c90ed38f21ac37;Google Update Service (gupdate1c90ed38f21ac37);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2008 2:16 PM 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S3 Ldrpic;Ldrpic; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-12 00:07]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-04 19:55]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-04 19:55]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2001-08-23 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-11-21 20:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
HKCU-Run-Steam - (no file)
HKCU-Run-AdobeBridge - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: turbotax.com
TCP: {B7BC356B-9C47-4186-848A-2EF4F0916AAD} = 68.87.76.178,68.87.78.130
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\default.7el\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\default.7el\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: e:\program files\Adobe CS4\Acrobat 9.0\Acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-515967899-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:66,12,4b,03,7f,c4,bb,b2,43,82,97,2f,5f,6a,9c,2a,f9,c2,5e,6f,ee,b0,27,
35,4d,34,c2,32,cc,d8,82,bc,41,2a,9c,aa,45,82,d8,f9,fb,1b,48,32,60,c6,2d,8d,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f2,06,a9,4e,3a,4a,fb,a4,18,d1,7a,a5,43,99,a2,d4,14,6a,5f,e2,c8,
40,7e,bf,c1,08,11,fa,37,b9,13,e7,ec,9d,43,45,d8,61,f9,f9,db,48,57,11,e1,d7,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f2,06,a9,4e,3a,4a,fb,a4,18,d1,7a,a5,43,99,a2,d4,14,6a,5f,e2,c8,
40,7e,bf,c1,08,11,fa,37,b9,13,e7,ec,9d,43,45,d8,61,f9,f9,db,48,57,11,e1,d7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\system32\tabhook.dll
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PGPServ.exe
c:\windows\system32\Tablet.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-08-28 21:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 04:00

Pre-Run: 866,840,576 bytes free
Post-Run: 693,329,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

305 --- E O F --- 2009-08-27 04:12


>Kaspersky online scanner detects but does not delete. Have you saved its log? If not, please do another online scan and post the log:
>
>Please do a scan with Kaspersky Online Scanner

I had actually downloaded the free trial copy (but subsequently uninstalled it). I will run the online scan.

Edited by brent55, 04 September 2009 - 12:36 PM.


#10 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 September 2009 - 12:19 PM

The only worry on the Combofix log is a trojan password stealer. It might not be as bad as it looked.

I'll wait for the Kaspersky log.

#11 brent55

  • Topic Starter
  • Members
  • 12 posts

Posted 04 September 2009 - 01:55 PM

It's chugging away - been running for an hour and only 8% done. (I think it will pick up once it gets off the C: drive.) I'll post as soon as it finishes.

#12 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 September 2009 - 02:06 PM

Either it has to scan a large number of files or there are corrupted files it has to get through. If it takes extra long, stop it. We will do a disk check for corrupted files and volume errors (that could take a few hours too, but you need not sit there) and then run the scan.

#13 brent55

  • Topic Starter
  • Members
  • 12 posts

Posted 04 September 2009 - 08:59 PM

Well, that took a while.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 4, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 18:49:23
Records in database: 2746095
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
K:\

Scan statistics:
Objects scanned: 355549
Threats found: 2
Infected objects found: 1
Suspicious objects found: 1
Scan duration: 07:13:29


File name / Threat / Threats count
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Outlook\Outlookimap.aol.com-00000010.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
F:\Software\Photodex ProShow Gold 4.0.2442.rar Infected: Trojan.Win32.Chifrax.d 1

Selected area has been scanned.

#14 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 September 2009 - 02:41 AM

It looks good. KOS found no Virut. It detected an e-mail with an attachment as suspicious. This one you should remove: F:\Software\Photodex ProShow Gold 4.0.2442.rar

Let's also check for rootkit hidden stuff to make sure.

Download RootRepeal.exe from one of these download locations and save it to your desktop:
http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Click Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#15 brent55

  • Topic Starter
  • Members
  • 12 posts

Posted 05 September 2009 - 12:06 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 09:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6B5F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE5A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2CCE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\me\local settings\temp\~df718.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: c:\documents and settings\me\local settings\temp\~dff179.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "Vax347b.sys" at address 0xba739c58

#: 041 Function Name: NtCreateKey
Status: Hooked by "Vax347b.sys" at address 0xba739c10

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "Vax347b.sys" at address 0xba72dc70

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaacd6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaacf0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9e8c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "Vax347b.sys" at address 0xba72e4fe

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "Vax347b.sys" at address 0xba739d50

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaa1bc

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9bcc

#: 119 Function Name: NtOpenKey
Status: Hooked by "Vax347b.sys" at address 0xba739bd4

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaa5ee

#: 160 Function Name: NtQueryKey
Status: Hooked by "Vax347b.sys" at address 0xba72e51e

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "Vax347b.sys" at address 0xba739ca6

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaab88c

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaa43e

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "Vax347b.sys" at address 0xba7394f0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9a4c

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9ec0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaaa042

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa99a6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9b06

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaa9f86

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8b9a20 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89417ca0 Size: 11

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System Address: 0x8a53f008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a6700c8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLOSE]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_READ]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_WRITE]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_EA]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLEANUP]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_POWER]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_PNP]
Process: System Address: 0x8a684008 Size: 99

Object: Hidden Code [Driver: UDFReadr, IRP_MJ_READ]
Process: System Address: 0x8a6c5cc0 Size: 11

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x89bdc7f0 Size: 11

Object: Hidden Code [Driver: DVDVRRdr_xp, IRP_MJ_READ]
Process: System Address: 0x8a62a3e0 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x8947ccd0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89b77760 Size: 11

Object: Hidden Code [Driver: Npfs, IRP_MJ_READ]
Process: System Address: 0x8a6b2438 Size: 11

Object: Hidden Code [Driver: cdudf_xp, IRP_MJ_READ]
Process: System Address: 0x8a6a0d60 Size: 11

Object: Hidden Code [Driver: Msfs, IRP_MJ_READ]
Process: System Address: 0x8a4721a0 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a392228 Size: 11

Object: Hidden Code [Driver: Cdfs, IRP_MJ_READ]
Process: System Address: 0x89b6c730 Size: 11

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\F-Secure\HIPS\drivers\fshs.sys" at address 0xbaaac646

==EOF==



