Hi garmanma,
I did as suggested.
I used the recovery wizard on a hidden partition on the hard drive and restored to factory settings. Unfortunately, I have not been able to format the C drive, as the hidden partition is on the C drive, and I am wondering if this will also be deleted if I format.
Soon after restoring factory settings, I installed Norton Internet Security and then connected the broadband modem.
I downloaded updates for Norton. I then downloaded some updates for Windows. After I installed Windows XP Service Pack 3 and rebooted, I was downloading some more updates when the computer reverted to power-save mode and the screen went blank except for the Windows icon.
When I moved the mouse, I got back the Windows page with the user accounts displayed. When I tried to get into my account, the password that I had set did not work!!! The other accounts were also asking for passwords again, although none were set.
I rebooted into Safe Mode and luckily was able to get in through the Administrator account, which had no password set. I have since removed all passwords and generated a password reset disk for my account.
I have downloaded DDS and RootRepeal and generated logs, which I have attached. One other thing: after I ran these two scans, I noticed a new icon on the desktop named "settings". It is a .DAT file and can't be opened. Is this something expected to happen with either of these two files?
I am worried that the infection is not completely gone. Please look at the logs and let me know what you think. I will download Malwarebytes and run a scan later as well.
Many thanks again for your help.
DDS (Ver_09-07-30.01) - NTFSx86
Run by ashoka at 21:12:09.06 on 08/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1579 [GMT 1:00]
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\ashoka\Desktop\dds.scr
============== Pseudo HJT Report ===============
uDefault_Page_URL = hxxp://www.skybroadband.com
uWindow Title = Windows Internet Explorer provided by Sky Broadband
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_04\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [CARPService] carpserv.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252434280562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-9-8 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-9-8 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-9-8 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090904.002\IDSXpx86.sys [2009-9-8 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-9-8 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-7 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090907.050\NAVENG.SYS [2009-9-7 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090907.050\NAVEX15.SYS [2009-9-7 1323568]
S3 cpuz;cpuz;\??\f:\cpuz.sys --> f:\cpuz.sys [?]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-21 89749]
=============== Created Last 30 ================
2009-09-08 20:21 <DIR> --d----- c:\program files\MSXML 4.0
2009-09-08 20:20 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2009-09-08 20:19 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 20:17 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-08 20:16 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-08 20:11 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-09-08 20:09 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-08 20:09 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-09-08 20:09 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-09-08 20:09 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-09-08 20:08 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-09-08 20:08 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-08 20:07 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\scripting
2009-09-08 19:53 <DIR> --d----- c:\windows\l2schemas
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\en
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\bits
2009-09-08 19:50 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-08 19:47 <DIR> --d----- c:\windows\network diagnostic
2009-09-08 19:44 <DIR> --d----- c:\windows\EHome
2009-09-08 19:25 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-09-08 19:25 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-09-08 19:25 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-09-08 19:25 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-09-08 19:25 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-08 19:13 463 a------- c:\windows\system32\CTHELPER.RPT
2009-09-08 19:09 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-09-08 19:05 12,598 a------- c:\windows\system32\wpa.bak
2009-09-08 19:02 <DIR> --d----- c:\program files\Sky Broadband
2009-09-08 18:47 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-08 18:47 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-08 18:47 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-08 18:47 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-08 18:47 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-08 18:47 <DIR> --d----- c:\program files\Symantec
2009-09-08 18:47 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-08 18:46 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-08 18:46 <DIR> --d----- c:\program files\Norton Internet Security
2009-09-08 18:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-09-08 18:45 <DIR> --d----- c:\program files\NortonInstaller
2009-09-08 18:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-09-08 18:32 <DIR> --d----- c:\documents and settings\ashoka
==================== Find3M ====================
2009-09-08 19:55 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 05:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 05:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 17:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
============= FINISH: 21:12:22.51 ===============
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 21:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA90BA000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5D3C000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9EB0000 Size: 323584 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090907.050\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a3b1c08
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a3a1710
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3ed630
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a3f07c0
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x891362b0
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423020
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89f84c78
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a6742c8
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89fee330
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a3ef640
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94232a0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423800
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a389cc0
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89fcf120
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a3e7f68
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a3b06f0
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a3805d8
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89fc97a0
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a3d5310
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89d3a800
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a344ab0
#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a3e0240
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89fb94e0
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a6970c8
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a32c228
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a38ca90
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89fa9b38
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a40d8a0
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423a50
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a3dd5c0
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a39efa8
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a33a350
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a38ec50
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a3481d0
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a40f608
Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a3c13e8
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a3c35b0
#: 415 Function Name: NtUserGetKeyNameText
Status: Hooked by "<unknown>" at address 0x8a3443e8
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a3c7700
#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x89fc5100
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x89fc0550
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89061668
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8a29ac08
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a3bf380
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89fc2518
==EOF==