
SecurityCenter 2009 Infection/registry hijacked?


  • This topic is locked
3 replies to this topic

#1 arhetue

  • Members
  • 12 posts
  • Gender:Male
Posted 23 October 2009 - 10:24 AM

I had a rather nasty trojan that showed up as a "Security Center 2009" or some such. I thought I had it removed, but I am still getting locked out of regedit and task manager. Malwarebytes continues to find two registry entries that reappear every time I get rid of them. I am also getting random redirects in Firefox when clicking links from google.

Here is what Malwarebytes continues to find:

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


DDS report:


DDS (Ver_09-10-13.01) - NTFSx86
Run by hetuea at 9:40:01.52 on Fri 10/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.2317 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LexisNexis\Front Office Exchange Synchronization\TmExSync.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\hetuea\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Time Matters: {00f17ece-12da-46a0-b541-bde4eb7df027} - c:\tmw9e\TMIETB.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Internet Explorer Plugin: {1fcc2563-f07f-4962-8f3d-7668c3f2010c} - pcfr32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Time Matters: {00f17ece-12da-46a0-b541-bde4eb7df027} - c:\tmw9e\TMIETB.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: &Search - ?p=ZUxdm080YYUS
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hetuea\applic~1\mozilla\firefox\profiles\4sic6ikl.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\components\TMFFTB.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-21 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-3-8 61440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R2 LNFOExchangeSync;Lexis Front Office Exchange Synchronization;c:\program files\lexisnexis\front office exchange synchronization\TmExSync.exe [2008-12-15 188232]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
R2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2008-8-21 705024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-12 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]
S3 GoogleDesktopManager-051608-133132;Google Desktop Manager 5.7.805.16405;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-6 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-10-22 17:55 <DIR> --d----- c:\program files\iPod
2009-10-22 17:55 <DIR> --d----- c:\program files\iTunes
2009-10-22 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-22 12:18 <DIR> --d----- c:\program files\Trend Micro
2009-10-21 15:39 15,688 a------- c:\windows\system32\lsdelete.exe
2009-10-21 14:04 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2009-10-21 13:51 <DIR> --d----- c:\program files\Lavasoft
2009-10-21 13:46 <DIR> --d----- c:\docume~1\hetuea\applic~1\Malwarebytes
2009-10-21 13:46 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 13:46 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-21 13:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 13:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-21 12:40 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-10-21 12:37 3 a------- c:\windows\system32\o6.dat
2009-10-21 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-21 10:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-21 10:48 <DIR> --d----- c:\docume~1\hetuea\applic~1\SUPERAntiSpyware.com
2009-10-21 10:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-21 10:09 223 a------- c:\windows\wininit.ini
2009-10-19 14:00 43,520 a------- c:\windows\system32\pcfr32.dll
2009-10-19 14:00 6,967 a------- c:\windows\system32\lknm
2009-10-14 10:59 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-10-06 10:02 54,308 a---h--- c:\windows\system32\mlfcache.dat
2009-09-27 18:03 558 a------- C:\tempwmi-av.vbs

==================== Find3M ====================

2009-10-20 15:00 1,863 a------- C:\WORDDATA.DAT
2009-09-25 00:49 668,672 a------- c:\windows\system32\wininet.dll
2009-09-25 00:49 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 00:49 668,672 -------- c:\windows\system32\dllcache\wininet.dll
2009-09-25 00:49 628,224 -------- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 00:49 474,112 -------- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 00:49 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 00:49 532,480 -------- c:\windows\system32\dllcache\mstime.dll
2009-09-25 00:49 449,024 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-09-25 00:49 146,432 -------- c:\windows\system32\dllcache\msrating.dll
2009-09-25 00:49 39,424 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-09-25 00:48 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-25 00:48 251,904 -------- c:\windows\system32\dllcache\iepeers.dll
2009-09-25 00:48 96,256 -------- c:\windows\system32\dllcache\inseng.dll
2009-09-25 00:48 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 00:48 55,808 -------- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 00:48 16,384 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-09-25 00:48 1,054,208 -------- c:\windows\system32\dllcache\danim.dll
2009-09-25 00:48 357,888 -------- c:\windows\system32\dllcache\dxtmsft.dll
2009-09-25 00:48 205,312 -------- c:\windows\system32\dllcache\dxtrans.dll
2009-09-25 00:48 151,040 -------- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 00:48 1,024,000 -------- c:\windows\system32\dllcache\browseui.dll
2009-09-18 04:46 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-09-16 10:35 2,713 a------- c:\docume~1\hetuea\applic~1\SAS7_000.DAT
2009-09-11 09:03 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:03 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 04:46 450,560 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 07:51 2,185,984 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 07:49 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 07:49 2,142,720 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:02 2,062,976 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 07:02 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:02 2,020,864 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-29 10:23 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 10:23 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 23:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-28 23:53 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-01-20 13:59 92,064 a------- c:\documents and settings\hetuea\mqdmmdm.sys
2009-01-20 13:59 79,328 a------- c:\documents and settings\hetuea\mqdmserd.sys
2009-01-20 13:59 66,656 a------- c:\documents and settings\hetuea\mqdmbus.sys
2009-01-20 13:59 25,600 a------- c:\documents and settings\hetuea\usbsermptxp.sys
2009-01-20 13:59 22,768 a------- c:\documents and settings\hetuea\usbsermpt.sys
2009-01-20 13:59 9,232 a------- c:\documents and settings\hetuea\mqdmmdfl.sys
2009-01-20 13:59 6,208 a------- c:\documents and settings\hetuea\mqdmcmnt.sys
2009-01-20 13:59 5,936 a------- c:\documents and settings\hetuea\mqdmwhnt.sys
2009-01-20 13:59 4,048 a------- c:\documents and settings\hetuea\mqdmcr.sys

============= FINISH: 9:45:14.14 ===============

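An added example, not part of the original post and not code from Malwarebytes, DDS or any other tool named in the thread: a small Python triage script run over an excerpt of the DDS log above. It pulls out the two HKCU policy values that Malwarebytes keeps deleting, flags any IE or shell module that is registered by a bare filename instead of a full path (here pcfr32.dll, which the "Created Last 30" section shows landing in system32 on 2009-10-19 together with an extensionless file named lknm), flags an IE menu entry whose target is not a file, and lists new extensionless files directly under system32. The rule names, the Finding type and the helper functions are this example's own; the sample text is excerpted from the log in the post.

```python
"""Triage a DDS log: tool-lockout policies, modules registered by bare filename,
odd IE menu targets, and recently created system32 files without an extension.
Added example for this thread; the rule names and Finding type are its own."""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the DDS log in the first post.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Internet Explorer Plugin: {1fcc2563-f07f-4962-8f3d-7668c3f2010c} - pcfr32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: &Search - ?p=ZUxdm080YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Notify: igfxcui - igfxdev.dll
=============== Created Last 30 ================
2009-10-21 12:37 3 a------- c:\windows\system32\o6.dat
2009-10-19 14:00 43,520 a------- c:\windows\system32\pcfr32.dll
2009-10-19 14:00 6,967 a------- c:\windows\system32\lknm
2009-10-14 10:59 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
==================== Find3M ====================
"""

LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}
MODULE_PREFIXES = ("BHO:", "TB:", "EB:", "Notify:", "SSODL:", "SEH:", "uURLSearchHooks:")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    detail: str


def _sections(text):
    """Split DDS output into {section name: [non-empty lines]} on its '=== name ===' headers."""
    sections, current = {}, "preamble"
    for line in text.splitlines():
        header = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line)
    return sections


def _created_files(lines):
    """Map lowercase file name -> its 'Created Last 30' line (directories skipped)."""
    out = {}
    for line in lines:
        m = re.match(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$", line)
        if m and m.group(1) != "<DIR>":
            out[m.group(2).rsplit("\\", 1)[-1].lower()] = line
    return out


def _target(line):
    """Text after the last ' - ' separator: the file a CLSID entry points to ('' if none)."""
    return re.split(r"\s-\s*", line)[-1].strip()


def triage_dds(text):
    sections = _sections(text)
    created = _created_files(sections.get("Created Last 30", []))
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        # 1. HKCU policy values that lock the user out of regedit / Task Manager
        m = re.match(r"^uPolicies-system:\s*(\w+)\s*=\s*(\d+)", line)
        if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(Finding("tool-lockout-policy", line, f"{m.group(1)} set under HKCU policies"))
        # 2. IE/shell modules registered by bare filename: loaded via the DLL search path,
        #    so the file can sit anywhere on it; cross-check against recently created files
        elif line.startswith(MODULE_PREFIXES):
            target = _target(line)
            if target and "\\" not in target:
                detail = "module registered by bare filename, not a full path"
                if target.lower() in created:
                    detail += "; created recently: " + created[target.lower()]
                findings.append(Finding("bare-filename-module", line, detail))
        # 3. IE menu entries whose target is neither a file path nor a CLSID
        elif line.startswith("IE:"):
            target = line.split(" - ", 1)[-1].strip()
            if "\\" not in target and not target.startswith("{"):
                findings.append(Finding("ie-menu-odd-target", line, f"target {target!r} is not a file"))
    # 4. New files directly under system32 with no extension at all
    for name, line in created.items():
        if "." not in name and "\\system32\\" + name in line.lower():
            findings.append(Finding("system32-no-extension", line, "new extensionless file in system32"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.rule}] {f.line}\n    {f.detail}")
```

The bare-filename rule produces a review list, not a verdict: `Notify: igfxcui - igfxdev.dll` is registered the same way and is an Intel graphics component. What singles out pcfr32.dll is the cross-reference with its creation date, which is the correlation the script automates. The two policy values can be cleared with `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f` (and likewise for DisableTaskMgr), but as the rest of the thread shows, clearing them is pointless while whatever keeps re-setting them is still running.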
#2 arhetue
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male

Posted 27 October 2009 - 11:39 AM

OK, I have successfully removed these two reproducing registry keys, not sure how, but after re-running Malwarebytes, SAS and ATF cleaner from safe mode Spybot found about 9 viruses pertaining to Smitfraud and got rid of them.

Now I am left with no viruses, but the redirect in all internet browsers remains. I have run GMER to see if there is a rootkit but none showed up. I have re-run SAS, Spybot, Malwarebytes, Adaware, and ATF cleaner, to no avail.

Every time I use a search engine, if I click on links I will get random redirects. Using stopscript in Firefox lets me see where they are going and it is all going to initial site: h**p://r3953724.cn ... anyone familiar with this?

Edited by Orange Blossom, 21 October 2010 - 08:38 PM.
Removed no longer relevant content. ~ OB


#3 arhetue
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male

Posted 30 October 2009 - 11:19 AM

RESOLVED

There was a rootkit - the latest version of ComboFix found it

Infected copy of WINDOWS\system32\DRIVERS\atapi.sys

Mods, please close. thanks.

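An added example that is not part of the original post and is not ComboFix's method: one way to check for an infected copy of a boot driver like atapi.sys is to compare each file under system32\drivers against the copy Windows File Protection keeps in system32\dllcache on Windows XP, by SHA-256. The Python below does that scan over a constructed fixture directory (placeholder bytes, not a real PE image, with a 5-byte jump written over one "driver" so that size and name stay unchanged); the fixture, the function names and the verdict strings are this example's own.

```python
"""Compare drivers on disk against the copies Windows File Protection keeps in
system32\\dllcache (Windows XP). Added example for this thread, not ComboFix's
method; the fixture below is constructed, not real driver code."""
import hashlib
import tempfile
from pathlib import Path

# Kernel images are installed under another name on multiprocessor/PAE machines: the DDS
# log above lists system32\ntoskrnl.exe at 2,142,720 bytes, the size of dllcache\ntkrnlmp.exe.
CACHE_ALIASES = {
    "ntoskrnl.exe": ("ntoskrnl.exe", "ntkrnlmp.exe"),
    "ntkrnlpa.exe": ("ntkrnlpa.exe", "ntkrpamp.exe"),
}


def sha256_of(path):
    """Stream a file through SHA-256 (drivers are small, but do not assume that)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_against_cache(live_path, dllcache_dir):
    """Return 'match', 'MISMATCH' or 'no-cache-copy' for one live file."""
    name = live_path.name.lower()
    candidates = [dllcache_dir / n for n in CACHE_ALIASES.get(name, (name,))]
    cached = [c for c in candidates if c.is_file()]
    if not cached:
        return "no-cache-copy"  # typical for third-party drivers; WFP only covers OS files
    live = sha256_of(live_path)
    return "match" if any(sha256_of(c) == live for c in cached) else "MISMATCH"


def scan_drivers(system32):
    """Check every *.sys under system32\\drivers against system32\\dllcache."""
    system32 = Path(system32)
    cache = system32 / "dllcache"
    return {p.name: check_against_cache(p, cache)
            for p in sorted((system32 / "drivers").glob("*.sys"))}


def build_fixture(root):
    """Constructed fake system32: one clean driver, one patched in place, one with no cache copy."""
    root = Path(root)
    (root / "drivers").mkdir(parents=True)
    (root / "dllcache").mkdir()
    clean = b"MZ" + bytes(range(256)) * 4            # placeholder bytes, not a real PE image
    patched = bytearray(clean)
    patched[0x80:0x85] = b"\xe9\x00\x10\x00\x00"     # a 5-byte jmp written over code, size unchanged
    (root / "drivers" / "disk.sys").write_bytes(clean)
    (root / "dllcache" / "disk.sys").write_bytes(clean)
    (root / "drivers" / "atapi.sys").write_bytes(bytes(patched))
    (root / "dllcache" / "atapi.sys").write_bytes(clean)
    (root / "drivers" / "vendor.sys").write_bytes(clean)   # no WFP copy for this one
    return root


def demo():
    """Run the scan over the constructed fixture and return {driver: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drivers(build_fixture(tmp))


if __name__ == "__main__":
    for driver, verdict in demo().items():
        print(f"{verdict:14} {driver}")
```

On a real machine the call is `scan_drivers(r"C:\WINDOWS\system32")` against a drive mounted from clean boot media, not from inside the running install: a kernel-mode rootkit that has patched a driver on disk can also filter reads of that file, which is one reason GMER (post #2) can come up empty while the file is modified. Treat the result as triage, not proof. A name-for-name mismatch can be legitimate (the log's own ntoskrnl.exe at 2,142,720 bytes matches dllcache\ntkrnlmp.exe, the multiprocessor build, not dllcache\ntoskrnl.exe, which is why the alias table exists), and a match is only as good as the cache copy, which a thorough infection can replace as well.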
#4 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 October 2009 - 05:47 PM

Thanks for letting us know.

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



