
rootkit virus keeps coming back str.sys


  • This topic is locked
24 replies to this topic

#1 jobarb

  • Members
  • 12 posts

Posted 28 November 2009 - 12:42 AM

The computer is running XP Service Pack 2.
When I first tried to fix a popup problem with Symantec, the user (my daughter) couldn't log on anymore.
Safemode would begin to load and then rebooted.

I fixed several registry entries using knoppix under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
and copied over a copy of userinit.exe, and ntldr from another XP installation.

Now the user can logon, but the web pages are redirected to advertisements for removal tools and other things.
A file called str.sys was removed by several malware and antivirus programs and kept coming back.

I still can't boot into safemode. I see a list of drivers loading and then the computer reboots. I would be grateful for any help, thanks.

Here is the report from Rootrepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/27 22:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00002984
Image Path: 00002984
Address: 0xB2A8F000 Size: 71424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2BC3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091127.003\EraserUtilDrvI9.sys
Status: Locked to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x862172e0]!

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a61e518

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x8628c390, TID: 1768]
Process: svchost.exe (PID: 916) Address: 0x00a51f3c Size: -

Hidden Services
-------------------
Service Name: xiehhlsyjlr
Image Path: C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys

==EOF==

------------------------------------
Here is the report from DDS
------------------------------------

DDS (Ver_09-11-24.02) - NTFSx86
Run by daisy at 22:36:31.83 on Fri 11/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1282 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\daisy\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\daisy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [VTTimer] VTTimer.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\AVR.exe
StartupFolder: c:\docume~1\daisy\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\diner dash - flo on the go\images\stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157311276508
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\diner dash - flo on the go\images\armhelper.ocx
TCP: {493D8F3D-475B-4084-9726-C5214FBBB60F} = 192.169.1.1
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: SysNet - {342BB978-EEB1-4C81-9D07-1CCB7267987D} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daisy\applic~1\mozilla\firefox\profiles\6olyzd17.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R3 S3G700;S3G700;c:\windows\system32\drivers\S3G700m.sys [2002-1-1 792576]
S2 xiehhlsyjlr;xiehhlsyjlr;c:\windows\system32\drivers\nunrfrpsbfanhl.sys []
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2001-12-31 20160]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [2006-8-3 3584]

=============== Created Last 30 ================

2009-11-27 19:13:30 98816 ----a-w- c:\windows\sed.exe
2009-11-27 19:13:30 77312 ----a-w- c:\windows\MBR.exe
2009-11-27 19:13:30 260608 ----a-w- c:\windows\PEV.exe
2009-11-27 19:13:30 161792 ----a-w- c:\windows\SWREG.exe
2009-11-27 19:13:00 0 d-s---w- C:\ComboFix
2009-11-27 16:25:02 0 d-----w- c:\windows\pss
2009-11-27 16:01:57 0 d-----w- c:\docume~1\daisy\applic~1\Malwarebytes
2009-11-27 16:01:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 16:01:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 16:01:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 16:01:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-27 15:45:25 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-26 20:14:27 250032 --sha-r- C:\ntldr
2009-11-26 19:53:15 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2009-11-26 19:53:13 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2009-11-26 19:26:11 0 d-----w- c:\windows\system32\Lang
2009-11-26 19:25:42 0 d-----w- C:\c31fa9a8d8261c4821757231
2009-11-26 19:06:46 24576 ----a-w- c:\windows\system32\userinit.exe
2009-11-01 16:07:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-11-01 16:07:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-11-01 16:06:29 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-11-01 15:59:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-11-01 15:59:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-01 15:59:08 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-11-01 15:54:17 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-11-01 15:54:17 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-11-01 15:54:17 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-11-01 15:54:17 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-11-01 15:54:17 317952 ------w- c:\windows\system32\imapi2.dll
2009-11-01 15:53:48 764868 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2009-11-01 15:53:48 217118 -c----w- c:\windows\system32\dllcache\apphelp.sdb
2009-11-01 15:53:48 1197294 -c----w- c:\windows\system32\dllcache\sysmain.sdb

==================== Find3M ====================


============= FINISH: 22:37:13.23 ===============


The attach.txt file was zipped and is attached.
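What a removal helper reads first in a RootRepeal/DDS pair like the one above, written up as an added example (not a tool from this thread or from BleepingComputer): a small Python triage script that walks the report sections and flags the indicators the later replies act on (the hidden service, the file invisible to the Windows API, the SSDT hook by an unknown module, the SfcDisable Winlogon value). The function names `triage`, `correlate` and `Finding` are mine, and the sample log inside is a constructed excerpt modelled on the reports above.

```python
"""Triage helper for RootRepeal and DDS logs like the ones posted above: an added
example, not a tool from the thread; it flags what a removal helper reads first."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str      # short rule name
    detail: str    # log value that triggered the rule

def _sections(text):
    """RootRepeal sections: a title line followed by a dashed underline."""
    parts = re.split(r"(?m)^(.+)\n-{5,}\n", text)
    return {parts[i]: parts[i + 1].splitlines() for i in range(1, len(parts), 2)}

def _records(lines):
    """Blank-line separated 'Key: value' groups; '_raw' keeps the joined text."""
    out, buf = [], []
    for line in lines + [""]:
        if line.strip():
            buf.append(line.strip())
        elif buf:
            rec = {"_raw": " ".join(buf)}
            for item in buf:
                key, sep, val = item.partition(":")
                if sep and key.strip():
                    rec.setdefault(key.strip(), val.strip())
            out.append(rec)
            buf = []
    return out

def triage(text):
    """Return Findings for a pasted RootRepeal and/or DDS log."""
    found, sec = [], _sections(text)
    for rec in _records(sec.get("Drivers", [])):
        path = rec.get("Image Path", "")
        if path and "\\" not in path:  # no directory part: nothing on disk to inspect
            found.append(Finding("high", "driver-without-file-path", f"{rec.get('Name', '?')} -> {path}"))
    for rec in _records(sec.get("Hidden/Locked Files", [])):
        status, path = rec.get("Status", ""), rec.get("Path", "")
        if "Invisible" in status:
            found.append(Finding("high", "file-invisible-to-api", path))
        elif "Locked" in status:  # usual for an AV engine's own driver
            found.append(Finding("info", "file-locked", path))
    for rec in _records(sec.get("SSDT", [])):
        hook = re.search(r'Hooked by "([^"]*)"', rec["_raw"])
        func = re.search(r"Function Name: (\S+)", rec["_raw"])
        if hook and hook.group(1) == "<unknown>":
            found.append(Finding("high", "ssdt-hook-unknown", func.group(1) if func else rec["_raw"]))
    for rec in _records(sec.get("Hidden Services", [])):
        if "Service Name" in rec:
            found.append(Finding("high", "hidden-service", f"{rec['Service Name']} -> {rec.get('Image Path', '?')}"))
    # DDS output is flat, so its lines are matched over the whole text.
    for m in re.finditer(r"^\w*Winlogon: SfcDisable=(-?\d+)", text, re.M):
        if int(m.group(1)) != 0:  # 0 is the default; anything else weakens WFP
            found.append(Finding("high", "sfc-disabled", m.group(0)))
    for m in re.finditer(r"^[SR]\d ([^;]+);[^;]*;(.+?) \[\]$", text, re.M):
        found.append(Finding("medium", "service-file-unreadable", f"{m.group(1)} -> {m.group(2)}"))
    return found

def correlate(findings):
    """Paths (case-folded) named by two or more rules: one object, not several."""
    hits = {}
    for f in findings:
        path = f.detail.split(" -> ")[-1]
        if "\\" in path:
            hits.setdefault(path.lower(), set()).add(f.rule)
    return {p: sorted(r) for p, r in hits.items() if len(r) > 1}

# Constructed excerpt in the format of the RootRepeal and DDS reports above.
SAMPLE_LOG = r"""Drivers
-------------------
Name: 00002984
Image Path: 00002984
Address: 0xB2A8F000 Size: 71424 File Visible: No Signed: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091127.003\EraserUtilDrvI9.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a61e518

Hidden Services
-------------------
Service Name: xiehhlsyjlr
Image Path: C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys

mWinlogon: SfcDisable=-99 (0xffffff9d)
S2 xiehhlsyjlr;xiehhlsyjlr;c:\windows\system32\drivers\nunrfrpsbfanhl.sys []
"""
```

Run `triage(SAMPLE_LOG)` to get the findings list and `correlate(...)` to see that the hidden service and the DDS entry with empty file details point at the same driver file.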


#2 Farbar

    Just Curious

  • Security Developer
  • 21,569 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 November 2009 - 08:27 AM

Hi jobarb,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I see you have Combofix. Please post the log(s) it has produced. If you have run it more than once, please attach all of them.

The latest log is located at: c:\Combofix.txt
The earlier logs are located at C:\Qoobox\combofixX.txt where X is a number.

#3 jobarb
  • Topic Starter

  • Members
  • 12 posts

Posted 30 November 2009 - 07:43 PM

Thank you.

I ran combofix twice and it did not produce a log file.
There was no c:\combofix.txt. There was a Qoobox directory but no c:\qoobox\combofixn.txt.

Rather than running for ten minutes, each run took five hours, and combofix seemed to want to repair dozens and dozens of exe files in C:\WINDOWS and C:\WINDOWS\system32.

By the way, I did not have the recovery console installed yet, but I found an SP2 installation disk and can do it, if it is supposed to make a difference.

#4 Farbar

    Just Curious

  • Security Developer
  • 21,569 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 December 2009 - 03:56 AM

I assume you agree not to change anything from now on.

Good to know you have a Windows CD in case we need the Recovery Console.

ComboFix should not take that long. There was something wrong.
  • Let's see whether it has removed anything. Go to Start => Run => Copy and paste the following in the run box and OK:

    cmd /c dir /a /s C:\QooBox >log.txt&start log.txt

    A log file will open; please post its contents.

  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @echo off
    if exist mbr.log del mbr.log
    mbr.exe -t 
    start mbr.log
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • A notepad opens, copy and paste the content (mbr.log) to your reply.


#5 jobarb
  • Topic Starter

  • Members
  • 12 posts

Posted 01 December 2009 - 09:48 AM

Qoobox listing as requested:
Volume in drive C is MAIN
Volume Serial Number is A62A-C201

Directory of C:\QooBox

11/29/2009 06:49 <DIR> .
11/29/2009 06:49 <DIR> ..
11/29/2009 06:50 <DIR> BackEnv
11/27/2009 14:13 <DIR> LastRun
11/27/2009 14:17 <DIR> Quarantine
11/29/2009 06:57 <DIR> Test
11/27/2009 14:13 <DIR> TestC
0 File(s) 0 bytes

Directory of C:\QooBox\BackEnv

11/29/2009 06:50 <DIR> .
11/29/2009 06:50 <DIR> ..
11/29/2009 06:50 399 appdata.folder.dat
11/29/2009 06:50 565 cache.folder.dat
11/29/2009 06:50 341 Cookies.folder.dat
11/29/2009 06:50 234 desktop.folder.dat
11/29/2009 06:50 296 favorites.folder.dat
11/29/2009 06:50 433 localappdata.folder.dat
11/29/2009 06:50 390 localsettings.folder.dat
11/29/2009 06:50 266 mypictures.folder.dat
11/29/2009 06:50 256 personal.folder.dat
11/29/2009 06:49 308 Profiles.Folder.dat
11/29/2009 06:50 509 Profiles.Folder.folder.dat
11/29/2009 06:50 358 programs.folder.dat
11/29/2009 06:49 5,508 SetPath.bat
11/29/2009 06:50 249 startmenu.folder.dat
11/29/2009 06:50 334 startup.folder.dat
11/29/2009 06:49 1,898 SysPath.dat
11/29/2009 06:50 244 templates.folder.dat
17 File(s) 12,588 bytes

Directory of C:\QooBox\LastRun

11/27/2009 14:13 <DIR> .
11/27/2009 14:13 <DIR> ..
11/29/2009 13:02 115,272,315 ndis_log.old
1 File(s) 115,272,315 bytes

Directory of C:\QooBox\Quarantine

11/27/2009 14:17 <DIR> .
11/27/2009 14:17 <DIR> ..
11/27/2009 14:29 <DIR> C
11/29/2009 06:48 102 catchme.log
11/27/2009 14:28 <DIR> Registry_backups
1 File(s) 102 bytes

Directory of C:\QooBox\Quarantine\C

11/27/2009 14:29 <DIR> .
11/27/2009 14:29 <DIR> ..
11/28/2008 12:48 84,120 log.txt.vir
11/27/2009 14:29 <DIR> WINDOWS
1 File(s) 84,120 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

11/27/2009 14:29 <DIR> .
11/27/2009 14:29 <DIR> ..
11/29/2009 07:00 <DIR> system32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

11/29/2009 07:00 <DIR> .
11/29/2009 07:00 <DIR> ..
08/18/2008 12:19 82,432 404Fix.exe.vir
12/12/2008 01:57 78,336 Agent.OMZ.Fix.exe.vir
07/31/2004 18:50 51,200 dumphive.exe.vir
11/29/2008 18:58 82,944 IEDFix.C.exe.vir
05/18/2008 21:40 82,944 IEDFix.exe.vir
11/20/2001 14:36 1,462,353 MYDLL.dll.vir
09/20/2008 12:45 80,384 o4Patch.exe.vir
06/05/2003 21:13 53,248 Process.exe.vir
12/31/2002 02:00 23,040 setup.exe.vir
04/27/2006 17:49 288,417 SrchSTS.exe.vir
11/28/2009 02:21 2,870 tmp.reg.vir
10/01/2008 15:51 87,552 VACFix.exe.vir
09/06/2007 00:22 289,144 VCCLSID.exe.vir
06/02/2009 11:17 75,776 WS2Fix.exe.vir
14 File(s) 2,740,640 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

11/27/2009 14:28 <DIR> .
11/27/2009 14:28 <DIR> ..
11/29/2009 06:59 1,432 Legacy_XIEHHLSYJLR.reg.dat
11/29/2009 06:58 9,093 tcpip.reg
2 File(s) 10,525 bytes

Directory of C:\QooBox\Test

11/29/2009 06:57 <DIR> .
11/29/2009 06:57 <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

11/27/2009 14:13 <DIR> .
11/27/2009 14:13 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
36 File(s) 118,120,290 bytes
29 Dir(s) 126,652,571,648 bytes free
==============================================
gmer.log
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 07:06:36
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\daisy\LOCALS~1\Temp\kwldapoc.sys

==================================================
zipped version of gmer.log is attached -- post was too long


===================================================
mbr.log as requested
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

Thank you.

#6 Farbar

    Just Curious

  • Security Developer
  • 21,569 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 December 2009 - 02:52 PM

We have everything we need to start with.
  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Drivers to delete:
      xiehhlsyjlr
      
      Files to delete:
      C:\WINDOWS\system32\drivers\str.sys
      C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys
      
      Registry values to delete:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | SFCDisable
    • In the avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.


#7 jobarb
  • Topic Starter

  • Members
  • 12 posts

Posted 01 December 2009 - 07:56 PM

Thanks for your help.
Here is the Avenger log
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "xiehhlsyjlr" deleted successfully.
File "C:\WINDOWS\system32\drivers\str.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|SFCDisable" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 Farbar

    Just Curious

  • Security Developer
  • 21,569 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 December 2009 - 08:34 PM

Steps 1 and 2 are based on an earlier version of Norton. The settings might be different here. You need to disable Script Blocking and Auto-Protect before running ComboFix and enable them again after ComboFix has produced its log.
  • Please disable Norton AntiVirus Script Blocking so it will not interfere with the fixes we are going to make. To do that:
    • Start Norton AntiVirus.
      If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
    • Click Options.
    • If you see a menu, click Norton AntiVirus.
    • In the left pane, click Script Blocking.
    • On the right pane, uncheck the Enable Script Blocking (recommended) check box. Click OK.
  • Please disable Norton Antivirus. To do that:
    • Please navigate to the system tray on the bottom right hand corner and look for the Norton system tray icon sign.
    • Right-click it -> choose "Disable Auto-Protect."
    • Select a duration of at least 2 hours (this assures no interference with the cleanup of your pc).
    • Click "Ok."
    • A popup will warn that protection will now be disabled. Then you see a red circle with a cross on the system tray icon.
    • You successfully disabled the Norton Antivirus Guard.
  • Delete your copy of ComboFix from the desktop and download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#9 jobarb
  • Topic Starter

  • Members
  • 12 posts

Posted 02 December 2009 - 08:41 AM

I was unable to send the zipped combofix log because it was 1,547K. Here is the top of the log... followed by a listing of many other infected system files, and the bottom of the log. Is this OK, or is there a way to send you the rest?

ComboFix 09-12-01.01 - daisy 12/01/2009 19:24.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1255 [GMT -5:00]
Running from: c:\documents and settings\daisy\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\hh.exe . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\hh.exe . . . is infected!!

c:\windows\NOTEPAD.EXE . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\hh.exe . . . is infected!!

c:\windows\NOTEPAD.EXE . . . is infected!!

c:\windows\winhlp32.exe . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\hh.exe . . . is infected!!

c:\windows\NOTEPAD.EXE . . . is infected!!

c:\windows\winhlp32.exe . . . is infected!!

c:\windows\mui\muisetup.exe . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\hh.exe . . . is infected!!

c:\windows\NOTEPAD.EXE . . . is infected!!

c:\windows\winhlp32.exe . . . is infected!!

c:\windows\mui\muisetup.exe . . . is infected!!

c:\windows\pchealth\helpctr\binaries\HelpCtr.exe . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.....====================
skipping here
======================

c:\windows\system32\wbem\wmiapsrv.exe . . . is infected!!

c:\windows\system32\wbem\wmic.exe . . . is infected!!

c:\windows\system32\wbem\wmiprvse.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-01 22:22 . 2009-12-01 22:22 -------- d-----w- c:\windows\system32\wbem\snmp
2009-12-01 22:22 . 2009-12-01 22:22 -------- d-----w- c:\windows\system32\xircom
2009-12-01 22:22 . 2009-12-01 22:22 -------- d-----w- c:\windows\system32\1033
2009-12-01 22:22 . 2009-12-01 22:22 -------- d-----w- c:\program files\microsoft frontpage
2009-11-28 06:35 . 2009-11-28 06:35 -------- d-----w- c:\program files\Trend Micro
2009-11-28 05:46 . 2009-11-28 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-28 05:46 . 2009-11-28 05:46 -------- d-----w- c:\program files\Java
2009-11-28 05:46 . 2009-11-28 05:46 152576 ----a-w- c:\documents and settings\daisy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 05:45 . 2009-11-28 05:45 79488 ----a-w- c:\documents and settings\daisy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 16:01 . 2009-11-27 16:01 -------- d-----w- c:\documents and settings\daisy\Application Data\Malwarebytes
2009-11-27 16:01 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 16:01 . 2009-11-27 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 16:01 . 2009-11-27 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 16:01 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 15:45 . 2009-11-27 15:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-26 19:26 . 2009-12-02 00:18 -------- d-----w- c:\windows\system32\Lang
2009-11-26 19:25 . 2009-11-26 19:27 -------- d-----w- C:\c31fa9a8d8261c4821757231
2009-11-26 19:06 . 2004-08-04 07:56 24576 ----a-w- c:\windows\system32\userinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 00:19 . 2006-09-10 14:54 -------- d-----w- c:\documents and settings\daisy\Application Data\OpenOffice.org2
2009-12-02 00:14 . 2006-08-04 05:07 40 ----a-w- c:\windows\system32\profile.dat
2009-12-02 00:12 . 2006-08-04 05:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 16:22 . 2009-06-25 14:55 15152 ----a-w- c:\documents and settings\daisy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 13:07 . 2006-09-03 22:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 13:03 . 2008-07-05 00:47 -------- d-----w- c:\program files\Frets on Fire
2009-11-01 16:07 . 2009-11-01 16:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-11-01 16:07 . 2009-11-01 16:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-11-01 16:06 . 2009-11-01 16:06 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-11-01 16:00 . 2009-11-01 15:58 -------- d-----w- c:\program files\Zune
2009-11-01 15:59 . 2009-11-01 15:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-11-01 15:59 . 2009-11-01 15:59 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-22 23:29 . 2009-10-22 23:29 -------- d-----w- c:\documents and settings\daisy\Application Data\U3
2009-10-18 16:52 . 2009-10-18 16:52 -------- d-----w- c:\documents and settings\daisy\Application Data\PC-FAX TX
2009-10-04 16:00 . 2008-07-13 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-10-04 15:58 . 2009-10-04 15:58 64 ----a-w- c:\windows\GPlrLanc.dat
2009-10-04 15:58 . 2009-10-04 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Free Ride Games
.

------- Sigcheck -------

[-] 2004-08-04 03:59 . 7B91D6C523BC85721EE55DEF09768D95 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[-] 2002-12-31 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2002-12-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2002-12-31 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2002-12-31 . 2490B30D416A96AC96603D7844CA5C0F . 574592 . . [5.1.2600.2562] . . c:\windows\system32\drivers\ntfs.sys

[-] 2002-12-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2002-12-31 . 39128B5A743545BAEDD3984C210F00A8 . 77824 . . [5.1.2600.2586] . . c:\windows\system32\browser.dll

[-] 2002-12-31 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2002-12-31 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2002-12-31 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll

[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2002-12-31 . 22C645433071CB5EBB529E2F28A6343E . 396288 . . [5.1.2600.2651] . . c:\windows\$NtUninstallKB894391$\rpcss.dll

[-] 2002-12-31 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\services.exe

[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[-] 2002-12-31 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2002-12-31 . B66DBC40D428FE1293041D621D836AC8 . 502784 . . [5.1.2600.2524] . . c:\windows\system32\winlogon.exe

[-] 2002-12-31 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll

[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\system32\es.dll
[-] 2002-12-31 07:00 . B38C4E273E317BBD0676C12987C31CA2 . 243200 . . [2001.12.4414.302] . . c:\windows\$NtUninstallKB902400$\es.dll

[-] 2002-12-31 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll

[-] 2002-12-31 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll

[-] 2002-12-31 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll

[-] 2002-12-31 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\mswsock.dll

[-] 2002-12-31 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll

[-] 2002-12-31 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll

[-] 2002-12-31 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll

[-] 2002-12-31 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll

[-] 2002-12-31 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
[-] 2002-12-31 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2002-12-31 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll

[-] 2002-12-31 . 98D45EFDDD1A67F90353BE8D28ED72DB . 1032192 . . [6.00.2900.2527] . . c:\windows\explorer.exe

[-] 2002-12-31 . 902CF9595F640E53F33C0F1637F464F9 . 171008 . . [5.1.2600.2567] . . c:\windows\system32\srsvc.dll

[-] 2002-12-31 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2002-12-31 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2002-12-31 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll

[-] 2002-12-31 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

[-] 2002-12-31 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe

[-] 2002-12-31 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll

[-] 2002-12-31 . 086C3B973758AAE5A585DCEC27265ACB . 190976 . . [5.1.2600.2508] . . c:\windows\system32\schedsvc.dll

[-] 2002-12-31 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll

[-] 2002-12-31 . 972063211CB1CE503E7CB0AE48955145 . 295424 . . [5.1.2600.2620] . . c:\windows\system32\termsrv.dll

[-] 2002-12-31 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll

[-] 2002-12-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\Driver Cache\i386\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
[-] 2004-08-04 02:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2002-12-31 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2002-12-31 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll

[-] 2002-12-31 07:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-12-31 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-03 180269]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2005-04-05 159744]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\daisy\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wyyo Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Brother\\Brmfl07a\\FAXRX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner

R3 S3G700;S3G700;c:\windows\system32\drivers\S3G700m.sys [1/1/2002 12:02 AM 792576]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/31/2001 11:43 PM 20160]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [8/3/2006 9:42 PM 3584]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2006-08-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-08-04 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: {493D8F3D-475B-4084-9726-C5214FBBB60F} = 192.169.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\daisy\Application Data\Mozilla\Firefox\Profiles\clrt536z.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\AVR.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta
AddRemove-{83d96ed0-98aa-4515-8ddc-816f3efdd104} - c:\program files\InstallShield Installation Information\{83d96ed0-98aa-4515-8ddc-816f3efdd104}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-01 22:01
ComboFix-quarantined-files.txt 2009-12-02 03:01

Pre-Run: 126,618,464,256 bytes free
Post-Run: 105,023,889,408 bytes free

- - End Of File - - F511728FC6C8714A1E55F069313D217D

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,569 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:17 PM

Posted 02 December 2009 - 12:20 PM

As far as the log is concerned, it is okay for now. If needed I'll ask for it. But I'm afraid it doesn't look good at all. It seems there is a file infector on the system that patches the exe files.

Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

c:\windows\regedit.exe
c:\windows\explorer.exe
c:\windows\system32\wbem\wmiprvse.exe


If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#11 jobarb

jobarb
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:17 PM

Posted 02 December 2009 - 07:40 PM

So should I just copy over my windows and system32 directories from another XP SP2 installation?
Here is the output from VirusTotal

thanks.


File regedit.exe received on 2009.11.21 08:23:34 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.21 -
AhnLab-V3 5.0.0.2 2009.11.20 -
AntiVir 7.9.1.72 2009.11.20 -
Antiy-AVL 2.0.3.7 2009.11.20 -
Authentium 5.2.0.5 2009.11.20 -
Avast 4.8.1351.0 2009.11.20 -
AVG 8.5.0.425 2009.11.20 -
BitDefender 7.2 2009.11.21 -
CAT-QuickHeal 10.00 2009.11.20 -
ClamAV 0.94.1 2009.11.21 -
Comodo 2983 2009.11.19 -
DrWeb 5.0.0.12182 2009.11.20 -
eSafe 7.0.17.0 2009.11.19 -
eTrust-Vet 35.1.7133 2009.11.20 -
F-Prot 4.5.1.85 2009.11.20 -
F-Secure 9.0.15370.0 2009.11.20 -
Fortinet 3.120.0.0 2009.11.21 -
GData 19 2009.11.21 -
Ikarus T3.1.1.74.0 2009.11.21 -
Jiangmin 11.0.800 2009.11.21 -
K7AntiVirus 7.10.901 2009.11.20 -
Kaspersky 7.0.0.125 2009.11.21 -
McAfee 5808 2009.11.20 -
McAfee+Artemis 5808 2009.11.20 -
McAfee-GW-Edition 6.8.5 2009.11.20 Heuristic.LooksLike.Win32.Downloader.L
Microsoft 1.5302 2009.11.21 -
NOD32 4626 2009.11.21 -
Norman 6.03.02 2009.11.21 -
nProtect 2009.1.8.0 2009.11.21 -
Panda 10.0.2.2 2009.11.20 -
PCTools 7.0.3.5 2009.11.21 -
Prevx 3.0 2009.11.21 -
Rising 22.22.05.03 2009.11.21 -
Sophos 4.47.0 2009.11.21 -
Sunbelt 3.2.1858.2 2009.11.21 -
Symantec 1.4.4.12 2009.11.21 -
TheHacker 6.5.0.2.075 2009.11.20 -
TrendMicro 9.0.0.1003 2009.11.21 -
VBA32 3.12.12.0 2009.11.20 -
ViRobot 2009.11.20.2047 2009.11.20 -
VirusBuster 5.0.21.0 2009.11.20 -
Additional information
File size: 146432 bytes
MD5 : 783afc80383c176b22dbf8333343992d
SHA1 : 8829b5a655b9d480d0d4a8ab4faf219c89368ac1
SHA256: 694590952296bd3127823fa36da6d6401e1c8772473d9f7c719548330dd5f138
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x168EC
timedatestamp.....: 0x41107C0F (Wed Aug 4 08:02:55 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x178D2 0x17A00 6.36 2683166d6cc4b68ef1729739de720e2f
.data 0x19000 0x40DA0 0x400 1.20 608604848080cee7338324c4556bee35
.rsrc 0x5A000 0xB8C0 0xBA00 3.68 3cde9226969baa16e77721ee9064750d

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...2dbf8333343992d
ssdeep: 3072:LveatQxJtrK4LSZqLckUem27ri1vwBI+huFdb8MuTLTiD9w:LvePPMqLckUet72FwBI+AFdb8Mu
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: REGEDIT.EXE
( Microsoft )

MSDN Disc 2428.4: REGEDIT.EXE
MSDN Disc 2428.5: REGEDIT.EXE
MSDN Disc 2428.8: REGEDIT.EXE
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: REGEDIT.EXE
Virtual PC for Mac Windows XP Home Edition: REGEDIT.EXE
Virtual PC for Mac Windows XP Professional Edition: REGEDIT.EXE

=========================================================
File explorer.exe received on 2009.09.22 15:51:06 (UTC)
Current status: finished
Result: 1/39 (2.56%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.22 -
AhnLab-V3 5.0.0.2 2009.09.22 -
AntiVir 7.9.1.23 2009.09.22 -
Antiy-AVL 2.0.3.7 2009.09.22 -
Authentium 5.1.2.4 2009.09.21 -
Avast 4.8.1351.0 2009.09.21 -
AVG 8.5.0.412 2009.09.22 -
BitDefender 7.2 2009.09.22 -
CAT-QuickHeal 10.00 2009.09.22 -
ClamAV 0.94.1 2009.09.22 -
Comodo 2403 2009.09.22 -
DrWeb 5.0.0.12182 2009.09.22 -
eSafe 7.0.17.0 2009.09.22 -
eTrust-Vet 31.6.6753 2009.09.22 -
F-Prot 4.5.1.85 2009.09.21 -
Fortinet 3.120.0.0 2009.09.22 -
GData 19 2009.09.22 -
Ikarus T3.1.1.72.0 2009.09.22 -
K7AntiVirus 7.10.851 2009.09.22 -
Kaspersky 7.0.0.125 2009.09.22 -
McAfee 5749 2009.09.22 -
McAfee+Artemis 5749 2009.09.22 -
McAfee-GW-Edition 6.8.5 2009.09.22 Heuristic.LooksLike.Win32.Luder.K
Microsoft 1.5005 2009.09.22 -
NOD32 4447 2009.09.22 -
Norman 6.01.09 2009.09.22 -
nProtect 2009.1.8.0 2009.09.22 -
Panda 10.0.2.2 2009.09.22 -
PCTools 4.4.2.0 2009.09.22 -
Prevx 3.0 2009.09.22 -
Rising 21.48.14.00 2009.09.22 -
Sophos 4.45.0 2009.09.22 -
Sunbelt 3.2.1858.2 2009.09.22 -
Symantec 1.4.4.12 2009.09.22 -
TheHacker 6.5.0.2.014 2009.09.21 -
TrendMicro 8.950.0.1094 2009.09.22 -
VBA32 3.12.10.10 2009.09.21 -
ViRobot 2009.9.22.1948 2009.09.22 -
VirusBuster 4.6.5.0 2009.09.22 -
Additional information
File size: 1032192 bytes
MD5 : 98d45efddd1a67f90353be8d28ed72db
SHA1 : 451d27cf5c15cf687cb714ce1510a028b9896af9
SHA256: 41e13d26e6ecb6010636a57de897748b0ca53426e6444b9ed6bb681183972295
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1A4DF
timedatestamp.....: 0x416D8FF7 (Wed Oct 13 22:28:39 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x446C9 0x44800 6.36 3a4c66cde3b5dfb063ea294315b79a75
.data 0x46000 0x1DB0 0x1800 1.30 c1fcd85baaad3874d93af93edf92c5b4
.rsrc 0x48000 0xB2268 0xB2400 6.63 f5b76aafcd37aeafa22fd82b085f4410
.reloc 0xFB000 0x36CC 0x3800 6.76 eebbeea80eb2279c3eb39c0da44e9cf8

( 13 imports )


( 0 exports )
TrID : File type identification
60.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.6% (.EXE) Win32 Executable Generic (8527/13/3)
14.7% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
3.9% (.EXE) Generic Win/DOS Executable (2002/3)
3.8% (.EXE) DOS Executable Generic (2000/1)
ssdeep: 12288:B7yEo+D63te1/8ndr/7SoHWr2Rkf8I+skza71/g/J/vaa:B7r1G3te1/smakf8I+skY1/g/J/S
PEiD : -
RDS : NSRL Reference Data Set
-
=======================================================

File wmiprvse.exe received on 2009.12.03 00:35:52 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.02 -
AhnLab-V3 5.0.0.2 2009.12.02 -
AntiVir 7.9.1.92 2009.12.02 -
Antiy-AVL 2.0.3.7 2009.12.02 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.02 -
AVG 8.5.0.426 2009.12.02 -
BitDefender 7.2 2009.12.02 -
CAT-QuickHeal 10.00 2009.12.02 -
ClamAV 0.94.1 2009.12.02 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.02 -
eSafe 7.0.17.0 2009.12.02 -
eTrust-Vet 35.1.7153 2009.12.02 -
F-Prot 4.5.1.85 2009.12.02 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.03 -
GData 19 2009.12.02 -
Ikarus T3.1.1.74.0 2009.12.02 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.910 2009.12.02 -
Kaspersky 7.0.0.125 2009.12.03 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.03 -
Microsoft 1.5302 2009.12.02 -
NOD32 4656 2009.12.02 -
Norman 6.03.02 2009.12.02 -
nProtect 2009.1.8.0 2009.12.02 -
Panda 10.0.2.2 2009.12.02 -
PCTools 7.0.3.5 2009.12.02 -
Prevx 3.0 2009.12.03 -
Rising 22.24.02.09 2009.12.02 -
Sophos 4.48.0 2009.12.02 -
Sunbelt 3.2.1858.2 2009.12.02 -
Symantec 1.4.4.12 2009.12.03 -
TheHacker 6.5.0.2.083 2009.12.01 -
TrendMicro 9.100.0.1001 2009.12.02 -
VBA32 3.12.12.0 2009.12.02 -
ViRobot 2009.12.2.2068 2009.12.02 -
VirusBuster 5.0.21.0 2009.12.02 -
Additional information
File size: 218112 bytes
MD5...: 075ea6c849ab0fe416a3d6dd65c3cf41
SHA1..: 56a88f845a9ff89f038a57ee47800fec9e3eb511
SHA256: cbc897a4e7768967a9ecbde2de9651d59dd7fd6c0017d922d35d600aa6881b2c
ssdeep: 3072:B9P0b6Uqvb/M8Om6p0kcCVQTYTaayFWbb9q1gwpLIcKZHWQxUjT:ba0kcCVmYTaaZY+qEHWcU
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6168
timedatestamp.....: 0x3b0ecabf (Fri May 25 21:12:31 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5cec 0x5e00 6.29 54ba0af44f6fdc0376a0f9ba1fe38a21
.data 0x7000 0x1fb0 0x1a00 4.94 afd0225d328bc041280438ce4552476e
.rsrc 0x9000 0x129c 0x1400 4.90 74595467042073303d051c65525fb9a1

( 9 imports )
> UNIANSI.dll: RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, PostThreadMessageW, RegCreateKeyExW, RegEnumValueW, DispatchMessageW, lstrcpynW, CharNextW, CreateEventW, lstrlenW, PeekMessageW, wsprintfW, LoadStringW, lstrcpyW, LoadLibraryW, RegDeleteValueW, CreateMutexW, lstrcatW, FindWindowW, FormatMessageW, CompareStringW, RegDeleteKeyW, GetShortPathNameW, GetModuleFileNameW, LoadLibraryExW, lstrcmpiW
> KERNEL32.dll: EnterCriticalSection, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetStartupInfoA, InterlockedExchange, LeaveCriticalSection, HeapFree, GetProcessHeap, HeapAlloc, SetLastError, GetUserDefaultLangID, WideCharToMultiByte, InterlockedIncrement, InitializeCriticalSection, DeleteCriticalSection, HeapDestroy, FreeLibrary, MultiByteToWideChar, lstrlenA, SizeofResource, LoadResource, FindResourceW, GetLastError, SetEvent, InterlockedDecrement, CloseHandle, WaitForSingleObject, CreateThread, Sleep, GetCurrentThreadId, GetCommandLineW
> ole32.dll: CoRevokeClassObject, CoRegisterClassObject, CoInitialize, CoCreateInstance, CoTaskMemRealloc, CoUninitialize, CoTaskMemAlloc, CoTaskMemFree
> OLEAUT32.dll: -, -, -, -, -
> COMCTL32.dll: InitCommonControlsEx
> MSVCRT.dll: __p__commode, __dllonexit, _except_handler3, __setusermatherr, _initterm, _adjust_fdiv, _acmdln, exit, __getmainargs, _exit, memcmp, _XcptFilter, memcpy, realloc, memset, _onexit, __p__fmode, __set_app_type, malloc, free, _controlfp
> ADVAPI32.dll: RegCloseKey
> GDI32.dll: DeleteObject
> USER32.dll: MsgWaitForMultipleObjects, MessageBoxW, TranslateMessage, ShowWindow, BringWindowToTop, SetForegroundWindow

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: WMI
original name: Wmiprvse.exe
internal name: Wmiprvse.exe
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:17 PM

Posted 02 December 2009 - 08:45 PM

So it doesn't look that bad. There is something wrong and I'm going to look into it. Meanwhile please give me the following logs:
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please download the following tool on your desktop.
  • Please copy the following file from the clean computer and put it on the root of the C drive of the infected computer.

    c:\windows\system32\drivers\atapi.sys

  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a c:\atapi.sys >log.txt&start log.txt

    A text file (log.txt) will be opened. Please post its content to your reply.
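The `dir` listing above only shows the size and date of the copied atapi.sys, and both can stay unchanged when a driver is modified in place. The following added example (not code from this thread or from any tool it mentions) reads the PE header fields that the VirusTotal PEInfo section earlier reports, the machine type, link timestamp and per-section hashes, so an installed driver can be compared field by field against a known-clean copy. The sample images and all function names are constructed for this example.

```python
import hashlib
import struct


def parse_pe(data):
    """Read the COFF header and section table of a PE image (optional header not needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + i * 40  # section headers follow the optional header
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsiz]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": viradd, "virsiz": virsiz, "rawsiz": rawsiz,
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timestamp": stamp,
            "sha256": hashlib.sha256(data).hexdigest(), "sections": sections}


def compare_drivers(installed, reference):
    """Return the list of differences between an installed driver and a known-clean copy."""
    a, b = parse_pe(installed), parse_pe(reference)
    diffs = []
    if len(installed) != len(reference):
        diffs.append("size %d != %d" % (len(installed), len(reference)))
    for key in ("machine", "timestamp"):
        if a[key] != b[key]:
            diffs.append("%s 0x%x != 0x%x" % (key, a[key], b[key]))
    for sa, sb in zip(a["sections"], b["sections"]):
        if sa != sb:  # same name/layout but different bytes shows up here
            diffs.append("section %s differs" % sa["name"])
    if not diffs and a["sha256"] != b["sha256"]:
        diffs.append("headers and sections match but file bytes differ")
    return diffs


def build_sample_pe(stamp, sections):
    """Construct a minimal PE image for demonstration (constructed sample, not a real driver)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0)
    raw_ptr = len(dos) + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, viradd, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             viradd, len(payload), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(payload)
        body += payload
    return dos + coff + table + body


# Constructed samples: a "clean" image and one whose .text bytes were altered in place.
SAMPLE_CLEAN = build_sample_pe(0x3B0ECABF, [(b".text", 0x1000, b"\x90" * 16), (b".data", 0x7000, b"\0" * 8)])
SAMPLE_PATCHED = build_sample_pe(0x3B0ECABF, [(b".text", 0x1000, b"\xCC" * 16), (b".data", 0x7000, b"\0" * 8)])
```

On a real system the two inputs would be the bytes of the installed driver and of the copy taken from the clean machine; an empty result means the files agree in every field checked.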


#13 jobarb

jobarb
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 02 December 2009 - 10:22 PM

Here are the results:

mbam-log
Malwarebytes' Anti-Malware 1.41
Database version: 3283
Windows 5.1.2600 Service Pack 2

12/2/2009 7:29:00 PM
mbam-log-2009-12-02 (19-29-00).txt

Scan type: Quick Scan
Objects scanned: 116494
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=========================================
------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 8192 (0x2000)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 12320 (0x3020)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 2 (0x2)
AuthenticationCapabilities REG_DWORD 64 (0x40)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: BITS : Background Intelligent Transfer Service
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: NtmsSvc : Removable Storage
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access

------ SVCHOST CURRENTLY RUNNING:

912- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1024- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1192- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- Browser : Computer Browser
- CryptSvc : CryptSvc
- Dhcp : DHCP Client
- dmserver : Logical Disk Manager
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- FastUserSwitchingCompatibility : Fast User Switching Compatibility
- helpsvc : Help and Support
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- srservice : System Restore Service
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- W32Time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates
- WZCSVC : Wireless Zero Configuration

1260- C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
- WudfSvc : Windows Driver Foundation - User-mode Driver Framework

1344- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

1472- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- RemoteRegistry : Remote Registry
- SSDPSRV : SSDP Discovery Service
- WebClient : WebClient

1784- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: ZuneNetworkSvc: Zune Network Sharing Service

upnphost = 1
STOPPED: ZuneNetworkSvc: Zune Network Sharing Service

SSDPSRV = 2
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: ZuneNetworkSvc: Zune Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

LanmanServer = 1
RUNNING: Browser: Computer Browser

LanmanWorkstation = 5
RUNNING: Browser: Computer Browser
STOPPED: Alerter: Alerter
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 2
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: RasAuto: Remote Access Auto Connection Manager

winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 50
RUNNING: AudioSrv: Windows Audio
RUNNING: ccEvtMgr: Symantec Event Manager
RUNNING: ccSetMgr: Symantec Settings Manager
RUNNING: COMSysApp: COM+ System Application
RUNNING: CryptSvc: CryptSvc
RUNNING: dmserver: Logical Disk Manager
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RUNNING: helpsvc: Help and Support
RUNNING: iPod Service: iPod Service
RUNNING: MSDTC: Distributed Transaction Coordinator
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RemoteRegistry: Remote Registry
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: srservice: System Restore Service
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: SymSecurePort: Symantec SecurePort
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: wscsvc: Security Center
RUNNING: WZCSVC: Wireless Zero Configuration
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: CiSvc: Indexing Service
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: HidServ: Human Interface Device Access
STOPPED: Messenger: Messenger
STOPPED: MSIServer: Windows Installer
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RSVP: QoS RSVP
STOPPED: SPBBCSvc: Symantec SPBBCSvc
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TlntSvr: Telnet
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: xmlprov: Network Provisioning Service
STOPPED: ZuneWlanCfgSvc: Zune Wireless Configuration Service

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

==============================
Installation of driver in C drive:

Volume in drive C is MAIN
Volume Serial Number is A62A-C201

Directory of c:\

08/04/2004 00:59 95,360 atapi.sys
1 File(s) 95,360 bytes
0 Dir(s) 126,142,976,000 bytes free

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:17 PM

Posted 03 December 2009 - 02:36 AM

Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Comment:
    start to process
    
    Files to delete:
    C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys
    
    Files to move:
    C:\atapi.sys | c:\windows\system32\drivers\atapi.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#15 jobarb

jobarb
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 03 December 2009 - 08:48 AM

It turns out that that file nunrfrpsbfanhl.sys was reported deleted two days ago, Dec. 1, by Symantec antivirus, which described it as a Hacktool.Rootkit. (Symantec keeps turning itself on; do I want to keep it on while we are doing this?)

And last night, Symantec antivirus also reported deleting another Hacktool.Rootkit file, A0072697.sys. Here is the log:

Risk Action Filename Threat Type Original Location Status Primary Action Secondary Action Logged By Action Description Date
Hacktool.Rootkit Deleted A0072697.sys File C:\SYSTEM~1\_RESTO~1\RP505\ Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully. 12/02/09 09:03 PM
Hacktool.Rootkit Deleted nunrfrpsbfanhl.sys File C:\WINDOWS\system32\drivers\ d Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully. 12/01/09 05:18 PM
============================================

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************



Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File move operation "C:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



