Backdoor.TDSS.565


  • This topic is locked
14 replies to this topic

#1 kris_h

kris_h

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 30 November 2009 - 01:25 AM

Like a few others who have been here before me, I have fallen victim to the Backdoor.TDSS.565 virus, at least that is what Dr. Web is calling it. Like the others, Dr. Web claims to remove it, but it returns in the very next process that is run on the machine. Also I am being redirected from any favorites or any clicks from a Google search.

Others with similar problems have claimed to fix it, but their posts do not give an indication of what needed to be done to make that happen. :(



Here is the requested DDS log:
--------------------------------------

DDS (Ver_09-11-29.01) - NTFSx86
Run by Kris at 23:12:51.75 on Sun 11/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.457 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\cygwin\bin\cygrunsrv.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\SP TimeSync 2.3\SP TimeSync.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kris\Desktop\RootRepeal.exe
C:\Documents and Settings\Kris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SP TimeSync] "c:\program files\sp timesync 2.3\SP TimeSync.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195060634536
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195065413250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-5 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-5 108392]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-12-4 68096]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-5 2477304]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-2-16 1692224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-28 102448]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2007-11-25 10304]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091128.002\NAVENG.SYS [2009-11-28 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091128.002\NAVEX15.SYS [2009-11-28 1323568]
S3 exim;Exim;c:\cygwin\bin\cygrunsrv.exe [2007-12-4 68096]
S3 radmrdd;radmrdd;c:\windows\system32\drivers\radmrdd.sys --> c:\windows\system32\drivers\radmrdd.sys [?]

=============== Created Last 30 ================

2009-11-30 05:19:01 0 d-sha-r- C:\cmdcons
2009-11-29 20:32:44 0 ----a-w- c:\documents and settings\kris\_dvarchive_.run
2009-11-29 07:26:10 0 d-----w- c:\documents and settings\kris\DoctorWeb
2009-11-29 06:38:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-29 06:38:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-11-29 06:37:39 0 d-----w- c:\program files\Trend Micro
2009-11-28 22:02:20 77312 ----a-w- c:\windows\MBR.exe
2009-11-28 21:59:30 389120 ----a-w- c:\windows\system32\CF9230.exe
2009-11-28 19:38:58 0 d-----w- c:\docume~1\kris\applic~1\Malwarebytes
2009-11-28 19:38:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 19:38:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 19:38:49 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-11-28 19:38:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 18:49:21 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-28 02:20:32 0 d-----w- C:\RECYCLER(2)
2009-11-02 03:11:46 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-02 03:11:46 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-02 03:11:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-02 03:11:46 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-02 03:11:26 1060864 ----a-w- c:\windows\system32\MFC71.DLL

==================== Find3M ====================

2009-11-29 06:27:08 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-29 05:52:35 87616 ----a-w- c:\windows\PSSDNSVC.EXE
2009-11-28 20:36:38 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.old
2009-11-14 08:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-09-02 15:37:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090220080903\index.dat

============= FINISH: 23:13:54.01 ===============


Thanks in advance for your help.

Kris


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:07 AM

Posted 30 November 2009 - 11:14 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
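The custom-scan lines in the post above ask OTL to hash (`/md5`) every copy of each listed driver or DLL found anywhere under the system drive (`/s`). Windows normally keeps several identical copies of these files (the live one under system32\drivers plus the dllcache and ServicePackFiles copies), so a copy that hashes differently from its siblings is a strong hint that it has been patched on disk. The DDS log in post #1 shows atapi.sys modified on 2009-11-29 with an atapi.sys.old beside it, which is the kind of thing this scan is meant to surface. The Python script below is an added example and is not part of the original thread or of OTL itself: it walks a directory tree, MD5s every copy of the watched names, and reports names whose copies disagree. The sample tree it builds in a temp directory is constructed purely for the demonstration (one 'atapi.sys' with a few bytes changed alongside two clean copies); the watched file names are taken from the scan list above.

```python
"""Hash every copy of a set of driver/DLL names under a root (the idea
behind OTL's "/s /md5" custom scan) and flag names whose copies disagree."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Names taken from the OTL custom scan in the post above (lowercased).
WATCHED = {
    "atapi.sys", "iastor.sys", "nvstor.sys", "eventlog.dll",
    "scecli.dll", "netlogon.dll", "agp440.sys",
}

def md5_file(path, chunk=1 << 16):
    """MD5 of a file, streamed so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_copies(root, names=WATCHED):
    """Walk root recursively; return {lowercase name: {path: md5}}."""
    found = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in names:
                p = os.path.join(dirpath, fn)
                found[fn.lower()][p] = md5_file(p)
    return found

def mismatches(copies):
    """Names whose copies do not all share one hash -> sorted [(path, md5)].
    Several copies normally exist (system32\\drivers, dllcache,
    ServicePackFiles) and should be byte-identical; a lone differing copy in
    the live driver directory is what a helper wants to look at first."""
    bad = {}
    for name, per_path in copies.items():
        if len(set(per_path.values())) > 1:
            bad[name] = sorted(per_path.items())
    return bad

def build_sample_tree():
    """Constructed sample tree (not from the original post): two clean copies
    of atapi.sys plus one live copy with a few bytes overwritten, and two
    identical copies of agp440.sys that must NOT be flagged."""
    root = tempfile.mkdtemp()
    clean = b"\x4d\x5a" + b"\x00" * 200 + b"ATAPI DRIVER" + b"\x00" * 100
    patched = bytearray(clean)
    patched[150:158] = b"\xe9\x00\x10\x00\x00\x90\x90\x90"  # arbitrary stand-in for an on-disk patch
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): bytes(patched),
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): clean,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): clean,
        os.path.join("WINDOWS", "system32", "dllcache", "agp440.sys"): b"AGP" * 50,
        os.path.join("WINDOWS", "system32", "drivers", "agp440.sys"): b"AGP" * 50,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

def scan_sample():
    """Build the sample tree and return (root, mismatch report)."""
    root = build_sample_tree()
    return root, mismatches(hash_copies(root))

if __name__ == "__main__":
    root, report = scan_sample()
    for name, entries in report.items():
        print(f"{name}: {len(entries)} copies disagree under {root}")
        for path, digest in entries:
            print(f"  {digest}  {path}")
```

Run as-is it reports only atapi.sys, since the agp440.sys copies match. Pointing hash_copies() at a real system drive gives the real comparison, but do that from a clean boot environment (a recovery disc or the drive mounted on another machine): a kernel-mode rootkit running on the infected system can intercept file reads and hand back the original bytes, so hashes taken from inside the live system may not reflect what is actually on disk.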

#3 kris_h

kris_h
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 01 December 2009 - 01:49 AM

Here are the requested logs:


OTL.txt------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 11/30/2009 10:32:41 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Kris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 636.39 Mb Available Physical Memory | 62.18% Memory free
1.66 Gb Paging File | 1.30 Gb Available in Paging File | 78.69% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.31 Gb Total Space | 141.94 Gb Free Space | 76.19% Space Free | Partition Type: NTFS
Drive D: | 74.52 Gb Total Space | 34.38 Gb Free Space | 46.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Kris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/30 22:32:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kris\Desktop\OTL.exe
PRC - [2009/10/05 11:36:42 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/10/05 11:36:42 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/10/05 11:36:40 | 02,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/10/05 11:36:40 | 01,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/10/05 11:36:40 | 01,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/08/26 22:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/07/25 04:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/29 22:22:36 | 01,692,224 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2008/11/20 11:18:27 | 00,310,272 | ---- | M] () -- C:\cygwin\usr\sbin\sshd.exe
PRC - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 03:28:46 | 00,068,096 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe
PRC - [2008/01/11 22:16:38 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2007/03/21 15:39:24 | 00,373,760 | ---- | M] () -- C:\Program Files\UPSMON\UPSMON_Service.exe
PRC - [2006/09/17 10:32:16 | 01,352,704 | ---- | M] (Kana Solution) -- C:\Program Files\DynDNS Updater\DynDNS.exe
PRC - [2006/01/15 14:28:00 | 00,090,112 | ---- | M] () -- C:\Program Files\SP TimeSync 2.3\SP TimeSync.exe
PRC - [2003/10/06 15:16:00 | 00,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe


========== Modules (SafeList) ==========

MOD - [2009/11/30 22:32:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kris\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/10/05 11:36:42 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/10/05 11:36:42 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/10/05 11:36:40 | 02,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/10/05 11:36:40 | 01,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/10/05 11:36:40 | 00,341,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/13 12:06:15 | 03,093,880 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/12/29 22:22:36 | 01,692,224 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\WinVNC.exe -- (uvnc_service)
SRV - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/03/18 03:28:46 | 00,068,096 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe -- (sshd)
SRV - [2008/03/18 03:28:46 | 00,068,096 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe -- (exim)
SRV - [2007/03/21 15:39:24 | 00,373,760 | ---- | M] () -- C:\Program Files\UPSMON\UPSMON_Service.Exe -- (UPSMONService)
SRV - [2006/09/17 10:32:16 | 01,352,704 | ---- | M] (Kana Solution) -- C:\Program Files\DynDNS Updater\DynDNS.exe -- (DynDNS_Updater_Service)
SRV - [2003/10/06 15:16:00 | 00,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\S-1-5-21-1275210071-2000478354-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005..\Run: [SP TimeSync] C:\Program Files\SP TimeSync 2.3\SP TimeSync.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1275210071-2000478354-839522115-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1195060634536 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1195065413250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/14 09:34:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/14 09:34:00 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17736372391510016)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/30 22:32:01 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kris\Desktop\OTL.exe
[2009/11/29 22:48:15 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Kris\Desktop\RootRepeal.exe
[2009/11/29 22:31:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/29 22:19:01 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/29 00:26:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kris\DoctorWeb
[2009/11/28 23:38:53 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/28 23:38:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2009/11/28 23:37:39 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/28 23:15:42 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/11/28 12:38:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kris\Application Data\Malwarebytes
[2009/11/28 12:38:51 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/28 12:38:49 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/28 12:38:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2009/11/28 12:38:48 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/28 11:48:16 | 00,000,000 | ---D | C] -- C:\RECYCLER
[2009/11/27 19:20:32 | 00,000,000 | ---D | C] -- C:\RECYCLER(2)
[2009/11/27 19:10:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/27 17:05:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kris\My Documents\PcSetup
[2009/11/27 16:46:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kris\My Documents\Regshot
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/11/30 22:32:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kris\Desktop\OTL.exe
[2009/11/30 22:31:09 | 03,670,016 | ---- | M] () -- C:\Documents and Settings\Kris\ntuser.dat
[2009/11/30 22:29:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/30 22:28:31 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/30 22:28:27 | 10,732,70784 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/29 23:26:33 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Kris\ntuser.ini
[2009/11/29 23:19:06 | 00,004,203 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\Attach.zip
[2009/11/29 23:12:48 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\dds.scr
[2009/11/29 22:49:44 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\settings.dat
[2009/11/29 22:48:48 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Kris\Desktop\RootRepeal.exe
[2009/11/29 22:33:39 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\Kris\Local Settings\Application Data\IconCache.db
[2009/11/29 22:27:57 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/29 22:19:12 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/29 21:32:20 | 03,571,933 | R--- | M] () -- C:\Documents and Settings\Kris\Desktop\Harris.exe
[2009/11/29 13:32:44 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Kris\_dvarchive_.run
[2009/11/29 00:24:33 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml
[2009/11/29 00:23:33 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml~
[2009/11/28 23:38:58 | 00,000,940 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\Spybot - Search & Destroy.lnk
[2009/11/28 23:37:40 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\HijackThis.lnk
[2009/11/28 23:34:46 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_1
[2009/11/28 23:23:20 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_2
[2009/11/28 23:06:11 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_3
[2009/11/28 22:52:35 | 00,087,616 | ---- | M] (Systems Internals) -- C:\WINDOWS\PSSDNSVC.EXE
[2009/11/28 19:53:46 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_4
[2009/11/28 19:52:46 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_5
[2009/11/28 19:44:45 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_6
[2009/11/28 19:10:43 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_7
[2009/11/28 18:10:42 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_8
[2009/11/28 14:57:32 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_9
[2009/11/28 14:00:31 | 00,034,198 | ---- | M] () -- C:\Documents and Settings\Kris\DVArchive.xml_10
[2009/11/28 13:36:38 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys.old
[2009/11/28 13:19:58 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Kris\Desktop\clydzsjx.exe
[2009/11/28 12:38:54 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/28 11:58:30 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/28 08:07:42 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\Hibernate.job
[2009/11/28 03:54:20 | 02,736,341 | ---- | M] () -- C:\Documents and Settings\Kris\DVA_TV.xml
[2009/11/27 19:52:28 | 00,000,466 | ---- | M] () -- C:\Documents and Settings\Kris\My Documents\test.reg
[2009/11/27 17:59:15 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/27 15:55:01 | 00,000,302 | ---- | M] () -- C:\WINDOWS\tasks\Wake Up.job
[2009/11/23 03:54:13 | 02,532,994 | ---- | M] () -- C:\Documents and Settings\Kris\DVA_TV.xml~
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/29 23:19:06 | 00,004,203 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\Attach.zip
[2009/11/29 22:48:49 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\settings.dat
[2009/11/29 22:44:01 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\dds.scr
[2009/11/29 22:34:39 | 10,732,70784 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/29 21:32:14 | 03,571,933 | R--- | C] () -- C:\Documents and Settings\Kris\Desktop\Harris.exe
[2009/11/29 13:32:44 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Kris\_dvarchive_.run
[2009/11/28 23:38:58 | 00,000,940 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\Spybot - Search & Destroy.lnk
[2009/11/28 23:37:40 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\HijackThis.lnk
[2009/11/28 23:12:01 | 00,731,136 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\avenger.exe
[2009/11/28 15:02:20 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/28 13:48:47 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Kris\Desktop\clydzsjx.exe
[2009/11/28 12:38:54 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/28 11:27:52 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/28 11:27:47 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/27 19:52:28 | 00,000,466 | ---- | C] () -- C:\Documents and Settings\Kris\My Documents\test.reg
[2009/11/27 17:05:16 | 00,000,033 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\pcouffin.log
[2009/11/25 23:45:10 | 03,670,016 | ---- | C] () -- C:\Documents and Settings\Kris\ntuser.dat
[2009/07/11 19:23:50 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/07/11 19:23:50 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/17 22:15:03 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\Kris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/04 19:16:45 | 00,000,562 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\AutoGK.ini
[2008/02/12 22:19:05 | 00,000,711 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.recentf
[2008/02/12 22:18:23 | 00,001,392 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.emacs.desktop
[2007/12/12 00:55:33 | 00,000,281 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.history
[2007/12/10 17:04:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/12/06 22:35:05 | 00,000,467 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.emacs-places
[2007/12/06 22:33:45 | 00,018,216 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.emacs~
[2007/12/06 22:30:41 | 00,018,215 | ---- | C] () -- C:\Documents and Settings\Kris\Application Data\.emacs
[2007/12/04 22:23:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/11/14 10:09:32 | 00,003,265 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/11/14 10:09:30 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2003/10/06 15:16:00 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/03/31 05:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys.old
[2002/10/15 15:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

========== LOP Check ==========

[2009/08/23 16:35:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Maxtor
[2007/12/06 22:05:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kris\Application Data\.emacs.d
[2008/08/04 19:48:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kris\Application Data\ImgBurn
[2007/11/30 21:30:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kris\Application Data\Kana Solution
[2009/02/07 14:33:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kris\Application Data\Notepad++
[2009/02/16 00:04:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kris\Application Data\TeamViewer
[2009/11/28 08:07:42 | 00,000,356 | ---- | M] () -- C:\WINDOWS\Tasks\Hibernate.job
[2009/11/27 15:55:01 | 00,000,302 | ---- | M] () -- C:\WINDOWS\Tasks\Wake Up.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 00:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 00:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/04 00:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 22:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2009/11/28 23:27:08 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/11/28 23:27:08 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/11/28 23:27:08 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 23:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 11:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >
< End of report >





Extras.txt----------------------------------------------------------------------------------------------------------


OTL Extras logfile created on: 11/30/2009 10:32:41 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Kris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 636.39 Mb Available Physical Memory | 62.18% Memory free
1.66 Gb Paging File | 1.30 Gb Available in Paging File | 78.69% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.31 Gb Total Space | 141.94 Gb Free Space | 76.19% Space Free | Partition Type: NTFS
Drive D: | 74.52 Gb Total Space | 34.38 Gb Free Space | 46.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Kris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"22:TCP" = 22:TCP:*:Enabled:OpenSSH
"5900:TCP" = 5900:TCP:*:Enabled:vnc5900
"5800:TCP" = 5800:TCP:*:Enabled:vnc5800

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\UltraVNC\winvnc.exe" = C:\Program Files\UltraVNC\winvnc.exe:LocalSubNet:Enabled:UltraVNC Server -- (UltraVNC)
"C:\Program Files\UltraVNC\vncviewer.exe" = C:\Program Files\UltraVNC\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)
"C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{16E74020-1961-4907-AB62-11B6F5B13324}" = WakeOnLan
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 15
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{315F5FFC-1A5C-4A2A-B8E7-1C5B1174C198}_is1" = AML Free Registry Cleaner 4.15
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45D8FEAB-DA1C-4A42-AD3C-45FBC24041BB}" = avi.NET
"{5CEBCEE1-1405-4B87-87B2-4A85A0297EB1}" = pgc.NET v2.0.0.0
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F87EE6E7-AB46-4A13-821D-3CFF24443CF5}" = SP TimeSync 2.3
"7-Zip" = 7-Zip 4.57
"AC3Filter_is1" = AC3Filter 1.61b
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AutoGK" = Auto Gordian Knot 2.48b
"avi.NET 2.6.5.0" = avi.NET 2.6.5.0
"AviSynth" = AviSynth 2.5
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
"DynDNS Updater_is1" = DynDNS Updater 3.1
"FairUse Wizard_is1" = FairUse Wizard 2.6
"getPlus®_ocx" = getPlus®_ocx
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImgBurn" = ImgBurn
"JBidwatcher_0" = JBidwatcher 2
"JBidwatcher_1" = JBidwatcher 2
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mp3splt" = mp3splt
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"Ultravnc2_is1" = UltraVNC 1.0.5.3
"VLC media player" = VideoLAN VLC media player 0.8.6c
"VobSub" = VobSub v2.23 (Remove Only)
"Windows XP Service Pack" = Windows XP Service Pack 3
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/28/2009 3:12:52 PM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.FakeAV in File: c:\Documents and Settings\All
Users.WINDOWS\Application Data\Symantec\SRTSP\Quarantine\APQ17.tmp by: Manual scan.
Action: Cleaned by Deletion. Action Description: The file was deleted successfully.



Error - 11/28/2009 5:57:17 PM | Computer Name = SERVER | Source = Application Error | ID = 1000
Description = Faulting application clydzsjx.exe, version 1.0.15.15252, faulting
module clydzsjx.exe, version 1.0.15.15252, fault address 0x0005c857.

Error - 11/28/2009 7:35:24 PM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pidief.E in File: C:\Documents and Settings\Kris\Local
Settings\Temporary Internet Files\Content.IE5\AAXA1P70\pdf[1].pdf by: Auto-Protect
scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.



Error - 11/28/2009 7:35:53 PM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pidief.E in File: C:\Documents and Settings\Kris\Local
Settings\Temporary Internet Files\Content.IE5\P8HU532E\pdf[1].pdf by: Auto-Protect
scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.



Error - 11/28/2009 7:36:13 PM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Infostealer in File: C:\Documents and Settings\Kris\Local
Settings\Temporary Internet Files\Content.IE5\DF56Z3EZ\feedback[1].php by: Auto-Protect
scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.



Error - 11/28/2009 10:12:17 PM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pidief.E in File: C:\Documents and Settings\All
Users.WINDOWS\Application Data\Symantec\SRTSP\Quarantine\APQ9B9.tmp by: Auto-Protect
scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.



Error - 11/29/2009 2:41:39 AM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Bloodhound.PDF.18 in File: C:\Documents and Settings\Kris\Local
Settings\Temporary Internet Files\Content.IE5\051EG96P\oH21524d0aV0100f070006R461cf825102T6a405a7b201l0409317[1].pdf
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 11/29/2009 4:42:52 PM | Computer Name = SERVER | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 11/29/2009 5:43:05 PM | Computer Name = SERVER | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 11/29/2009 6:43:00 PM | Computer Name = SERVER | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

[ System Events ]
Error - 11/30/2009 1:16:40 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7031
Description = The Symantec Endpoint Protection service terminated unexpectedly.
It has done this 3 time(s). The following corrective action will be taken in 10000
milliseconds: Restart the service.

Error - 11/30/2009 1:16:44 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7031
Description = The Symantec Event Manager service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 200 milliseconds:
Restart the service.

Error - 11/30/2009 1:16:44 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7031
Description = The Symantec Settings Manager service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 100
milliseconds: Restart the service.

Error - 11/30/2009 1:16:52 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7031
Description = The Symantec Event Manager service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 200 milliseconds:
Restart the service.

Error - 11/30/2009 1:16:52 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7031
Description = The Symantec Settings Manager service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 100
milliseconds: Restart the service.

Error - 11/30/2009 1:33:40 AM | Computer Name = SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/30/2009 1:34:52 AM | Computer Name = SERVER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/30/2009 1:34:52 AM | Computer Name = SERVER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/1/2009 1:28:55 AM | Computer Name = SERVER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/1/2009 1:28:55 AM | Computer Name = SERVER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >




GMER.log
--------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 23:47:08
Windows 5.1.2600 Service Pack 3
Running: clydzsjx.exe; Driver: C:\DOCUME~1\Kris\LOCALS~1\Temp\kwldypob.sys


---- System - GMER 1.0.15 ----

SSDT 86C622E0 ZwAlertResumeThread
SSDT 86C62468 ZwAlertThread
SSDT 86D83DF0 ZwAllocateVirtualMemory
SSDT 86F06FB0 ZwConnectPort
SSDT 86C74EE8 ZwCreateMutant
SSDT 86EFAB40 ZwCreateThread
SSDT 86F09AF8 ZwFreeVirtualMemory
SSDT 86C62070 ZwImpersonateAnonymousToken
SSDT 86C62148 ZwImpersonateThread
SSDT 86E5CF18 ZwMapViewOfSection
SSDT 86C61E70 ZwOpenEvent
SSDT 86C62C00 ZwOpenProcessToken
SSDT 86C565C0 ZwOpenThreadToken
SSDT 86C63310 ZwResumeThread
SSDT 86C628D0 ZwSetContextThread
SSDT 865DF160 ZwSetInformationProcess
SSDT 86C4E6D8 ZwSetInformationThread
SSDT 86C61CD8 ZwSuspendProcess
SSDT 86C625D8 ZwSuspendThread
SSDT 86C62D88 ZwTerminateProcess
SSDT 86C62758 ZwTerminateThread
SSDT 86C62A68 ZwUnmapViewOfSection
SSDT 868843D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F8 804E2754 4 Bytes CALL 8FD4EEA7
.text ntoskrnl.exe!_abnormal_termination + 198 804E27F4 1 Byte [F8]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7728A0C]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6885340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86F5A618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Kris

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:07 AM

Posted 01 December 2009 - 08:20 AM

Let's try this new tool that was just released.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 kris_h

kris_h
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:07 AM

Posted 01 December 2009 - 09:35 AM

Well, I was excited to see that this app seemed to find and potentially correct the TDSS virus found in atapi.sys. I rebooted the computer as instructed and ran the internet. Within three clicks I was still being re-directed to some other web page that I did not wish to go to. Maybe I have two problems, or maybe it still isn't fixed; not sure.

As an additional test, once I re-booted the computer and grabbed the log file for this post, I re-ran the TDSSKiller App. It found the same virus in the same atapi.sys file. So it appears that after a re-boot the virus is able to re-infect that file.

The log file posted is from the first time I ran the TDSSKiller app, although the second log looks identical.


Here is the log from TDSSKiller--------------------------------------------

7:22:59:937 368 ForceUnloadDriver: NtUnloadDriver error 2
7:22:59:937 368 ForceUnloadDriver: NtUnloadDriver error 2
7:22:59:937 368 ForceUnloadDriver: NtUnloadDriver error 2
7:22:59:968 368 main: Driver KLMD successfully dropped
7:23:0:0 368 main: Driver KLMD successfully loaded
7:23:0:0 368
Scanning Registry ...
7:23:0:0 368 ScanServices: Searching service UACd.sys
7:23:0:0 368 ScanServices: Open/Create key error 2
7:23:0:0 368 ScanServices: Searching service TDSSserv.sys
7:23:0:0 368 ScanServices: Open/Create key error 2
7:23:0:0 368 ScanServices: Searching service gaopdxserv.sys
7:23:0:0 368 ScanServices: Open/Create key error 2
7:23:0:0 368 ScanServices: Searching service gxvxcserv.sys
7:23:0:0 368 ScanServices: Open/Create key error 2
7:23:0:0 368 ScanServices: Searching service MSIVXserv.sys
7:23:0:0 368 ScanServices: Open/Create key error 2
7:23:0:15 368 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
7:23:0:15 368 UnhookRegistry: Kernel local addr: 1030000
7:23:0:15 368 UnhookRegistry: KeServiceDescriptorTable addr: 10B3220
7:23:0:15 368 UnhookRegistry: KiServiceTable addr: 103B6A8
7:23:0:15 368 UnhookRegistry: NtEnumerateKey service number (local): 47
7:23:0:15 368 UnhookRegistry: NtEnumerateKey local addr: 10CC5A4
7:23:0:15 368 KLMD_OpenDevice: Trying to open KLMD device
7:23:0:15 368 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
7:23:0:15 368 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
7:23:0:15 368 UnhookRegistry: NtEnumerateKey service number (kernel): 47
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
7:23:0:15 368 UnhookRegistry: NtEnumerateKey real addr: 805735A4
7:23:0:15 368 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
7:23:0:15 368 UnhookRegistry: No SDT hooks found on NtEnumerateKey
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]
7:23:0:15 368 UnhookRegistry: No splicing found on NtEnumerateKey
7:23:0:15 368
Scanning Kernel memory ...
7:23:0:15 368 KLMD_OpenDevice: Trying to open KLMD device
7:23:0:15 368 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
7:23:0:15 368 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
7:23:0:15 368 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F10A08
7:23:0:15 368 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
7:23:0:15 368 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86F31C68
7:23:0:15 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F31C68
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0x86F31C68[0x38]
7:23:0:15 368 DetectCureTDL3: DRIVER_OBJECT addr: 86F10A08
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0x86F10A08[0xA8]
7:23:0:15 368 KLMD_ReadMem: Trying to ReadMemory 0xE1017978[0x208]
7:23:0:15 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
7:23:0:15 368 DetectCureTDL3: IrpHandler (0) addr: F76B5BB0
7:23:0:15 368 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (2) addr: F76B5BB0
7:23:0:15 368 DetectCureTDL3: IrpHandler (3) addr: F76AFD1F
7:23:0:15 368 DetectCureTDL3: IrpHandler (4) addr: F76AFD1F
7:23:0:15 368 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (9) addr: F76B02E2
7:23:0:15 368 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (14) addr: F76B03BB
7:23:0:15 368 DetectCureTDL3: IrpHandler (15) addr: F76B3F28
7:23:0:15 368 DetectCureTDL3: IrpHandler (16) addr: F76B02E2
7:23:0:15 368 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (22) addr: F76B1C82
7:23:0:15 368 DetectCureTDL3: IrpHandler (23) addr: F76B699E
7:23:0:15 368 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
7:23:0:15 368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
7:23:0:15 368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
7:23:0:46 368 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86FD29F0
7:23:0:46 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD29F0
7:23:0:46 368 KLMD_ReadMem: Trying to ReadMemory 0x86FD29F0[0x38]
7:23:0:46 368 DetectCureTDL3: DRIVER_OBJECT addr: 86F10A08
7:23:0:46 368 KLMD_ReadMem: Trying to ReadMemory 0x86F10A08[0xA8]
7:23:0:46 368 KLMD_ReadMem: Trying to ReadMemory 0xE1017978[0x208]
7:23:0:46 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
7:23:0:46 368 DetectCureTDL3: IrpHandler (0) addr: F76B5BB0
7:23:0:46 368 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (2) addr: F76B5BB0
7:23:0:46 368 DetectCureTDL3: IrpHandler (3) addr: F76AFD1F
7:23:0:46 368 DetectCureTDL3: IrpHandler (4) addr: F76AFD1F
7:23:0:46 368 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (9) addr: F76B02E2
7:23:0:46 368 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (14) addr: F76B03BB
7:23:0:46 368 DetectCureTDL3: IrpHandler (15) addr: F76B3F28
7:23:0:46 368 DetectCureTDL3: IrpHandler (16) addr: F76B02E2
7:23:0:46 368 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (22) addr: F76B1C82
7:23:0:46 368 DetectCureTDL3: IrpHandler (23) addr: F76B699E
7:23:0:46 368 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
7:23:0:46 368 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
7:23:0:46 368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
7:23:0:46 368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
7:23:0:62 368 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86F3DAB8
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F3DAB8
7:23:0:62 368 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86EF29E8
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EF29E8
7:23:0:62 368 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86FD9B00
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD9B00
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86FD9B00[0x38]
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT addr: 86F1C158
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86F1C158[0xA8]
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0xE1015310[0x208]
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
7:23:0:62 368 DetectCureTDL3: IrpHandler (0) addr: F75E26F2
7:23:0:62 368 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (2) addr: F75E26F2
7:23:0:62 368 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (14) addr: F75E2712
7:23:0:62 368 DetectCureTDL3: IrpHandler (15) addr: F75DE852
7:23:0:62 368 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (22) addr: F75E273C
7:23:0:62 368 DetectCureTDL3: IrpHandler (23) addr: F75E9336
7:23:0:62 368 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
7:23:0:62 368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
7:23:0:62 368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
7:23:0:62 368 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86F32AB8
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F32AB8
7:23:0:62 368 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86F83F18
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F83F18
7:23:0:62 368 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86F11940
7:23:0:62 368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F11940
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86F11940[0x38]
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT addr: 86EFF258
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86EFF258[0xA8]
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86F83030[0x38]
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86F1C158[0xA8]
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0xE1015310[0x208]
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
7:23:0:62 368 DetectCureTDL3: IrpHandler (0) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (1) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (2) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (3) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (4) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (5) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (6) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (7) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (8) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (9) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (10) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (11) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (12) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (13) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (14) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (15) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (16) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (17) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (18) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (19) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (20) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (21) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (22) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (23) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (24) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (25) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (26) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: All IRP handlers pointed to one addr: 86F5A618
7:23:0:62 368 KLMD_ReadMem: Trying to ReadMemory 0x86F5A618[0x400]
7:23:0:62 368 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
7:23:0:62 368 Driver atapi infected by TDSS rootkit ... 7:23:0:62 368 TDL3_HookCure: Processing driver in memory: atapi
7:23:0:62 368 KLMD_WriteMem: Trying to WriteMemory 0x86F5A67D[0xD]
7:23:0:62 368 cured
7:23:0:62 368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
7:23:0:62 368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
7:23:0:78 368
Completed

Results:
7:23:0:78 368 Infected / Cured drivers in memory: 1 / 1
7:23:0:78 368 Infected / Cured drivers on disk: 0 / 0
7:23:0:78 368 Files deleted on next reboot: 0
7:23:0:78 368 Registry nodes deleted on next reboot: 0
7:23:0:78 368



Hope that helps.
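The line that decides this log, "All IRP handlers pointed to one addr: 86F5A618", is the detection rule worth understanding. A DRIVER_OBJECT carries one dispatch routine per IRP major function; the clean atapi instance above spreads them between its own image (the F75Exxxx entries) and a kernel-resident routine (804FA87E sits in the ntoskrnl range the log reports at 804D7000), whereas the infected instance has every one of its 27 entries pointing at one address in the same region as the driver and device objects themselves, not in the driver's image. The script below is an added example, not part of the thread and not TDSSKiller's code: it parses lines in the format posted above (the sample is a shortened excerpt constructed from the posted log, four handlers per stack instead of 27), re-derives that rule per device stack, and cross-checks whether one driver name shows up with two different dispatch tables.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the TDSSKiller log posted above. The
# addresses are the ones that appear in the thread; handler lists are cut to
# four entries per device stack to keep the sample short. The repeated
# "2 Curr stack" line reproduces how the tool walks down through lower device
# objects before it reaches the one that owns the dispatch table.
SAMPLE_LOG = r"""
7:23:0:15 368 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86F31C68
7:23:0:15 368 DetectCureTDL3: DRIVER_OBJECT addr: 86F10A08
7:23:0:15 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
7:23:0:15 368 DetectCureTDL3: IrpHandler (0) addr: F76B5BB0
7:23:0:15 368 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
7:23:0:15 368 DetectCureTDL3: IrpHandler (2) addr: F76B5BB0
7:23:0:15 368 DetectCureTDL3: IrpHandler (3) addr: F76AFD1F
7:23:0:62 368 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86F3DAB8
7:23:0:62 368 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86FD9B00
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT addr: 86F1C158
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
7:23:0:62 368 DetectCureTDL3: IrpHandler (0) addr: F75E26F2
7:23:0:62 368 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: IrpHandler (2) addr: F75E26F2
7:23:0:62 368 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
7:23:0:62 368 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86F11940
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT addr: 86EFF258
7:23:0:62 368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
7:23:0:62 368 DetectCureTDL3: IrpHandler (0) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (1) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (2) addr: 86F5A618
7:23:0:62 368 DetectCureTDL3: IrpHandler (3) addr: 86F5A618
"""

STACK_RE = re.compile(r"DetectCureTDL3: (\d+) Curr stack PDEVICE_OBJECT: ([0-9A-F]+)")
DRVOBJ_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT addr: ([0-9A-F]+)")
NAME_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-F]+)")


def parse_tdsskiller(text):
    """Return one record per device-stack entry that actually listed IRP handlers."""
    records, cur = [], None
    for line in text.splitlines():
        m = STACK_RE.search(line)
        if m:
            cur = {"stack": int(m.group(1)), "device": m.group(2),
                   "driver_object": None, "name": None, "handlers": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = DRVOBJ_RE.search(line)
        if m:
            cur["driver_object"] = m.group(1)
            continue
        m = NAME_RE.search(line)
        if m:
            cur["name"] = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m:
            cur["handlers"][int(m.group(1))] = m.group(2)
    # Entries without handlers are intermediate hops down the device stack; drop them.
    return [r for r in records if r["handlers"]]


def assess(record):
    """The rule TDSSKiller itself logged: every IRP_MJ handler resolving to one address."""
    addrs = set(record["handlers"].values())
    if len(record["handlers"]) >= 2 and len(addrs) == 1:
        return "SUSPICIOUS: all %d IRP handlers point to %s" % (len(record["handlers"]), addrs.pop())
    return "ok"


def find_suspicious(records):
    return [r for r in records if assess(r) != "ok"]


def inconsistent_drivers(records):
    """Driver names seen with more than one distinct dispatch table -> number of tables."""
    tables = defaultdict(set)
    for r in records:
        tables[r["name"]].add(frozenset(r["handlers"].values()))
    return {name: len(t) for name, t in tables.items() if len(t) > 1}


def main():
    records = parse_tdsskiller(SAMPLE_LOG)
    for r in records:
        print("stack %d %-6s DRIVER_OBJECT %s: %s" % (r["stack"], r["name"], r["driver_object"], assess(r)))
    print("drivers with conflicting dispatch tables:", inconsistent_drivers(records))


if __name__ == "__main__":
    main()
```

To run it over a real capture, feed the file contents to parse_tdsskiller. The single-address rule on its own is not proof: a legitimate pass-through filter driver can register one routine for every major function, which is why the posted log follows the hit with a TDL3_HookDetect read of the code at that address before declaring the driver infected. The inconsistent_drivers cross-check is cheap corroboration: the same \Driver\atapi name should not present two different dispatch tables in one scan.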

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 01 December 2009 - 06:10 PM

Open up this folder.

C:\WINDOWS\system32\Drivers

and locate the atapi.sys file.

Now drag atapi.sys to your desktop.
Wait about 10 seconds and then hit F5 on your keyboard.
Look to see if a new atapi.sys file is created in the Drivers folder.

IMPORTANT STEP - If you don't see a new atapi.sys created after hitting F5 you must drag atapi.sys back from your desktop into the Drivers folder again.
If this is the case, then don't bother with the next step. Just post back here and we'll proceed differently.




Please visit the online Virustotal Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\dllcache\atapi.sys


  • The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Edited by Buckeye_Sam, 01 December 2009 - 06:12 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 kris_h (Topic Starter; Members, 8 posts)

Posted 02 December 2009 - 01:56 AM

Yes, moving the file to the desktop invoked Windows to make a new copy in the drivers directory. That much worked.

Interesting results. Only two scanners say it is a virus, but I guess that is two more than we want. But it seems that there is more than just this file because before I asked your team for help, I noticed atapi.sys was flagged by GMER so I got a clean version of the file and replaced it in the system32 directory. Running GMER after that still showed the file being "suspicious". Interestingly Dr. Web flagged the old file (I renamed it atapi.sys.old before copying over a new one) as having a virus and claimed to have fixed it, but did not flag the new version of atapi.sys, and still does not, as evidenced below in the log. Just for kicks I ran VirusTotalScanner on the atapi.sys.old file and got only one hit from McAfee-GW-Edition.

Also Dr.Web always flags a process in memory as being infected and then "Eradicates" it. Then the next process that is started no matter what it is, becomes infected with TDSS. I guess that is what TDSS does.


Here is the log:



File atapi.sys received on 2009.12.02 06:27:39 (UTC)


Result: 2/41 (4.88%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.02 -
AhnLab-V3 5.0.0.2 2009.12.02 -
AntiVir 7.9.1.88 2009.12.01 -
Antiy-AVL 2.0.3.7 2009.12.02 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.01 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.02 -
CAT-QuickHeal 10.00 2009.12.02 -
ClamAV 0.94.1 2009.12.02 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.12.01 Win32.Rootkit
eTrust-Vet 35.1.7151 2009.12.01 -
F-Prot 4.5.1.85 2009.12.01 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.02 -
GData 19 2009.12.02 -
Ikarus T3.1.1.74.0 2009.12.02 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.02 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.02 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.12.01 -
NOD32 4653 2009.12.02 -
Norman 6.03.02 2009.12.01 -
nProtect 2009.1.8.0 2009.12.02 -
Panda 10.0.2.2 2009.12.01 -
PCTools 7.0.3.5 2009.12.02 -
Prevx 3.0 2009.12.02 -
Rising 22.24.02.03 2009.12.02 -
Sophos 4.48.0 2009.12.02 -
Sunbelt 3.2.1858.2 2009.12.02 -
Symantec 1.4.4.12 2009.12.02 -
TheHacker 6.5.0.2.083 2009.12.01 -
TrendMicro 9.100.0.1001 2009.12.02 -
VBA32 3.12.12.0 2009.12.02 -
ViRobot 2009.12.2.2066 2009.12.02 -
VirusBuster 5.0.21.0 2009.12.01 -
Additional information
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch


Hope that helps.

#8 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 02 December 2009 - 08:57 AM

We need to find a clean copy of the file. Submit each of these to the virus scanner and let me know which ones come up as infected and which are clean.

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
C:\WINDOWS\ERDNT\cache\atapi.sys
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\drivers\atapi.sys



========================================================

#9 kris_h (Topic Starter; Members, 8 posts)

Posted 02 December 2009 - 12:47 PM

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys - Virus found by McAfee
C:\WINDOWS\ERDNT\cache\atapi.sys - Virus found by eSafe / McAfee
C:\WINDOWS\ServicePackFiles\i386\atapi.sys - Virus found by eSafe / McAfee
C:\WINDOWS\system32\drivers\atapi.sys - Virus found by eSafe / McAfee


When I saw that I started to wonder if this is a false positive. I went over to my computer that is working fine. I scanned these same files, and they were all also flagged by eSafe and McAfee as having a potential virus.

I then went to my work computer, which is behind a massive firewall and constantly scanned by two virus scanners. It also scans all web content as it passes through the firewall. The atapi.sys file on that computer shows as infected by eSafe and McAfee.

I wonder if everyone running Service Pack 3 would show up as having a potential virus using VirusTotal.

I tried to find a Service Pack 3 version of atapi.sys on the web, but was unsuccessful. My Windows XP CD is Service Pack 1, and the file size in I386 is nearly half the size of the Service Pack 3 file that I tested on the 3 other machines. For that reason, I did not dare copy it over to the infected machine and try to use it, although it did scan fine.


But I am still being redirected on this computer and not on the others, so there is a difference somewhere.

Kris
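Buckeye_Sam's request to scan the four stored copies of atapi.sys, and kris_h's finding that every one of them (and the copies on two clean machines) trips the same two heuristic engines, show that AV verdicts alone cannot separate a patched driver from a clean one. Nor can size: the ComboFix log in this thread lists the infected atapi.sys and the restored copy at 96512 bytes each. What does separate them is where the bytes differ. The following Python is an added example, not something the participants ran and not part of any tool named here: it parses the PE section table (the same "( 9 sections )" data VirusTotal printed above), hashes each section, and compares the copies section by section, so a patch-style infection shows up as one differing section in one copy while the others agree. It runs on constructed in-memory images; the four paths are used only as labels and no real driver file is read.

```python
import hashlib
import struct


def pe_sections(data):
    """Parse the PE section table: returns [(name, raw_offset, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return sections


def pe_timestamp(data):
    """COFF TimeDateStamp, the 'timedatestamp' field VirusTotal printed above."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def section_digests(data):
    """SHA-256 of each section's raw bytes, keyed by section name."""
    return {name: hashlib.sha256(data[ptr:ptr + size]).hexdigest()
            for name, ptr, size in pe_sections(data)}


def diff_copies(copies):
    """For every section whose bytes are not identical across all copies,
    map digest -> list of copy labels carrying that digest."""
    per_section = {}
    for label, data in copies.items():
        for name, digest in section_digests(data).items():
            per_section.setdefault(name, {}).setdefault(digest, []).append(label)
    return {name: groups for name, groups in per_section.items() if len(groups) > 1}


def outliers(copies):
    """Copies whose content is in the minority for at least one section."""
    odd = set()
    for groups in diff_copies(copies).values():
        majority = max(groups.values(), key=len)
        for labels in groups.values():
            if labels is not majority:
                odd.update(labels)
    return sorted(odd)


# --- constructed test data: a throwaway PE builder, not a loadable driver ---
def build_sample_pe(sections, timestamp=0x4802539D):
    """Build a minimal PE carrying the given {name: bytes} sections; only the
    headers pe_sections() needs are filled in (hypothetical helper for the demo)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, body, raw_ptr = bytearray(), bytearray(), 0x200
    for name, content in sections.items():
        raw_size = (len(content) + 0x1FF) & ~0x1FF             # 512-byte file alignment
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(content), raw_ptr, raw_size, raw_ptr)
        table += b"\0" * 16                                     # relocs/linenumbers/characteristics unused
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes((dos + coff + table).ljust(0x200, b"\0") + body)


def constructed_copies():
    """The four paths Buckeye_Sam listed, filled with constructed images: three
    identical and one whose .rsrc bytes differ while the file size stays the same."""
    good = {".text": b"\xCC" * 600, ".rdata": b"IDE/ATAPI Port Driver",
            ".rsrc": b"VS_VERSION_INFO" + b"\0" * 300}
    patched = dict(good)
    patched[".rsrc"] = b"VS_VERSION_INFO" + b"\xEB" * 300      # same length, different bytes
    return {
        r"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys": build_sample_pe(good),
        r"C:\WINDOWS\ERDNT\cache\atapi.sys": build_sample_pe(good),
        r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys": build_sample_pe(good),
        r"C:\WINDOWS\system32\drivers\atapi.sys": build_sample_pe(patched),
    }


if __name__ == "__main__":
    copies = constructed_copies()
    print("sizes:", sorted({len(d) for d in copies.values()}))
    for name, groups in diff_copies(copies).items():
        for digest, labels in groups.items():
            print("%-6s %s... %s" % (name, digest[:12], labels))
    print("outliers:", outliers(copies))
```

On a real machine, read each path with open(path, "rb").read() and pass the dict to diff_copies. One caveat when interpreting the result: $NtServicePackUninstall$ holds the pre-service-pack build of the file, so it will legitimately differ from the SP3 copies in every section and in the COFF timestamp; compare pe_timestamp() first and group copies of the same build. A patch-style modification is the opposite pattern, one section changed in one copy with everything else identical.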

#10 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 02 December 2009 - 07:15 PM

I think you're right. There may be some false positives in that analysis.
We need to run Combofix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


========================================================

#11 kris_h (Topic Starter; Members, 8 posts)

Posted 02 December 2009 - 09:34 PM

Ok. I am absolutely stunned. Combofix found and seemingly corrected the atapi.sys file. Although I don't know what "Kitty ate it" is.

I must have run Combofix 4 or 5 times (yes, yes, I know that Combofix is not something to play with) but I did, and it never found anything. Then today, it finds a rootkit, reboots, and everything seems to work.

The only thing I can think of, is that between Combofix 09-11-29.03 and 09-12-02.05 it has been updated to look for this problem. Otherwise, I must be going crazy.

Anyway, thank heavens for Combofix and the work that is done to maintain it.

Here is the Combofix log..

Oh ya, I also ran a VirusTotal on the new atapi.sys from Combofix, and yes the same two scanners still show a false positive. So, at least I wasn't crazy with that.

Let me know if you want me to do anything else.

Combofix.txt:


ComboFix 09-12-02.05 - Kris 12/02/2009 19:05.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.700 [GMT -7:00]
Running from: c:\documents and settings\Kris\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-11-29 07:26 . 2009-11-29 18:12 -------- d-----w- c:\documents and settings\Kris\DoctorWeb
2009-11-29 06:38 . 2009-11-29 07:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-29 06:38 . 2009-11-29 06:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-29 06:37 . 2009-11-29 06:37 -------- d-----w- c:\program files\Trend Micro
2009-11-28 21:59 . 2009-11-28 21:58 389120 ----a-w- c:\windows\system32\CF9230.exe
2009-11-28 19:38 . 2009-11-28 19:38 -------- d-----w- c:\documents and settings\Kris\Application Data\Malwarebytes
2009-11-28 19:38 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 19:38 . 2009-11-28 19:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-11-28 19:38 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 19:38 . 2009-11-28 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 18:49 . 2009-11-28 18:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-28 02:20 . 2009-11-28 18:48 -------- d-----w- C:\RECYCLER(2)
2009-11-08 16:10 . 2009-11-08 16:10 -------- d-----w- c:\documents and settings\Kris\Local Settings\Application Data\clone.AD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 16:07 . 2003-03-31 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-02 15:23 . 2007-12-01 04:30 -------- d-----w- c:\program files\DynDNS Updater
2009-11-29 05:52 . 2009-08-26 02:48 87616 ----a-w- c:\windows\PSSDNSVC.EXE
2009-11-28 20:36 . 2003-03-31 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.old
2009-11-23 06:04 . 2008-08-03 22:10 -------- d-----w- c:\program files\avi.NET
2009-11-08 05:01 . 2007-11-25 06:30 13512 ----a-w- c:\documents and settings\Kris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 03:13 . 2009-01-18 02:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-02 03:12 . 2009-01-18 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-10-05 18:36 . 2009-10-05 18:36 89600 ----a-w- c:\windows\system32\atl71.dll
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-28_22.27.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-03 02:04 . 2009-12-03 02:04 16384 c:\windows\temp\Perflib_Perfdata_188.dat
+ 2003-03-31 12:00 . 2009-12-02 16:07 96512 c:\windows\system32\dllcache\atapi.sys
- 2003-03-31 12:00 . 2009-11-28 20:36 96512 c:\windows\system32\dllcache\atapi.sys
+ 2007-11-14 16:36 . 2009-12-03 01:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-14 16:36 . 2009-11-28 19:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-14 16:36 . 2009-12-03 01:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-14 16:36 . 2009-11-28 19:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP TimeSync"="c:\program files\SP TimeSync 2.3\SP TimeSync.exe" [2006-01-15 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-05 115560]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22:TCP"= 22:TCP:OpenSSH
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [2/16/2009 12:50 AM 1692224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/28/2009 11:53 AM 102448]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [11/25/2007 9:20 PM 10304]
S2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [12/4/2007 11:18 PM 68096]
S3 exim;Exim;c:\cygwin\bin\cygrunsrv.exe [12/4/2007 11:18 PM 68096]
S3 radmrdd;radmrdd;c:\windows\system32\DRIVERS\radmrdd.sys --> c:\windows\system32\DRIVERS\radmrdd.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Hibernate.job
- c:\documents and settings\Kris\My Documents\hibernate.bat [2009-08-26 03:58]

2009-11-27 c:\windows\Tasks\Wake Up.job
- c:\documents and settings\Kris\My Documents\wakeup.bat [2009-08-26 03:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 19:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-02 19:12
ComboFix-quarantined-files.txt 2009-12-03 02:12
ComboFix2.txt 2009-11-30 05:08
ComboFix3.txt 2009-11-29 04:22
ComboFix4.txt 2009-11-28 22:31
ComboFix5.txt 2009-11-30 05:18

Pre-Run: 152,459,444,224 bytes free
Post-Run: 152,443,392,000 bytes free

- - End Of File - - 599342859EFC6696470E48B636D8F43D


Thanks.
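Reading a ComboFix log like the one above means pulling the autostart entries, the firewall exceptions and the service list out of the "Reg Loading Points" section and deciding which ones need a second look. The following is an added example, not code from the thread or from ComboFix: a small parser that does that extraction from a constructed sample in the same line format (the sample below is a cut-down copy written for this example, not the poster's full log). Two things it assumes: that a trailing `[?]` on a service line marks a service whose image file ComboFix could not find on disk, and the list of remote-access ports it flags (22, 23, 3389, 5500, 5800, 5900) is the author's own choice, not anything from the thread.

```python
"""Triage helpers for ComboFix-style log sections (added example, constructed input)."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of a ComboFix "Reg Loading Points" section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-05 115560]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22:TCP"= 22:TCP:OpenSSH
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [2/16/2009 12:50 AM 1692224]
S3 radmrdd;radmrdd;c:\windows\system32\DRIVERS\radmrdd.sys --> c:\windows\system32\DRIVERS\radmrdd.sys [?]
"""


class RunEntry(NamedTuple):
    key: str      # registry key the value lives under
    name: str     # value name
    path: str     # resolved image path (ComboFix prints "value - resolved path" when they differ)
    size: int     # file size ComboFix reported


class OpenPort(NamedTuple):
    port: int
    proto: str
    label: str


class Service(NamedTuple):
    start: str          # R2/S3 etc.: running/stopped and start type
    name: str
    path: str
    file_missing: bool  # True when the line ends in "[?]" (assumed meaning: file not found)


RUN_KEY_RE = re.compile(r'^\[(.*\\CurrentVersion\\Run)\]$')
RUN_ENTRY_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"(?:\s+-\s+(.+?))?\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[(.*)\]$')

# Ports that expose remote control of the host; assumed list chosen for this example.
REMOTE_ACCESS_PORTS = {22, 23, 3389, 5500, 5800, 5900}


def parse_run_entries(log: str) -> List[RunEntry]:
    """Collect values under any ...\\CurrentVersion\\Run key in the log."""
    entries: List[RunEntry] = []
    key = None
    for line in log.splitlines():
        m = RUN_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith('['):      # any other section header ends the Run block
            key = None
            continue
        if key is None:
            continue
        m = RUN_ENTRY_RE.match(line)
        if m:
            name, value, resolved, _date, size = m.groups()
            entries.append(RunEntry(key, name, resolved or value, int(size)))
    return entries


def parse_open_ports(log: str) -> List[OpenPort]:
    """Globally open ports from the Windows Firewall section."""
    matches = (PORT_RE.match(line) for line in log.splitlines())
    return [OpenPort(int(p), proto, label) for p, proto, label in
            (m.groups() for m in matches if m)]


def parse_services(log: str) -> List[Service]:
    """Service/driver lines of the form 'R2 name;display;path [date size]'."""
    services: List[Service] = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, path, info = m.groups()
        missing = info.strip() == '?'
        if '-->' in path:                      # "registered path --> looked-up path"
            path = path.split('-->')[-1].strip()
        services.append(Service(start, name, path, missing))
    return services


def triage(log: str) -> Dict[str, List[str]]:
    """Summarise what a reviewer would check first."""
    findings: Dict[str, List[str]] = {
        'remote_access_ports': [], 'services_with_missing_file': [], 'autostarts': []}
    for p in parse_open_ports(log):
        if p.port in REMOTE_ACCESS_PORTS:
            findings['remote_access_ports'].append(f'{p.port}/{p.proto} ({p.label})')
    for s in parse_services(log):
        if s.file_missing:
            findings['services_with_missing_file'].append(f'{s.name}: {s.path}')
    findings['autostarts'] = [f'{e.name} -> {e.path}' for e in parse_run_entries(log)]
    return findings


if __name__ == '__main__':
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print('  ', item)
```

Run it on a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file contents. The point of the port check is exactly the situation in this thread: SSH and VNC listeners that are open through the firewall are legitimate here because the owner installed them, but a reviewer has to confirm that rather than assume it, and a service whose image file is gone (the `[?]` case) is either stale or something a cleaner already removed.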

#12 Buckeye_Sam (Malware Expert)
Members, 17,382 posts, Pickerington, Ohio

Posted 03 December 2009 - 08:48 AM

Combofix gets updated frequently in an effort to stay on top of these variants that come out all the time. Good to see it did the trick for us.

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 kris_h (Topic Starter)
Members, 8 posts

Posted 07 December 2009 - 12:05 PM

Bump. Sorry, I have not been ignoring your post on purpose, I just got wrapped up in a few things. I will run Cleanup tonight. Thanks.

I will let you know how it goes.

#14 kris_h (Topic Starter)
Members, 8 posts

Posted 08 December 2009 - 12:56 AM

Ok. I ran cleanup. Disabled and Re-enabled Restore. So it looks like I am done.

One thing to note. Today my Symantec scanner found a copy of the atapi.sys file that I made while trying different things, and cleaned it. So it took a while, but even they can now find and clean the virus I had.

Thanks for everything.

#15 Buckeye_Sam (Malware Expert)
Members, 17,382 posts, Pickerington, Ohio

Posted 08 December 2009 - 09:50 AM

I'd be willing to bet that it found the copy of atapi.sys that was in quarantine by Combofix. Funny how it can remove it then.

Now that your problem appears to be resolved, this topic will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this topic in your request.


========================================================
