all browsers are being hijacked


This topic is locked
60 replies to this topic

#1 wellsy

wellsy

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:57 AM

Posted 11 January 2010 - 05:35 AM

Hi, my browsers keep redirecting. I have Norton 360 installed and up to date, also Search and Destroy running, and I have run CCleaner, but nothing seems to fix it.
I have followed the directions on this website about malware removal and ran DDS, but was unable to run RootRepeal as it kept making the computer blue screen.
Here is the DDS log; can someone please help? It's very frustrating.

I was just able to run rootrepeal in safemode and I have attached the log file


Edited by wellsy, 11 January 2010 - 06:17 AM.



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:57 AM

Posted 13 January 2010 - 03:22 PM


Hello wellsy, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:



Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Registry
    • Files
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries





Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.





Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 wellsy

wellsy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:57 AM

Posted 16 January 2010 - 11:22 PM

Hi, here are the GMER scan results

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 14:18:57
Windows 6.0.6002 Service Pack 2
Running: 8q0x05wt.exe; Driver: C:\Users\Nikki\AppData\Local\Temp\pglcqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 864162C8 ZwAlertResumeThread
SSDT 864163A8 ZwAlertThread
SSDT 8640C358 ZwAllocateVirtualMemory
SSDT 85A5DE28 ZwAlpcConnectPort
SSDT 86418500 ZwCreateMutant
SSDT 86411390 ZwCreateThread
SSDT 86419430 ZwDebugActiveProcess
SSDT 86412330 ZwFreeVirtualMemory
SSDT 86417388 ZwImpersonateAnonymousToken
SSDT 86417468 ZwImpersonateThread
SSDT 864134B0 ZwMapViewOfSection
SSDT 86418440 ZwOpenEvent
SSDT 85A91118 ZwOpenProcessToken
SSDT 86419510 ZwOpenSection
SSDT 86414500 ZwOpenThreadToken
SSDT 864B8388 ZwResumeThread
SSDT 864142D0 ZwSetContextThread
SSDT 86413358 ZwSetInformationProcess
SSDT 86415458 ZwSetInformationThread
SSDT 86418360 ZwSuspendProcess
SSDT 864164D0 ZwSuspendThread
SSDT 86410410 ZwTerminateProcess
SSDT 86415340 ZwTerminateThread
SSDT 86411310 ZwUnmapViewOfSection
SSDT 86410320 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85453841

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Regards
Greg

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:57 AM

Posted 16 January 2010 - 11:29 PM

Yep, definitely looks like you got the bug. Let's see if we can clean you up.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 wellsy

wellsy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:57 AM

Posted 17 January 2010 - 12:17 AM

Hi, here is the ComboFix log file. I had to restart after running the file as it would not let me open a browser, but it does now after the restart.


ComboFix 10-01-16.02 - Nikki 17/01/2010 14:50:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.1978.930 [GMT 10:00]
Running from: c:\users\Nikki\Documents\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1476304445-892488839-2980733996-500
c:\$recycle.bin\S-1-5-21-3970936570-1358095798-2334366003-500

.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 05:00 . 2010-01-17 05:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-12 08:34 . 2009-12-13 22:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\NAVENG.SYS
2010-01-12 08:34 . 2009-12-13 22:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\EECTRL.SYS
2010-01-12 08:34 . 2009-12-13 22:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\CCERASER.DLL
2010-01-12 08:34 . 2009-12-13 22:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\ECMSVR32.DLL
2010-01-12 08:34 . 2009-12-13 22:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\NAVENG32.DLL
2010-01-12 08:34 . 2009-12-13 22:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\NAVEX32A.DLL
2010-01-12 08:34 . 2009-12-13 22:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\NAVEX15.SYS
2010-01-12 08:34 . 2009-12-13 22:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100111.024\ERASER.SYS
2010-01-11 09:54 . 2010-01-11 09:54 -------- d-----w- c:\program files\Trend Micro
2010-01-11 02:06 . 2009-12-13 22:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVENG.SYS
2010-01-11 02:06 . 2009-12-13 22:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVENG32.DLL
2010-01-11 02:06 . 2009-12-13 22:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVEX32A.DLL
2010-01-11 02:06 . 2009-12-13 22:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVEX15.SYS
2010-01-11 02:06 . 2009-12-13 22:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\ERASER.SYS
2010-01-11 02:06 . 2009-12-13 22:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\EECTRL.SYS
2010-01-11 02:06 . 2009-12-13 22:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\CCERASER.DLL
2010-01-11 02:06 . 2009-12-13 22:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\ECMSVR32.DLL
2010-01-08 23:48 . 2010-01-11 10:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-08 23:48 . 2010-01-09 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-08 23:04 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\SymIDSco.sys
2010-01-08 23:04 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\SymIDSI.dll
2010-01-08 23:04 . 2009-11-20 03:02 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\Scxpx86.dll
2010-01-08 23:04 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\IDSvix86.sys
2010-01-08 23:04 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\IDSxpx86.dll
2010-01-08 23:04 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\IDSviA64.sys
2010-01-08 23:04 . 2009-06-24 16:03 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20100106.001\IDS9xx86.dll
2010-01-05 10:51 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\SymIDSco.sys
2010-01-05 10:51 . 2009-11-20 03:02 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\Scxpx86.dll
2010-01-05 10:51 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\SymIDSI.dll
2010-01-05 10:51 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\IDSvix86.sys
2010-01-05 10:51 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\IDSxpx86.dll
2010-01-05 10:51 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\IDSviA64.sys
2010-01-05 10:51 . 2009-06-24 16:03 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091230.001\IDS9xx86.dll
2010-01-04 04:33 . 2009-12-16 04:42 43008 ----a-w- c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-04 04:33 . 2009-12-16 04:42 872960 ----a-w- c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-04 04:33 . 2009-12-16 04:42 340480 ----a-w- c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-04 04:33 . 2009-12-16 04:41 346624 ----a-w- c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-03 07:50 . 2010-01-03 07:50 -------- d-----w- c:\users\Nikki\AppData\Local\Mozilla
2010-01-01 23:36 . 2010-01-01 23:36 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-01 23:36 . 2010-01-01 23:36 -------- d-----w- c:\windows\system32\IOSUBSYS
2010-01-01 23:35 . 2010-01-01 23:35 33558 ----a-w- c:\programdata\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
2010-01-01 23:34 . 2010-01-01 23:40 -------- d-----w- c:\programdata\Google Updater
2010-01-01 22:48 . 2010-01-01 22:48 -------- d-----w- C:\found.000
2010-01-01 08:38 . 2010-01-01 08:38 -------- d-----w- c:\users\Nikki\AppData\Roaming\Yahoo!
2010-01-01 08:38 . 2010-01-01 23:23 -------- d-----w- c:\program files\Yahoo!
2010-01-01 08:38 . 2010-01-01 08:38 -------- d-----w- c:\program files\CCleaner
2010-01-01 07:15 . 2004-08-03 22:00 506368 ----a-w- c:\windows\system32\msxml.dll
2010-01-01 00:55 . 2010-01-01 00:55 -------- d-----w- c:\users\Nikki\AppData\Roaming\PeerNetworking
2009-12-31 23:27 . 2009-12-31 23:27 -------- d-----w- C:\Intel
2009-12-31 14:11 . 2009-11-02 10:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 08:29 . 2009-02-23 02:08 394240 ----a-w- c:\windows\system32\drivers\stwrt.sys
2009-12-31 08:29 . 2009-02-23 02:08 404992 ----a-w- c:\windows\system32\stcplx.dll
2009-12-31 08:29 . 2009-02-23 02:08 430592 ----a-w- c:\windows\system32\stapi32.dll
2009-12-31 08:27 . 2009-12-31 08:28 -------- d-----w- c:\program files\IDT
2009-12-31 08:26 . 2009-12-13 22:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX32A.DLL
2009-12-31 08:26 . 2009-12-13 22:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX15.SYS
2009-12-31 08:26 . 2009-12-13 22:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG.SYS
2009-12-31 08:26 . 2009-12-13 22:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG32.DLL
2009-12-31 08:26 . 2009-12-13 22:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.SYS
2009-12-31 08:26 . 2009-12-13 22:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\EECTRL.SYS
2009-12-31 08:26 . 2009-12-13 22:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ECMSVR32.DLL
2009-12-31 08:26 . 2009-12-13 22:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2009-12-30 19:46 . 2009-12-30 19:46 -------- d-----w- c:\users\Nikki\AppData\Local\Symantec
2009-12-30 12:55 . 2009-12-30 12:55 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-12-30 12:55 . 2009-12-30 12:55 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-30 12:35 . 2010-01-08 23:50 -------- d-----w- c:\programdata\Lavasoft
2009-12-30 08:48 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\NAVENG.SYS
2009-12-30 08:48 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\EECTRL.SYS
2009-12-30 08:48 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\NAVENG32.DLL
2009-12-30 08:48 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\NAVEX32A.DLL
2009-12-30 08:48 . 2009-08-27 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\NAVEX15.SYS
2009-12-30 08:48 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\ERASER.SYS
2009-12-30 08:48 . 2009-12-13 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\CCERASER.DLL
2009-12-30 08:48 . 2009-11-16 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091229.052\ECMSVR32.DLL
2009-12-28 07:04 . 2009-12-28 07:04 -------- d-----w- c:\windows\Sun
2009-12-28 06:48 . 2009-12-28 06:57 -------- d-----w- c:\users\Nikki\AppData\Roaming\vlc
2009-12-28 06:47 . 2009-12-28 06:47 -------- d-----w- c:\program files\VideoLAN
2009-12-28 04:23 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\NAVEX32A.DLL
2009-12-28 04:23 . 2009-12-13 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\CCERASER.DLL
2009-12-28 04:23 . 2009-11-16 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\ECMSVR32.DLL
2009-12-28 04:23 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\NAVENG.SYS
2009-12-28 04:23 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\EECTRL.SYS
2009-12-28 04:23 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\NAVENG32.DLL
2009-12-28 04:23 . 2009-08-27 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\NAVEX15.SYS
2009-12-28 04:23 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091227.023\ERASER.SYS
2009-12-28 03:09 . 2009-12-28 03:09 -------- d-----w- c:\program files\uTorrent
2009-12-28 03:08 . 2010-01-01 22:55 -------- d-----w- c:\users\Nikki\AppData\Roaming\uTorrent
2009-12-26 11:13 . 2009-12-26 11:14 -------- d-----w- c:\program files\QuickTime
2009-12-18 21:44 . 2009-12-13 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\CCERASER.DLL
2009-12-18 21:44 . 2009-11-16 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\ECMSVR32.DLL
2009-12-18 21:44 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\NAVENG.SYS
2009-12-18 21:44 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\EECTRL.SYS
2009-12-18 21:44 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\NAVENG32.DLL
2009-12-18 21:44 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\NAVEX32A.DLL
2009-12-18 21:44 . 2009-08-27 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\NAVEX15.SYS
2009-12-18 21:44 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp33e9.tmp\ERASER.SYS
2009-12-18 21:44 . 2009-12-17 16:32 1319 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp2b6f.tmp\cur.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 04:42 . 2009-05-20 08:52 6080 ----a-w- c:\users\Nikki\AppData\Local\d3d9caps.dat
2010-01-02 04:03 . 2009-05-18 09:56 -------- d-----w- c:\program files\Google
2010-01-01 22:53 . 2009-05-10 21:53 104952 ----a-w- c:\users\Nikki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-01 11:19 . 2009-03-04 09:09 -------- d-----w- c:\program files\Java
2009-12-16 23:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-16 23:28 . 2009-03-04 07:58 -------- d-----w- c:\programdata\Microsoft Help
2009-12-14 10:10 . 2009-05-31 10:05 -------- d-----w- c:\program files\EA GAMES
2009-12-13 09:00 . 2009-12-14 02:14 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091213.020\CCERASER.DLL
2009-11-21 06:40 . 2009-12-10 07:17 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 07:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 07:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 07:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 03:02 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\symidsco.sys
2009-11-20 03:02 . 2009-11-20 03:02 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\scxpx86.dll
2009-11-20 03:02 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvix86.sys
2009-11-20 03:02 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\SymIDSI.dll
2009-11-20 03:02 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\idsxpx86.dll
2009-11-20 03:02 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvia64.sys
2009-11-19 00:00 . 2009-05-10 22:04 -------- d-----w- c:\users\Nikki\AppData\Roaming\hewlett-packard
2009-11-18 23:56 . 2009-03-04 08:37 -------- d-----w- c:\program files\CyberLink
2009-11-18 23:56 . 2009-04-14 11:17 36864 ----a-w- c:\programdata\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
2009-11-18 23:48 . 2009-03-04 07:13 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-16 09:00 . 2009-12-14 02:14 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091213.020\ECMSVR32.DLL
2009-11-16 03:35 . 2009-11-16 03:35 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-16 03:27 . 2009-11-16 03:27 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 12:31 . 2009-12-16 23:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-16 23:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-16 23:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 09:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-29 09:17 . 2009-11-29 20:25 2048 ----a-w- c:\windows\system32\tzres.dll
2009-03-04 08:30 . 2009-03-04 08:21 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rynvp"="C:" [X]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-12-21 1803064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-28 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-28 154136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-12-24 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-01-01 160752]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-01-01 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~4\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chubd]
C: [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jucuh]
C: [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mbpkd]
C: [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptpdt]
C: [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xjxqq]
C: [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-28 03:09 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):00,44,22,c5,d2,34,ca,01

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20100106.001\IDSvix86.sys [9/01/2010 9:04 AM 286768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\AEstSrv.exe [31/12/2009 6:28 PM 81920]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [19/02/2008 5:37 AM 149352]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [4/03/2009 7:41 PM 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/01/2010 9:48 AM 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [4/03/2009 5:29 PM 222512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/01/2010 5:41 PM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [22/09/2008 3:49 PM 112128]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\System32\drivers\OA004Ufd.sys [3/06/2008 9:30 AM 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\System32\drivers\OA004Vid.sys [17/07/2008 5:01 PM 269760]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 1:31 PM 41008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/12/2009 10:44 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [13/01/2008 12:32 PM 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 12:23 PM 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/01/2010 9:35 AM 30192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-18 23:34]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 12:44]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 12:44]

2010-01-01 c:\windows\Tasks\HPCeeScheduleForNikki.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-04 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-AU\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\
FF - component: c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\5dld431t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1808.5272\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-J8RPLTROBQ - c:\users\Nikki\AppData\Local\Temp\c.exe
MSConfigStartUp-msnmsgr - ~c:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 15:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85459841]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82807d24
\Driver\ACPI -> acpi.sys @ 0x806a0d68
\Driver\atapi -> ataport.SYS @ 0x828dfa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4756)
c:\windows\System32\NLSData0009.dll
.
Completion time: 2010-01-17 15:04:56
ComboFix-quarantined-files.txt 2010-01-17 05:04

Pre-Run: 204,644,589,568 bytes free
Post-Run: 204,585,779,200 bytes free

- - End Of File - - 6A3A1031B027CF8FD5D366C11B53E54E
Regards
Greg


#6 thewall

Posted 17 January 2010 - 01:02 AM

I would have thought there would have been more deletions than there were. Please run GMER once again just like you did the last time and post the log it produces.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 wellsy

Posted 17 January 2010 - 01:34 AM

Hi, please find the 2nd GMER log below. I also had two blue screens while I was doing it; I have put the logs for those on as well.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 16:25:39
Windows 6.0.6002 Service Pack 2
Running: 8q0x05wt.exe; Driver: C:\Users\Nikki\AppData\Local\Temp\pglcqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 85A443C0 ZwAlertResumeThread
SSDT 85A4AA60 ZwAlertThread
SSDT 85A8A3F8 ZwAllocateVirtualMemory
SSDT 859B8150 ZwAlpcConnectPort
SSDT 864363A0 ZwCreateMutant
SSDT 85A1A360 ZwCreateThread
SSDT 8643A468 ZwDebugActiveProcess
SSDT 85AC66D8 ZwFreeVirtualMemory
SSDT 863F24C0 ZwImpersonateAnonymousToken
SSDT 86438420 ZwImpersonateThread
SSDT 85A2D340 ZwMapViewOfSection
SSDT 859D4C60 ZwOpenEvent
SSDT 859D5B10 ZwOpenProcessToken
SSDT 864392F0 ZwOpenSection
SSDT 85A7D390 ZwOpenThreadToken
SSDT 8640E2F0 ZwResumeThread
SSDT 85A5EC88 ZwSetContextThread
SSDT 85A0F580 ZwSetInformationProcess
SSDT 85A5E390 ZwSetInformationThread
SSDT 86439448 ZwSuspendProcess
SSDT 85A3D380 ZwSuspendThread
SSDT 85A1AC68 ZwTerminateProcess
SSDT 85AB1408 ZwTerminateThread
SSDT 85A70B10 ZwUnmapViewOfSection
SSDT 85AC3390 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 85447841

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Blue screen info


Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 3081

Additional information about the problem:
BCCode: 50
BCP1: 9982200B
BCP2: 00000000
BCP3: 80D7FC65
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini011710-02.dmp
C:\Users\Nikki\AppData\Local\Temp\WER-101806-0.sysdata.xml
C:\Users\Nikki\AppData\Local\Temp\WER59D2.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 3081

Additional information about the problem:
BCCode: f4
BCP1: 00000003
BCP2: 981A7C70
BCP3: 981A7DBC
BCP4: 82068650
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini011710-03.dmp
C:\Users\Nikki\AppData\Local\Temp\WER-92414-0.sysdata.xml
C:\Users\Nikki\AppData\Local\Temp\WERB672.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

regards
Greg

#8 thewall

Posted 17 January 2010 - 02:08 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt






#9 wellsy

Posted 17 January 2010 - 02:14 AM

Hi, here is the SystemLook log file.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:09 on 17/01/2010 by Nikki (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [05:02 17/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9\atapi.sys --a--- 21560 bytes [08:30 04/03/2009] [08:30 04/03/2009] 9C0E70031905ADBF94EDB9EA14AF943B
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b7393fc6\atapi.sys --a--- 21560 bytes [08:30 04/03/2009] [08:30 04/03/2009] E26DDFE464B464DAF1C739122978D1D6
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_dbb74a7b3d9afbc1\atapi.sys --a--- 21560 bytes [08:30 04/03/2009] [08:30 04/03/2009] E26DDFE464B464DAF1C739122978D1D6
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_dd6376773aedb5e4\atapi.sys --a--- 21560 bytes [08:30 04/03/2009] [08:30 04/03/2009] 9C0E70031905ADBF94EDB9EA14AF943B
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-

regards
Greg
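Worked over the SystemLook lines above, as an added example that is not part of the thread or of the SystemLook tool: it parses the `:filefind` output and reports which Windows component-store copies (DriverStore, winsxs) are byte-identical to the live `C:\Windows\System32\drivers\atapi.sys` by MD5, and which copies have the same size but different content, the way a driver patched in place would show up. The regex field names and the component-store path filter are this example's own assumptions about the log format.

```python
import re

# SystemLook ":filefind" output, copied from the log posted above. Each line is:
# path, attribute flags, size, two bracketed timestamps, MD5.
SYSTEMLOOK_LINES = r"""
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [05:02 17/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9\atapi.sys --a--- 21560 bytes [08:30 04/03/2009] [08:30 04/03/2009] 9C0E70031905ADBF94EDB9EA14AF943B
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [23:41 13/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

# Field layout assumed from the lines above (path has no spaces in this log).
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<attr>\S+) (?P<size>\d+) bytes "
                     r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")

def parse_filefind(text):
    """Return one dict per SystemLook result line (non-matching lines are skipped)."""
    entries = []
    for m in filter(None, map(LINE_RE.match, (l.strip() for l in text.splitlines()))):
        d = m.groupdict()
        d["size"], d["md5"] = int(d["size"]), d["md5"].upper()
        entries.append(d)
    return entries

def is_component_store_copy(path):
    """Copies kept by Windows itself (DriverStore, winsxs) are the replacement sources."""
    p = path.lower()
    return "\\driverstore\\" in p or "\\winsxs\\" in p

def classify_live_driver(entries, live_path=r"C:\Windows\System32\drivers\atapi.sys"):
    """Compare the live driver with the component-store copies by MD5 and size."""
    live = next(e for e in entries if e["path"].lower() == live_path.lower())
    store = [e for e in entries if is_component_store_copy(e["path"])]
    return {
        "live_md5": live["md5"],
        # Same hash: a byte-identical copy, the natural replacement source.
        "matching_copies": [e["path"] for e in store if e["md5"] == live["md5"]],
        # Same size but different content: how a driver patched in place would look.
        "same_size_different_hash": [e["path"] for e in store
                                     if e["size"] == live["size"] and e["md5"] != live["md5"]],
    }

if __name__ == "__main__":
    for key, value in classify_live_driver(parse_filefind(SYSTEMLOOK_LINES)).items():
        print(key, value)
```

In this thread GMER flagged the live driver even though its on-disk MD5 matches two store copies; a hash computed on the running system can be served through a hooked disk driver, so the match identifies a suitable replacement copy rather than proving the loaded driver is clean.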

#10 thewall

Posted 17 January 2010 - 11:57 AM

You have an infected file we need to replace:

First we need to copy the replacement file to C:\, which we will do from the command prompt.

Open an elevated command window:


First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.


Copy the contents of the code box > right click in the command window and select paste

CODE
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys c:\


press enter

you should see 1 file copied on the screen

type exit to close the command window.

(if you do not see 1 file copied do not continue, but instead post back and let me know.)



Now we need to boot into the Recovery Environment:

Tap F8 on startup and select Repair your computer from the list of startup options.

If Repair your computer is not an option on the Advanced Startup menu, insert your Windows Vista dvd and restart the computer, then when prompted, select Repair your computer
  • select your keyboard layout
  • enter your username and password (if you use one)
  • then the System Recovery Options menu comes up
  • select Command Prompt
It will open to an x:\sources> prompt

(this may vary depending if you boot from cd or an installed RE)


at the X:\sources prompt carefully type the following:


ren c:\windows\system32\drivers\atapi.sys atapi.old
copy c:\atapi.sys c:\windows\system32\drivers\atapi.sys
exit


You should receive a message that "1 file" has been copied.

(If you do not receive a message that 1 file has been copied, the file will need to be renamed back: type
ren c:\windows\system32\drivers\atapi.old atapi.sys and press Enter,
then type exit, reboot the system normally and report this to me.)


Reboot Normally.


Run ComboFix for me again and post the log back here.

#11 wellsy

Posted 17 January 2010 - 04:45 PM

Hi, the command prompt window says the application can't be run in Win32 mode.

regards
Greg

#12 thewall

Posted 17 January 2010 - 05:33 PM

Just so I'm totally clear on it, you are talking about the first part when you tried to copy the file... is that correct?

#13 wellsy

Posted 17 January 2010 - 05:45 PM

Hi, yes, you are correct; I was talking about the first part where I had to run the code in the command prompt window to copy the file.
regards
Greg

#14 thewall

Posted 17 January 2010 - 10:20 PM

Alright let's try this instead:


Go to Start>>Run and type in Notepad. When Notepad opens paste the following text into it.

CODE
ren windows\system32\drivers\atapi.sys atapi.old
copy atapi.sys windows\system32\drivers\atapi.sys



After doing so click on File and then Save. Now browse to your Desktop and save it as fix.bat. NEXT: Select "Save as type" All Files. Click the Save button and exit. Now you will need to go to fix.bat on your Desktop and copy it. After copying you will need to drop the copy at the root of your drive, which would be c:\, so you should have a c:\fix.bat on your machine when done.




Now we need to boot into the Recovery Environment:

Tap F8 on startup and select Repair your computer from the list of startup options.

If Repair your computer is not an option on the Advanced Startup menu, insert your Windows Vista dvd and restart the computer, then when prompted, select Repair your computer
  • select your keyboard layout
  • enter your username and password (if you use one)
  • then the System Recovery Options menu comes up
  • select Command Prompt (Note: Before selecting this please read all of the instructions so you will know what drive letter you will need in the next part)
  • it will open to an x:\sources> prompt





At the x:\sources> prompt, type the following command then hit Enter.

cd /d x: <---- replace the red x with the drive letter of your operating system, as shown in the image above



Assuming your drive letter in RE is C, at the C:\> prompt, type the following command then hit Enter.

fix.bat

You should receive a message that "1 file" has been copied.

If you do not receive a message that 1 file has been copied please let me know prior to rebooting. If you do get the message then reboot normally.


Run ComboFix for me again and post the log back here.

#15 wellsy

Posted 17 January 2010 - 11:04 PM

Hi, when I run fix.bat it says:

The system cannot find the file specified

when I search for *.sys I can't see an atapi file at all either

I am in C: and when I check the dir/w the fix.bat is there.

regards
Greg




