Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IN DIRE NEED


  • This topic is locked This topic is locked
25 replies to this topic

#1 Roached1

Roached1

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 17 January 2010 - 03:44 PM

Ok..

I have gone through various checks with Boopme over in the "Am I infected..What do I do?" forum.

Brief background: About two weeks ago I started seeing redirects from Google. I also encountered the "NT Authority\SYSTEM" shutdown countdown window. The "countdown" had only happened twice. Since working with Boopme I haven't encountered it again (yet...if it is still there or not...not sure).

As I mentioned I worked with Boopme and ran various checks and was guided here by him.

I have just ran the DDS reports..two of them (one attached as a .zip file as suggested) and the RootRepeal Log (below the first dds report).

I hope to move further and get this computer healed again.

I love this site and appreciate all and any help from you guys.

Thank you so much in advance!

First DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Doody at 13:24:34.43 on Sun 01/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.733 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doody\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2010-01-15 11:08:29 1888 ----a-w- c:\windows\system32\tmp.reg
2010-01-15 00:52:37 0 d-----w- c:\program files\ESET
2010-01-14 11:19:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-13 00:00:53 0 d-----w- C:\3922fe47631a2b1131e7
2010-01-12 12:46:38 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-03 15:33:58 0 dc-h--w- c:\windows\ie8
2010-01-03 15:31:05 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-03 15:31:05 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-03 15:30:45 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-02 02:57:58 0 d-----w- c:\program files\common files\DirectX
2010-01-02 02:33:33 0 d-----w- C:\AeriaGames
2010-01-01 21:53:04 0 d-----w- c:\program files\DNA
2010-01-01 21:53:04 0 d-----w- c:\docume~1\doody\applic~1\DNA
2009-12-23 20:52:18 32720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-23 20:35:03 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-23 20:35:03 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-23 20:34:06 0 d-----w- c:\program files\iPod
2009-12-23 20:34:02 0 d-----w- c:\program files\iTunes
2009-12-23 20:34:02 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-23 20:33:33 0 d-----w- c:\program files\Bonjour
2009-12-23 20:32:15 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-23 20:32:15 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2010-01-15 02:25:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-15 02:25:51 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 12:31:15 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-29 07:46:51 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-29 07:45:35 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:33 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2008-12-09 02:56:58 88 --sh--r- c:\windows\system32\6B6A5F3764.sys

============= FINISH: 13:26:10.85 ===============


RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/17 13:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA685A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\doody\local settings\temp\~df1a0f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\doody\local settings\temp\~df1ccd.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\doody\application data\superantispyware.com\superantispyware\applogs\superantispyware-1-17-2010( 13-44-17 ).sdb
Status: Allocation size mismatch (API: 16384, Raw: 4096)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa73870b0

==EOF==







BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 19 January 2010 - 08:35 PM

Hello Roached1 smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to run another ARK scan for me. Also when you post the reply let me know if you have done any work on replacing any atapi.sys files since your infection began.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.



    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files





Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 20 January 2010 - 07:42 AM

Hey Wall....Thanks in advance for your help.

I ran both reports last night. I let the GMer run overnight, and sometime during the course of the evening, my system auto-updated and re-started itself by the time I woke up this morning. So..I ran both reports again this morning and re-saved the new files.

As far as the atapi.sys files; I don't recall Boopme having me change anything with it. He ran me through various tools such as: Atf Cleaner, SUPER ANTISPYWARE, Malwarebytes, ESET, SmitFraudfix & GooredFix before handing me off to you.
Here are the new saved files:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/20 05:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA62FF000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Doody\Cookies\doody@quantserve[1].txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Doody\Cookies\doody@scorecardresearch[1].txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Doody\Cookies\doody@www.bleepingcomputer[1].txt
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\doody\local settings\temp\~dfb8db.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!

Path: c:\documents and settings\doody\local settings\application data\microsoft\internet explorer\recovery\active\{e62ffd16-05b3-11df-8049-001320ed2ba1}.dat
Status: Size mismatch (API: 9728, Raw: 8704)

Path: C:\Documents and Settings\Doody\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{05F3F284-05B3-11DF-8049-001320ED2BA1}.dat
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Doody\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{2339F13A-05B4-11DF-8049-001320ED2BA1}.dat
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa6f520b0

==EOF==





and finally...Gmer





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-20 06:31:21
Windows 5.1.2600 Service Pack 3
Running: f99oh2uy.exe; Driver: C:\DOCUME~1\Doody\LOCALS~1\Temp\pwloapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA6F520B0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A5982D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 896A7841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 20 January 2010 - 10:41 AM

That was good, you got me what I wanted to see.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 20 January 2010 - 10:20 PM

Evening Wall....

Was worried about running ComboFix after reading other posts. BUT....read the instructions...followed word-for-word.....and finally got the end-results that said would be there... thumbup.gif

I am going to re-activate my antivirus, malware & spyware programs.....I hope that this is ok.

Here is the combo log:


ComboFix 10-01-20.04 - Doody 01/20/2010 20:58:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.852 [GMT -6:00]
Running from: c:\documents and settings\Doody\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\Seekdns
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dllcache\ieframe.dll.mui
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-19 12:43 . 2010-01-21 01:14 -------- d-----w- c:\documents and settings\Doody\Tracing
2010-01-19 12:36 . 2010-01-19 12:36 -------- d-----w- c:\program files\Microsoft
2010-01-19 12:36 . 2010-01-19 12:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-19 12:32 . 2010-01-19 12:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-17 20:09 . 2010-01-17 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-15 00:52 . 2010-01-15 00:52 -------- d-----w- c:\program files\ESET
2010-01-14 11:21 . 2010-01-14 11:21 52224 ----a-w- c:\documents and settings\Doody\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 11:21 . 2010-01-14 11:21 117760 ----a-w- c:\documents and settings\Doody\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 11:19 . 2010-01-14 11:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-14 11:17 . 2010-01-14 11:17 -------- d-sh--w- c:\documents and settings\Administrator.DJJYVZ91\IETldCache
2010-01-13 00:00 . 2010-01-13 00:00 -------- d-----w- C:\3922fe47631a2b1131e7
2010-01-12 12:46 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 03:06 . 2010-01-05 03:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-04 15:25 . 2010-01-04 15:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-03 15:33 . 2010-01-03 15:35 -------- dc-h--w- c:\windows\ie8
2010-01-03 15:31 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-03 15:31 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-03 15:30 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-02 02:57 . 2010-01-02 02:57 -------- d-----w- c:\program files\Common Files\DirectX
2010-01-02 02:33 . 2010-01-02 02:33 -------- d-----w- C:\AeriaGames
2010-01-01 21:53 . 2010-01-01 21:53 -------- d-----w- c:\documents and settings\Doody\Local Settings\Application Data\DNA
2010-01-01 21:53 . 2010-01-21 03:05 -------- d-----w- c:\program files\DNA
2010-01-01 21:53 . 2010-01-21 03:05 -------- d-----w- c:\documents and settings\Doody\Application Data\DNA
2009-12-23 20:52 . 2009-12-23 20:52 32720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-23 20:35 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-23 20:35 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-23 20:34 . 2009-12-23 20:34 -------- d-----w- c:\program files\iPod
2009-12-23 20:34 . 2009-12-23 20:35 -------- d-----w- c:\program files\iTunes
2009-12-23 20:34 . 2009-12-23 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-23 20:33 . 2009-12-23 20:33 -------- d-----w- c:\program files\Bonjour
2009-12-23 20:32 . 2009-12-23 20:33 -------- d-----w- c:\program files\QuickTime
2009-12-23 20:32 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-23 20:32 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 02:41 . 2008-07-04 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-20 09:17 . 2009-04-19 15:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 12:43 . 2006-07-12 00:28 34232 ----a-w- c:\documents and settings\Doody\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 12:42 . 2008-09-04 11:30 -------- d-----w- c:\program files\Windows Live
2010-01-18 05:01 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 11:20 . 2008-07-04 13:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 11:20 . 2008-07-04 13:17 -------- d-----w- c:\documents and settings\Doody\Application Data\SUPERAntiSpyware.com
2010-01-10 22:51 . 2008-07-04 15:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 22:51 . 2008-07-12 12:07 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2008-08-05 08:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-07-04 15:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 12:31 . 2008-05-11 18:53 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-06 12:31 . 2008-05-11 18:53 104 --sh--r- c:\windows\system32\64375F6A6B.sys
2009-12-26 16:54 . 2006-05-16 15:43 -------- d-----w- c:\program files\MUSICMATCH
2009-12-23 20:38 . 2009-11-25 13:41 -------- d-----w- c:\documents and settings\Doody\Application Data\Apple Computer
2009-12-23 20:34 . 2009-11-25 12:27 -------- d-----w- c:\program files\Common Files\Apple
2009-12-23 20:34 . 2009-11-25 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-25 12:52 . 2009-11-25 12:35 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-11-25 12:51 . 2006-05-16 15:44 -------- d-----w- c:\program files\Common Files\Real
2009-11-25 12:26 . 2009-11-25 12:26 -------- d-----w- c:\program files\Apple Software Update
2009-11-25 12:26 . 2009-11-25 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2008-12-09 02:56 . 2008-08-15 11:23 88 --sh--r- c:\windows\system32\6B6A5F3764.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-20 2335880]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-01 323392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-16 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 14:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-11-20 19:51 2335880 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Explorer]
2009-03-08 20:09 638816 ----a-w- c:\program files\Internet Explorer\iexplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-03 11:59 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2008 3:07 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2008 3:07 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 5:22 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 5:22 AM 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 21:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-20 21:11:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 03:11
ComboFix2.txt 2008-07-04 16:02

Pre-Run: 56,034,701,312 bytes free
Post-Run: 56,201,183,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BCAA81A7AEFBEA2F087C4A08D5E22BE1


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 20 January 2010 - 10:45 PM

Appears ComboFix found quite a bit which is good. Re-enabling your security programs was fine.


Let's run a scan next.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 21 January 2010 - 07:42 PM

Sorry Wall.....

Started the scan this morning...then had to go to work and the scan was still running...

Nonetheless...here is the log for the Kapersky scan:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, January 21, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 21, 2010 10:55:34
Records in database: 3353640
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\

Scan statistics:
Objects scanned: 54335
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:57:57


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.


#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 21 January 2010 - 08:10 PM

No problem at all. Scan looks good, the only thing there is a qoobox quarantine which is part of ComboFix and will be gone when we uninstall it.


Your Add/Remove list shows you have AVG 8.5 which is outdated. The new one is AVG 9.0. Once they go to new versions they no longer support the old ones with updates so it is important to make sure you update to a new version of antivirus. I provided a link to a new version of AVG as well as others if you would like to take a look at them.


For a free anti-virus please follow one of these links:


AVG

Avira

Avast(Mouse over Free Software in the upper right corner)

Panda Cloud

Microsoft Security Essentials complete with installation videos









Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.




Let me know when you have completed this and we will finish up.









If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 21 January 2010 - 10:48 PM

Hey Wall....

Downloaded AVG 9.0 and updated Java.

AVG went ok...but things on the computer acted screwy with the Java update.

First off...AVG asked if I should enable it (AVG) to act as the firewall instead of windows...I accepted...is this ok?

Next...everything that was written out on your instructions on the Java update wasn't there. It never asked about my platform...my language..windows offline installlation...etc....It just basically took over and ran its installation.

Is there anyway to run some kind of scan for a log that you can read to ensure that everything went ok? I just don't feel as confident as I have up to this point.

Please let me know what you think.

Thanks.

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 21 January 2010 - 11:24 PM

I may have to update my instructions for Java. I haven't checked it out lately and things could have changed some. As far as using AVG as a firewall that sounds OK, I wonder if that is new because I don't recall that being there before.

If you would like to you can run DDS one more time and just give me the logs and I'll check out the Java question or you can go to your Add/Remove and it should show what version you have now.


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 22 January 2010 - 06:30 AM

Thanks Wall...

I just want to make sure I get everything right so I can set a restore point and have no worries.

Here is the DDS Log for your review:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Doody at 5:00:23.59 on Fri 01/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.663 [GMT -6:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doody\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-21 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-21 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-21 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-21 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-1-21 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-21 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-21 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-21 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-21 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-21 25736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-21 30104]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-22 03:32:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-22 02:50:59 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 02:50:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 02:50:58 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-18 05:01:19 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-18 05:01:19 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 12:31:15 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-29 07:46:51 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-12-09 02:56:58 88 --sh--r- c:\windows\system32\6B6A5F3764.sys

============= FINISH: 5:01:29.03 ===============


Java installed these four programs on my system....my question...do I really need ALL of them?

Java DB 10.4.2.1 (?)
Java 6 updated 17 ( I know I need this one)
Java SE Development Kit 6 Update 17 (?)
Java FX 1.2 SDK (??)

Thank you Wall


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 22 January 2010 - 03:02 PM

Those are just extra things Java puts on your machine. I'm not sure if they are necessary but I don't believe they should be any problem.

Don't worry about setting a restore point, ComboFix will take care of that when we do a uninstall with it.

Things are looking good overall but I would like you to check the following file before we finish:




Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\system32\6B6A5F3764.sys
Click Send.
Please post the results of this scan to this thread.




If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 22 January 2010 - 08:02 PM

Evening Wall....

Here is the results for the Virus Total scan. Under the "Additional Results" there is a akward item.....I can almost gurantee that "MS Flight Simulator Aircraft Performance" should not be there...I NEVER have had that program on this pc.

Anyway...here is the information you requested....thanks again:

File 6B6A5F3764.sys received on 2010.01.23 00:52:58 (UTC)Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.23 -
AhnLab-V3 5.0.0.2 2010.01.22 -
AntiVir 7.9.1.146 2010.01.22 -
Antiy-AVL 2.0.3.7 2010.01.22 -
Authentium 5.2.0.5 2010.01.22 -
Avast 4.8.1351.0 2010.01.22 -
AVG 9.0.0.730 2010.01.22 -
BitDefender 7.2 2010.01.23 -
CAT-QuickHeal 10.00 2010.01.22 -
ClamAV 0.94.1 2010.01.22 -
Comodo 3676 2010.01.23 -
DrWeb 5.0.1.12222 2010.01.22 -
eSafe 7.0.17.0 2010.01.21 -
eTrust-Vet 35.2.7255 2010.01.22 -
F-Prot 4.5.1.85 2010.01.22 -
F-Secure 9.0.15370.0 2010.01.22 -
Fortinet 4.0.14.0 2010.01.23 -
GData 19 2010.01.23 -
Ikarus T3.1.1.80.0 2010.01.22 -
Jiangmin 13.0.900 2010.01.22 -
K7AntiVirus 7.10.952 2010.01.22 -
Kaspersky 7.0.0.125 2010.01.23 -
McAfee 5869 2010.01.22 -
McAfee+Artemis 5869 2010.01.22 -
McAfee-GW-Edition 6.8.5 2010.01.22 -
Microsoft 1.5405 2010.01.22 -
NOD32 4798 2010.01.22 -
Norman 6.04.03 2010.01.22 -
nProtect 2009.1.8.0 2010.01.22 -
Panda 10.0.2.2 2010.01.22 -
PCTools 7.0.3.5 2010.01.22 -
Prevx 3.0 2010.01.23 -
Rising 22.31.04.04 2010.01.22 -
Sophos 4.50.0 2010.01.22 -
Sunbelt 3.2.1858.2 2010.01.22 -
Symantec 20091.2.0.41 2010.01.23 -
TheHacker 6.5.0.9.159 2010.01.22 -
TrendMicro 9.120.0.1004 2010.01.22 -
VBA32 3.12.12.1 2010.01.21 -
ViRobot 2010.1.22.2151 2010.01.22 -
VirusBuster 5.0.21.0 2010.01.22 -

Additional information
File size: 88 bytes
MD5...: b1ca472ce6ae5d3df3fc1ce38a83481a
SHA1..: 32f4325fe43b885dbaf5b390713570d832c4c773
SHA256: 76e5e65e5613adb8eb56c747ff521805c1335f01795bb7296c8812470b1f5695
ssdeep: 3:hl/L/aDn:fOn<BR>
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set<BR>-
pdfid.: -
trid..: MS Flight Simulator Aircraft Performance Info (100.0%)
sigcheck:<BR>publisher....: n/a<BR>copyright....: n/a<BR>product......: n/a<BR>description..: n/a<BR>original name: n/a<BR>internal name: n/a<BR>file version.: n/a<BR>comments.....: n/a<BR>signers......: -<BR>signing date.: -<BR>verified.....: Unsigned<BR>
<table border="1"><tr><td colspan="4">File 6B6A5F3764.sys received on 2010.01.23 00:52:58 (UTC)</td></tr><tr><td>Antivirus</td><td>Version</td><td>Last Update</td><td>Result</td</tr><tr><td>a-squared</td><td>4.5.0.50</td><td>2010.01.23</td><td>-</td</tr><tr><td>AhnLab-V3</td><td>5.0.0.2</td><td>2010.01.22</td><td>-</td</tr><tr><td>AntiVir</td><td>7.9.1.146</td><td>2010.01.22</td><td>-</td</tr><tr><td>Antiy-AVL</td><td>2.0.3.7</td><td>2010.01.22</td><td>-</td</tr><tr><td>Authentium</td><td>5.2.0.5</td><td>2010.01.22</td><td>-</td</tr><tr><td>Avast</td><td>4.8.1351.0</td><td>2010.01.22</td><td>-</td</tr><tr><td>AVG</td><td>9.0.0.730</td><td>2010.01.22</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2010.01.23</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>10.00</td><td>2010.01.22</td><td>-</td</tr><tr><td>ClamAV</td><td>0.94.1</td><td>2010.01.22</td><td>-</td</tr><tr><td>Comodo</td><td>3676</td><td>2010.01.23</td><td>-</td</tr><tr><td>DrWeb</td><td>5.0.1.12222</td><td>2010.01.22</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.17.0</td><td>2010.01.21</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>35.2.7255</td><td>2010.01.22</td><td>-</td</tr><tr><td>F-Prot</td><td>4.5.1.85</td><td>2010.01.22</td><td>-</td</tr><tr><td>F-Secure</td><td>9.0.15370.0</td><td>2010.01.22</td><td>-</td</tr><tr><td>Fortinet</td><td>4.0.14.0</td><td>2010.01.23</td><td>-</td</tr><tr><td>GData</td><td>19</td><td>2010.01.23</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.80.0</td><td>2010.01.22</td><td>-</td</tr><tr><td>Jiangmin</td><td>13.0.900</td><td>2010.01.22</td><td>-</td</tr><tr><td>K7AntiVirus</td><td>7.10.952</td><td>2010.01.22</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2010.01.23</td><td>-</td</tr><tr><td>McAfee</td><td>5869</td><td>2010.01.22</td><td>-</td</tr><tr><td>McAfee+Artemis</td><td>5869</td><td>2010.01.22</td><td>-</td</tr><tr><td>McAfee-GW-Edition</td><td>6.8.5</td><td>2010.01.22</td><td>-</td</tr><tr><td>Microsoft</td><td>1.5405</td><td>2010.01.22</td><td>-</td</tr><tr><td>NOD32</td><td>4798</td><td>2010.01.22</td><td>-</td</tr><tr><td>Norman</td><td>6.04.03</td><td>2010.01.22</td><td>-</td</tr><tr><td>nProtect</td><td>2009.1.8.0</td><td>2010.01.22</td><td>-</td</tr><tr><td>Panda</td><td>10.0.2.2</td><td>2010.01.22</td><td>-</td</tr><tr><td>PCTools</td><td>7.0.3.5</td><td>2010.01.22</td><td>-</td</tr><tr><td>Prevx</td><td>3.0</td><td>2010.01.23</td><td>-</td</tr><tr><td>Rising</td><td>22.31.04.04</td><td>2010.01.22</td><td>-</td</tr><tr><td>Sophos</td><td>4.50.0</td><td>2010.01.22</td><td>-</td</tr><tr><td>Sunbelt</td><td>3.2.1858.2</td><td>2010.01.22</td><td>-</td</tr><tr><td>Symantec</td><td>20091.2.0.41</td><td>2010.01.23</td><td>-</td</tr><tr><td>TheHacker</td><td>6.5.0.9.159</td><td>2010.01.22</td><td>-</td</tr><tr><td>TrendMicro</td><td>9.120.0.1004</td><td>2010.01.22</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.12.1</td><td>2010.01.21</td><td>-</td</tr><tr><td>ViRobot</td><td>2010.1.22.2151</td><td>2010.01.22</td><td>-</td</tr><tr><td>VirusBuster</td><td>5.0.21.0</td><td>2010.01.22</td><td>-</td</tr><tr><td colspan="4">&nbsp;</td></tr><tr><td colspan="4">Additional information</td></tr><tr><td colspan="4">File size: 88 bytes</td></tr><tr><td colspan="4">MD5...: b1ca472ce6ae5d3df3fc1ce38a83481a</td></tr><tr><td colspan="4">SHA1..: 32f4325fe43b885dbaf5b390713570d832c4c773</td></tr><tr><td colspan="4">SHA256: 76e5e65e5613adb8eb56c747ff521805c1335f01795bb7296c8812470b1f5695</td></tr><tr><td colspan="4">ssdeep: 3:hl/L/aDn:fOn<BR></td></tr><tr><td colspan="4">PEiD..: -</td></tr><tr><td colspan="4">PEInfo: -</td></tr><tr><td colspan="4">RDS...: NSRL Reference Data Set<BR>-</td></tr><tr><td colspan="4">pdfid.: -</td></tr><tr><td colspan="4">trid..: MS Flight Simulator Aircraft Performance Info (100.0%)</td></tr><tr><td colspan="4">sigcheck:<BR>publisher....: n/a<BR>copyright....: n/a<BR>product......: n/a<BR>description..: n/a<BR>original name: n/a<BR>internal name: n/a<BR>file version.: n/a<BR>comments.....: n/a<BR>signers......: -<BR>signing date.: -<BR>verified.....: Unsigned<BR></td></tr></table>
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.23 -
AhnLab-V3 5.0.0.2 2010.01.22 -
AntiVir 7.9.1.146 2010.01.22 -
Antiy-AVL 2.0.3.7 2010.01.22 -
Authentium 5.2.0.5 2010.01.22 -
Avast 4.8.1351.0 2010.01.22 -
AVG 9.0.0.730 2010.01.22 -
BitDefender 7.2 2010.01.23 -
CAT-QuickHeal 10.00 2010.01.22 -
ClamAV 0.94.1 2010.01.22 -
Comodo 3676 2010.01.23 -
DrWeb 5.0.1.12222 2010.01.22 -
eSafe 7.0.17.0 2010.01.21 -
eTrust-Vet 35.2.7255 2010.01.22 -
F-Prot 4.5.1.85 2010.01.22 -
F-Secure 9.0.15370.0 2010.01.22 -
Fortinet 4.0.14.0 2010.01.23 -
GData 19 2010.01.23 -
Ikarus T3.1.1.80.0 2010.01.22 -
Jiangmin 13.0.900 2010.01.22 -
K7AntiVirus 7.10.952 2010.01.22 -
Kaspersky 7.0.0.125 2010.01.23 -
McAfee 5869 2010.01.22 -
McAfee+Artemis 5869 2010.01.22 -
McAfee-GW-Edition 6.8.5 2010.01.22 -
Microsoft 1.5405 2010.01.22 -
NOD32 4798 2010.01.22 -
Norman 6.04.03 2010.01.22 -
nProtect 2009.1.8.0 2010.01.22 -
Panda 10.0.2.2 2010.01.22 -
PCTools 7.0.3.5 2010.01.22 -
Prevx 3.0 2010.01.23 -
Rising 22.31.04.04 2010.01.22 -
Sophos 4.50.0 2010.01.22 -
Sunbelt 3.2.1858.2 2010.01.22 -
Symantec 20091.2.0.41 2010.01.23 -
TheHacker 6.5.0.9.159 2010.01.22 -
TrendMicro 9.120.0.1004 2010.01.22 -
VBA32 3.12.12.1 2010.01.21 -
ViRobot 2010.1.22.2151 2010.01.22 -
VirusBuster 5.0.21.0 2010.01.22 -

Additional information
File size: 88 bytes
MD5...: b1ca472ce6ae5d3df3fc1ce38a83481a
SHA1..: 32f4325fe43b885dbaf5b390713570d832c4c773
SHA256: 76e5e65e5613adb8eb56c747ff521805c1335f01795bb7296c8812470b1f5695
ssdeep: 3:hl/L/aDn:fOn<BR>
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set<BR>-
pdfid.: -
trid..: MS Flight Simulator Aircraft Performance Info (100.0%)
sigcheck:<BR>publisher....: n/a<BR>copyright....: n/a<BR>product......: n/a<BR>description..: n/a<BR>original name: n/a<BR>internal name: n/a<BR>file version.: n/a<BR>comments.....: n/a<BR>signers......: -<BR>signing date.: -<BR>verified.....: Unsigned<BR>



#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:18 PM

Posted 22 January 2010 - 08:56 PM

What they are referring to about the flight simulator is not clear at all but it is not showing the file as being infected and that is what we were concerned about.

Is the computer still running good?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 23 January 2010 - 10:15 AM

Everything seems kind of back to normal. I did some general searches with Google and Yahoo and there were no redirects.

One thing that still seems to be happening is my "Local Area Connection Staus" which have monitoring on my toolbar, seems to be continually sending and receiving packets even when IE sits idle for a while. Not sure if that is still right or not.

Other than than it's running perfect.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users