
Yet another browser redirect after Internet Security 2010


  • This topic is locked
41 replies to this topic

#1 KT-22

KT-22

  • Members
  • 21 posts

Posted 04 February 2010 - 03:05 PM

Background Info:

Computer got infected with Internet Security 2010 virus. I used rkill.com and mbam to remove it. Report:

Attached File  mbam_log_2010_01_28__14_13_39_.txt   4.69KB   18 downloads

Everything appeared okay so I ran Windows update which hadn't been done in months. Upon reboot I got BSOD stop 0x0000007e when booting normally and in safe mode, (stop 0x0000005 ). After searching I tried to remove the Windows KB971486 update which reportedly has been causing this error. I couldn't even load repair console from the XP installation disk as I'd get another blue screen, (Can't remember any of the stop error code).

I used Hiren's boot cd to get back in and remove KB971486, which uninstalled. I was then able to get the machine to boot into XP normally. I then tried to boot into safe mode so I could run mbam from there, but I received another blue screen, (0x0000005 - I think), so I ran it from a normal boot and received the following infection report:

Attached File  mbam_log_2010_02_03__21_37_11_.txt   1.62KB   13 downloads

Everything appears okay now except that I still can't boot into safe mode, haven't tried inserting the installation disk to see if I still get a stop error, and I'm getting the browser redirects from Firefox and IE that others are reporting after removing IS2010.

Reports to follow:


DDS (Ver_09-12-01.01) - NTFSx86
Run by HAP at 11:50:28.32 on Thu 02/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2043.1236 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\HAP\Desktop\RootRepeal.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HAP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.live.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoTrayItemsDisplay = 00000000
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264717743250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264717702953
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hap\applic~1\mozilla\firefox\profiles\xfh8wui3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\hap\application data\mozilla\firefox\profiles\xfh8wui3.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-12 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-12 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-4 112512]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-5-4 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-5-4 41760]

=============== Created Last 30 ================

2010-02-04 07:37:12 56680 ----a-w- c:\windows\system32\rpcnet.exe
2010-02-04 07:37:12 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-04 04:51:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 04:51:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 04:00:07 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-04 01:03:57 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-04 01:02:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-01-28 23:16:40 0 d-----w- c:\program files\MSXML 4.0
2010-01-28 23:05:38 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-28 22:54:33 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-28 22:29:34 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-01-28 22:26:43 0 d-----w- c:\windows\system32\appmgmt
2010-01-28 22:16:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-28 21:26:50 0 d-----w- c:\docume~1\hap\applic~1\Malwarebytes
2010-01-28 21:26:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-28 21:26:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 20:38:41 0 ----a-w- c:\windows\system32\6334.exe
2010-01-28 20:18:41 0 ----a-w- c:\windows\system32\18467.exe
2010-01-28 19:35:55 1 ----a-w- C:\s
2010-01-24 04:44:04 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-24 04:44:04 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-02-04 16:02:30 31681 ----a-w- c:\windows\system32\nvModes.dat
2010-02-04 07:28:00 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll

============= FINISH: 11:50:45.32 ===============



Attached File  Attach.txt   15.46KB   18 downloads
Attached File  ark.txt   2.04KB   17 downloads
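As an added example (not part of this thread or of DDS itself), here is a small Python triage of the "Created Last 30" section above. SAMPLE_DDS is copied from the log in this post; the 7-day window, the rule names and the set of "executable" extensions are this example's own assumptions.

```python
"""Triage the 'Created Last 30' section of a DDS log (added example).

Each DDS line is: <date> <time> <size> <attrs> <path>. The rules below are the
checks an analyst applies by eye: executables newly written under system32,
zero-byte or purely numeric executable names, a 1-byte stub at the drive root,
and an .exe/.dll pair dropped in the same second with identical size.
DDS_RUN_TIME is the time DDS printed in its header; the window is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}  # assumed executable set

SAMPLE_DDS = r"""
2010-02-04 07:37:12 56680 ----a-w- c:\windows\system32\rpcnet.exe
2010-02-04 07:37:12 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-04 04:51:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 04:00:07 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-04 01:03:57 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-04 01:02:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-01-28 23:16:40 0 d-----w- c:\program files\MSXML 4.0
2010-01-28 20:38:41 0 ----a-w- c:\windows\system32\6334.exe
2010-01-28 20:18:41 0 ----a-w- c:\windows\system32\18467.exe
2010-01-28 19:35:55 1 ----a-w- C:\s
"""
DDS_RUN_TIME = datetime(2010, 2, 4, 11, 50, 28)


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        dot = self.name.rfind(".")
        return self.name[dot:] if dot >= 0 else ""

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")  # DDS puts 'd' first for directories


def parse_dds_created(text: str) -> list:
    """Parse DDS 'Created Last 30' lines; anything that is not an entry is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=4)  # maxsplit keeps spaces in the path
        if len(parts) != 5:
            continue
        try:
            created = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            size = int(parts[2])
        except ValueError:
            continue
        entries.append(Entry(created, size, parts[3], parts[4]))
    return entries


def triage(entries, now, window_days=7):
    """Return findings keyed by rule name; each value lists what the rule flagged."""
    hits = {"new_system32_exec": [], "numeric_or_empty_exec": [],
            "root_stub": [], "paired_exe_dll": []}
    cutoff = now - timedelta(days=window_days)
    pairs = {}  # (stem, created, size) -> set of extensions seen
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        stem = e.name[: -len(e.ext)] if e.ext else e.name
        if e.ext in EXEC_EXT and "\\windows\\system32\\" in low and e.created >= cutoff:
            hits["new_system32_exec"].append(e.path)
        if e.ext in EXEC_EXT and (e.size == 0 or stem.isdigit()):
            hits["numeric_or_empty_exec"].append(e.path)
        if re.fullmatch(r"[a-z]:\\[^\\]+", low) and e.ext == "" and e.size <= 1:
            hits["root_stub"].append(e.path)  # e.g. a 1-byte "C:\s"
        if e.ext in {".exe", ".dll"}:
            pairs.setdefault((stem, e.created, e.size), set()).add(e.ext)
    for stem, created, size in sorted(pairs):
        if pairs[(stem, created, size)] == {".exe", ".dll"}:
            hits["paired_exe_dll"].append(f"{stem} ({size} bytes @ {created:%Y-%m-%d %H:%M:%S})")
    return hits


def triage_sample():
    """Run the rules over the sample log, using the DDS run time as 'now'."""
    return triage(parse_dds_created(SAMPLE_DDS), DDS_RUN_TIME)


if __name__ == "__main__":
    for rule, found in triage_sample().items():
        print(f"{rule}: {len(found)}")
        for item in found:
            print("   ", item)
```

The flagged paths are leads for the helper to check, not verdicts: a new .exe/.dll pair under system32 may belong to a legitimate installer as easily as to a dropper.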





#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 09:04 AM

Hi KT-22,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@ECHO OFF
REM run from the drive root, where mbr.exe was saved
cd\
REM GMER's MBR check; writes mbr.log in the current directory
mbr.exe -t
REM list the SCSI Miniport drivers (the disk driver the MBR read passes through)
sc query type= driver group= "SCSI Miniport" > Log.txt
REM append the MBR result and open the combined log
type mbr.log >>log.txt
Start Log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click look.bat on the desktop.
  • Notepad opens; copy and paste its content (log.txt) into your reply.


#3 KT-22

KT-22
  • Topic Starter

  • Members
  • 21 posts

Posted 05 February 2010 - 11:32 AM

Thank you for your help Farbar. I won't be making any changes to this system except for those requested from you. In fact, I'll be running your instructions on this machine, then shutting it down until I hear back from you.

Requested log:


SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: O2MDGRDR
DISPLAY_NAME: O2MDGRDR
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: O2SDGRDR
DISPLAY_NAME: O2SDGRDR
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x89DAC8C8]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
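The batch file from the previous reply concatenates the `sc query` listing and GMER's mbr.log into one Log.txt. As an added example (not from the thread, GMER or Farbar), this Python parser reads that combined file and pulls out what the helper looks for: the disk driver chain, any unresolved `>>UNKNOWN [addr]<<` entry in it, and the sectors holding MBR copies. SAMPLE_LOG is an abridged copy of the log posted above; the verdict wording is this example's own.

```python
"""Parse the Log.txt produced by the dirlook.bat procedure (added example).

The file holds the 'sc query' output for the SCSI Miniport group followed by
GMER's mbr.log. The forum copy collapsed sc's column spacing, so KEY : VALUE
lines are matched with flexible whitespace.
"""
from dataclasses import dataclass, field
import re

KV_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_RE = re.compile(r"copy of MBR has been found in sector (\d+)")
CHAIN_PREFIX = "called modules:"

# Abridged from the log posted above (some repeated sc fields omitted).
SAMPLE_LOG = """\
SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_NAME: O2MDGRDR
DISPLAY_NAME: O2MDGRDR
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: O2SDGRDR
DISPLAY_NAME: O2SDGRDR
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x89DAC8C8]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
"""


@dataclass
class LogSummary:
    miniports: dict = field(default_factory=dict)  # SERVICE_NAME -> {field: value}
    chain: list = field(default_factory=list)      # modules on the disk I/O path
    unknown_hooks: list = field(default_factory=list)
    copy_sectors: list = field(default_factory=list)
    mbr_ok: bool = False

    def chain_drivers_known(self) -> dict:
        """Map each *.sys in the chain to whether a listed miniport service owns it."""
        names = {k.lower() for k in self.miniports}
        return {m: m[:-4].lower() in names for m in self.chain if m.lower().endswith(".sys")}

    def verdict(self) -> str:
        if self.unknown_hooks:
            return "unresolved module in disk I/O chain at " + ", ".join(self.unknown_hooks) + "; examine by hand"
        if not self.mbr_ok:
            return "user/kernel MBR differ or unreadable; examine by hand"
        return "MBR read consistent; copies in sectors " + ", ".join(map(str, self.copy_sectors))


def parse_log(text: str) -> LogSummary:
    s = LogSummary()
    current = None  # dict of the sc service currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Stealth MBR"):
            current = None  # sc output ends here; mbr.log begins
            continue
        if line.startswith(CHAIN_PREFIX):
            body = line[len(CHAIN_PREFIX):]
            s.unknown_hooks += UNKNOWN_RE.findall(body)
            s.chain = UNKNOWN_RE.sub(" ", body).split()
            continue
        m = SECTOR_RE.search(line)
        if m:
            s.copy_sectors.append(int(m.group(1)))
            continue
        if line == "user & kernel MBR OK":
            s.mbr_ok = True
            continue
        kv = KV_RE.match(line)
        if kv:
            key, val = kv.groups()
            if key == "SERVICE_NAME":
                current = s.miniports.setdefault(val, {})
            elif current is not None:
                current[key] = val
    return s


def parse_sample() -> LogSummary:
    return parse_log(SAMPLE_LOG)


if __name__ == "__main__":
    summary = parse_sample()
    print("miniports:", ", ".join(summary.miniports))
    print("chain:", " -> ".join(summary.chain))
    print("known drivers:", summary.chain_drivers_known())
    print("verdict:", summary.verdict())
```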



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 11:52 AM

  1. Click on this link--> virustotal

    Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

    c:\windows\system32\drivers\o2mdg.sys
    c:\windows\system32\drivers\o2sdg.sys


    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  2. Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix has produced its log.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 KT-22

KT-22
  • Topic Starter

  • Members
  • 21 posts

Posted 05 February 2010 - 01:36 PM


Report for file:

c:\windows\system32\drivers\o2mdg.sys


File o2mdg.sys received on 2010.02.05 16:57:09 (UTC)
Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.02 -
AhnLab-V3 5.0.0.2 2010.02.01 -
AntiVir 7.9.1.156 2010.02.02 -
Antiy-AVL 2.0.3.7 2010.02.02 -
Authentium 5.2.0.5 2010.02.02 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.01 -
BitDefender 7.2 2010.02.02 -
CAT-QuickHeal 10.00 2010.02.02 -
ClamAV 0.96.0.0-git 2010.02.02 -
Comodo 3790 2010.02.02 -
DrWeb 5.0.1.12222 2010.02.02 -
eSafe 7.0.17.0 2010.02.02 -
eTrust-Vet 35.2.7276 2010.02.02 -
F-Prot 4.5.1.85 2010.02.01 -
F-Secure 9.0.15370.0 2010.02.02 -
Fortinet 4.0.14.0 2010.02.02 -
GData 19 2010.02.02 -
Ikarus T3.1.1.80.0 2010.02.02 -
Jiangmin 13.0.900 2010.02.02 -
K7AntiVirus 7.10.962 2010.02.01 -
Kaspersky 7.0.0.125 2010.02.02 -
McAfee 5879 2010.02.01 -
McAfee+Artemis 5879 2010.02.01 -
McAfee-GW-Edition 6.8.5 2010.02.02 -
Microsoft 1.5406 2010.02.02 -
NOD32 4827 2010.02.02 -
Norman 6.04.03 2010.02.02 -
nProtect 2009.1.8.0 2010.02.02 -
Panda 10.0.2.2 2010.02.01 -
PCTools 7.0.3.5 2010.02.02 -
Prevx 3.0 2010.02.05 -
Rising 22.33.01.04 2010.02.02 -
Sophos 4.50.0 2010.02.02 -
Sunbelt 3.2.1858.2 2010.02.02 -
TheHacker 6.5.1.0.176 2010.02.02 -
TrendMicro 9.120.0.1004 2010.02.02 -
VBA32 3.12.12.1 2010.02.01 -
ViRobot 2010.2.2.2168 2010.02.02 -
VirusBuster 5.0.21.0 2010.02.01 -
Additional information
File size: 51616 bytes
MD5...: 4f8d4b1233af48b30f4fdc76a8865cfa
SHA1..: 41ac97d449ad0753cd652eab65fcdb82eb563551
SHA256: 1ae34f62b42345687481851d6366548155e2907d7470612c67f438c97e97ba28
ssdeep: 768:yLXMsMv5akJDwNHhNK0fmjOb6V1kmpGIo3W8Qr7P63clcGLAm+bT8:yD05akJ4I1kfIDH7Ac+GLeY
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa005
timedatestamp.....: 0x495b5722 (Wed Dec 31 11:27:30 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x95be 0x9600 6.49 595bcd7c4630230b801b58166143aecc
.rdata 0x9a80 0x1f3 0x200 4.78 7780d73eb41a861de3cd6692c5baa047
.data 0x9c80 0x365 0x380 0.80 6956182ad79dcb64cb13c1d0fd9683f1
INIT 0xa000 0x3f2 0x400 5.22 a4b03da55ccd0b6659aadac3ddb1b80c
.rsrc 0xa400 0x3d0 0x400 3.16 e4229808d8c3e94cd44359fc8911266e
.reloc 0xa800 0x70c 0x780 4.30 3bf56a000975de34b33f6080a4e4f23f

( 3 imports )
> ntoskrnl.exe: ObfDereferenceObject, KeSetEvent, KeClearEvent, KeWaitForSingleObject, KeInsertQueueDpc, IofCompleteRequest, ObReferenceObjectByHandle, MmMapIoSpace, PsCreateSystemThread, KeInitializeEvent, KeInitializeDpc, KeTickCount, KeBugCheckEx, ExEventObjectType, IoOpenDeviceRegistryKey, RtlInitUnicodeString, ZwCreateKey, ZwSetValueKey, ZwClose, memcpy, memset, swprintf, ExAllocatePool, _purecall, ExFreePool
> HAL.DLL: KeStallExecutionProcessor
> SCSIPORT.SYS: ScsiPortCompleteRequest, ScsiPortGetUncachedExtension, ScsiPortGetPhysicalAddress, ScsiPortMoveMemory, ScsiPortNotification, ScsiPortGetDeviceBase, ScsiPortValidateRange, ScsiPortInitialize

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
sigcheck:
publisher....: O2Micro
copyright....: Copyright ©O2Micro 2004_2008
product......: o2media
description..: Gunslinger Test Driver
original name: O2MDG.sys
internal name: O2MDG
file version.: 1, 1, 0, 320
comments.....:
signers......: O2Micro Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 3:50 AM 1/4/2009
verified.....: -


-----------------------------------------------------------------------------------------------------

Report for file:

c:\windows\system32\drivers\o2sdg.sys

File o2sdg.sys received on 2010.02.05 17:04:44 (UTC)
Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.05 -
AhnLab-V3 5.0.0.2 2010.02.05 -
AntiVir 7.9.1.158 2010.02.05 -
Antiy-AVL 2.0.3.7 2010.02.05 -
Authentium 5.2.0.5 2010.02.05 -
Avast 4.8.1351.0 2010.02.05 -
AVG 9.0.0.730 2010.02.05 -
BitDefender 7.2 2010.02.05 -
CAT-QuickHeal 10.00 2010.02.05 -
ClamAV 0.96.0.0-git 2010.02.05 -
Comodo 3830 2010.02.05 -
DrWeb 5.0.1.12222 2010.02.05 -
eSafe 7.0.17.0 2010.02.04 -
eTrust-Vet 35.2.7285 2010.02.05 -
F-Prot 4.5.1.85 2010.02.05 -
F-Secure 9.0.15370.0 2010.02.05 -
Fortinet 4.0.14.0 2010.02.05 -
GData 19 2010.02.05 -
Ikarus T3.1.1.80.0 2010.02.05 -
Jiangmin 13.0.900 2010.02.05 -
K7AntiVirus 7.10.967 2010.02.05 -
Kaspersky 7.0.0.125 2010.02.05 -
McAfee 5883 2010.02.05 -
McAfee+Artemis 5883 2010.02.05 -
McAfee-GW-Edition 6.8.5 2010.02.05 -
Microsoft 1.5406 2010.02.05 -
NOD32 4839 2010.02.05 -
Norman 6.04.03 2010.02.05 -
nProtect 2009.1.8.0 2010.02.05 -
Panda 10.0.2.2 2010.02.05 -
PCTools 7.0.3.5 2010.02.05 -
Rising 22.33.04.04 2010.02.05 -
Sophos 4.50.0 2010.02.05 -
Sunbelt 3.2.1858.2 2010.02.05 -
TheHacker 6.5.1.0.180 2010.02.05 -
TrendMicro 9.120.0.1004 2010.02.05 -
VBA32 3.12.12.1 2010.02.05 -
ViRobot 2010.2.5.2174 2010.02.05 -
VirusBuster 5.0.21.0 2010.02.05 -
Additional information
File size: 41760 bytes
MD5...: 928b7612b65e82d68d489a1474c98b37
SHA1..: 18b063ab369df47a043f11a53236f752cfdc73a3
SHA256: fe682dcc59eb1494bdd19b506c23288db0398ca6685a422ab495349a1d41dc80
ssdeep: 768:XvIu1WRyAYEoxNZ3x5ooPqDWwz2ywjluhfX8HLAm+bv:Ey73AoPqiwz3zlsHLev
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7785
timedatestamp.....: 0x494f10f9 (Mon Dec 22 04:00:57 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x68e9 0x6900 6.36 2036917062f2049e175b3751a2622bb4
.rdata 0x6d80 0x156 0x180 4.45 28b1cddb4c83d86056de2bd0c834ce8a
.data 0x6f00 0x818 0x880 2.52 03ec09faa6e82bd3281634e755e3b310
INIT 0x7780 0x48c 0x500 4.92 ad2fe781618f0a055da908aa92e9d91a
.rsrc 0x7c80 0x428 0x480 3.08 3ce91d591f06b5df39431a6c7a928cf4
.reloc 0x8100 0x7f4 0x800 5.17 81773278452b986808fc3762a7318d43

( 3 imports )
> ntoskrnl.exe: swprintf, KeInsertQueueDpc, PsCreateSystemThread, KeInitializeEvent, KeInitializeDpc, ObReferenceObjectByHandle, memset, KeTickCount, KeBugCheckEx, ExEventObjectType, IofCompleteRequest, IoOpenDeviceRegistryKey, RtlInitUnicodeString, ZwCreateKey, ZwSetValueKey, ZwClose, KeClearEvent, KeSetEvent, ObfDereferenceObject, KeReleaseMutex, KeWaitForSingleObject, KeInitializeMutex, KeQuerySystemTime, memcpy
> HAL.DLL: KeStallExecutionProcessor
> SCSIPORT.SYS: ScsiPortWriteRegisterBufferUshort, ScsiPortReadRegisterBufferUchar, ScsiPortMoveMemory, ScsiPortGetPhysicalAddress, ScsiPortReadRegisterBufferUshort, ScsiPortInitialize, ScsiPortCompleteRequest, ScsiPortValidateRange, ScsiPortGetDeviceBase, ScsiPortNotification, ScsiPortReadRegisterBufferUlong, ScsiPortWriteRegisterBufferUlong

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
sigcheck:
publisher....: O2Micro
copyright....: Copyright ©2004_2008, O2Micro International.
product......: O2Micro SD Reader Driver
description..: O2Micro SD Reader Driver
original name: O2SDG.sys
internal name: O2SDG
file version.: 1, 1, 0, 406
comments.....: O2Micro Driver
signers......: O2Micro Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 3:13 AM 12/23/2008
verified.....: -


-------------------------------------------------------------------------------------------

Combofix report:


ComboFix 10-02-04.08 - HAP 02/05/2010 10:05:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2043.1348 [GMT -8:00]
Running from: c:\documents and settings\HAP\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
C:\s
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 16:27 . 2010-02-05 16:27 77312 ----a-w- C:\mbr.exe
2010-02-04 07:37 . 2010-02-05 16:20 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-04 07:37 . 2010-02-04 07:36 56680 ----a-w- c:\windows\system32\rpcnet.exe
2010-02-04 04:51 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 04:51 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 04:10 . 2010-02-04 04:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-04 04:00 . 2010-02-04 04:00 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-04 01:03 . 2010-02-04 06:20 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-04 01:02 . 2010-02-05 16:21 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-01-28 23:16 . 2010-01-28 23:16 -------- d-----w- c:\program files\MSXML 4.0
2010-01-28 23:05 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-28 22:54 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-28 22:16 . 2010-02-04 06:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-28 21:26 . 2010-01-28 21:26 -------- d-----w- c:\documents and settings\HAP\Application Data\Malwarebytes
2010-01-28 21:26 . 2010-01-28 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 21:26 . 2010-02-04 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 19:17 . 2010-01-11 21:24 51200 ----a-w- c:\documents and settings\HAP\Application Data\Mozilla\Firefox\Profiles\xfh8wui3.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
2010-01-21 18:20 . 2010-01-21 18:20 -------- d-----w- c:\documents and settings\HAP\Local Settings\Application Data\Help
2010-01-14 05:59 . 2010-01-14 05:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 16:26 . 2009-12-01 15:05 79488 ----a-w- c:\documents and settings\HAP\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-04 16:02 . 2009-05-05 05:02 31681 ----a-w- c:\windows\system32\nvModes.dat
2010-02-04 07:28 . 2009-10-11 03:14 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-02-04 01:50 . 2009-08-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-04 01:02 . 2009-05-05 05:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-28 23:18 . 2009-05-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-21 19:14 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 07:01 . 2009-10-09 05:58 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-24 06:57 . 2009-10-09 05:57 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-21 15:51 . 2008-04-25 16:16 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-03 208896]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-22 13590528]
"nwiz"="nwiz.exe" [2009-01-22 1630208]
"NVHotkey"="nvHotkey.dll" [2009-01-22 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-22 86016]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 04:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 9:57 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/12/2009 12:55 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/12/2009 12:55 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/12/2009 12:55 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 6:49 AM 1028432]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/4/2009 11:56 PM 112512]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [5/4/2009 11:57 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [5/4/2009 11:57 PM 41760]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 05:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HAP\Application Data\Mozilla\Firefox\Profiles\xfh8wui3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\HAP\Application Data\Mozilla\Firefox\Profiles\xfh8wui3.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 10:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x89DAC8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\iaStor -> iaStor.sys @ 0xba692d0c
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> NDIS.sys @ 0xba544bb0
PacketIndicateHandler -> NDIS.sys @ 0xba533a0d
SendHandler -> NDIS.sys @ 0xba547b40
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-02-05 10:12:29
ComboFix-quarantined-files.txt 2010-02-05 18:12

Pre-Run: 132,704,006,144 bytes free
Post-Run: 133,523,812,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CC40A036B757443F484B2C211A84F71E


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:10 AM

Posted 05 February 2010 - 04:45 PM

Did ComboFix need a reboot? Please give me feedback so that I know if rebooting causes any problem.
  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If DeFogger asks to reboot the machine, don't reboot now.

  2. Go to start > Run copy and paste the following lines one by one in the run box and click OK after each line:

    sc config O2FLASH start= disabled
    sc config O2MDGRDR start= disabled
    sc config O2SDGRDR start= disabled


    A window flashes; that is normal.

  3. Reboot the computer now.

  4. Delete the dirlook.bat from your desktop.
    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM work from the root of the system drive, where mbr.exe was saved
    cd\
    REM first mbr.exe pass (-f switch); the tool writes its report to mbr.log
    mbr.exe -f
    REM list the loaded "SCSI Miniport" drivers (iaStor.sys is in this group); this starts Log.txt
    sc query type= driver group= "SCSI Miniport" > Log.txt
    type mbr.log >>log.txt
    REM second pass (-t) traces the modules called on the disk I/O path
    mbr.exe -t
    REM ping to an unreachable address is used as a ~1.5 second delay so mbr.log is complete before it is read
    ping 1.1.1.1 -n 1 -w 1500 >nul
    type mbr.log >>log.txt
    echo %date% %time% >>log.txt
    Start Log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

Edited by farbar, 05 February 2010 - 06:52 PM.


#7 KT-22 (Topic Starter)

Posted 05 February 2010 - 09:57 PM

Unfortunately, I don't know if ComboFix rebooted or not. This machine's not set up with a login. It took about 15-20 minutes (it froze for most of that time) to get to the point of downloading the Recovery Console, and when it finally started its scan I had to go get ready for work. I have booted it several times, once to see how it rebooted and once as you instructed, and it doesn't appear to have any difficulties. The only change is the pause to choose between XP and the Recovery Console. The only other notable change was Firefox asking about being the default browser, which it has been since this computer was new.

Your instructions say to save the bat file as dirlook.bat, but to run the look.bat file. I ran the dirlook.bat file with the results pasted below.

Log.txt file:

SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x894448C8]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
Fri 02/05/2010 18:43:59.96

#8 Farbar

Posted 06 February 2010 - 05:21 AM

We are going to replace iaStor.sys with a clean copy. Please tell me if you have access to another computer with Windows XP installed. What we need is a clean copy of that file. If yes, please do the following on both computers; otherwise do it just on the infected computer:

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c dir /a /s /oe c:\iastor.* > log.txt&start log.txt

A text file (log.txt) will open. Please post its content in your reply.

Edited by farbar, 06 February 2010 - 10:40 AM.


#9 KT-22 (Topic Starter)

Posted 06 February 2010 - 08:45 PM


Report from clean computer:

Volume in drive C has no label.
Volume Serial Number is 70A6-165A

Directory of c:\WINDOWS\dell

09/28/2009 05:22 AM <DIR> iastor
0 File(s) 0 bytes

Directory of c:\WINDOWS\dell\iastor

08/12/2004 05:36 AM 7,878 iastor.cat
08/12/2004 05:36 AM 2,634 iastor.inf
09/28/2009 05:22 AM 7,428 iastor.PNF
08/12/2004 05:36 AM 467,200 iastor.sys
4 File(s) 485,140 bytes

Total Files Listed:
4 File(s) 485,140 bytes
1 Dir(s) 8,457,998,336 bytes free


Report from infected computer:

Volume in drive C is OS
Volume Serial Number is 4C18-0A2B

Directory of c:\drivers\storage\R208747

01/19/2009 11:41 AM 8,946 iastor.cat
01/19/2009 11:41 AM 8,116 iaStor.inf
05/05/2009 03:59 AM 13,524 iaStor.PNF
01/19/2009 11:41 AM 328,728 IaStor.sys
4 File(s) 359,314 bytes

Directory of c:\WINDOWS\system32\drivers

01/19/2009 11:41 AM 328,728 iaStor.sys
1 File(s) 328,728 bytes

Total Files Listed:
5 File(s) 688,042 bytes
0 Dir(s) 133,574,975,488 bytes free

#10 Farbar

Posted 07 February 2010 - 07:25 AM

Since the files on the two computers seem to be of different versions, we will try to use another copy of the file on the infected computer. So the following steps will be performed on the infected computer.
  1. Go to start > Run copy and paste the following line in the run box and click OK:

    cmd /c copy c:\drivers\storage\R208747\iaStor.sys c:\ >log.txt&start log.txt

    A text file (log.txt) opens. Proceed with the next step only if "1 file(s) copied" is listed.

  2. Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      CODE
      Comment:
      start to process
      Files to move:
      C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
    • In the avenger window, click the Paste Script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
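Before the installed iaStor.sys is overwritten, the thread has already done a manual version check: the copy on the other XP machine (467,200 bytes, dated 2004) was a different build and was not used, while the copy in c:\drivers\storage\R208747 has the same size (328,728 bytes) and the same date as the file in system32\drivers. The following is an added example, not the helper's or any tool's code, that performs that pre-swap check programmatically: it compares size, the build timestamp in the PE header and a SHA-256 of the two files, so a driver that was modified in place (same build, different bytes) is told apart from a genuinely different build. The two small PE images are constructed inline for the demonstration, and the function names and verdict strings are my own.

```python
import hashlib
import struct


def build_test_pe(timestamp, body):
    """Construct a minimal PE-shaped blob (constructed test data, not a real driver):
    a 64-byte DOS header whose e_lfanew points at 'PE\\0\\0' plus a 20-byte COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
                       1,           # NumberOfSections
                       timestamp,   # TimeDateStamp (link/build time)
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0xE0,        # SizeOfOptionalHeader for PE32
                       0x0102)      # Characteristics: executable, 32-bit
    return bytes(dos) + b"PE\0\0" + coff + body


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image, or None if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF header starts 4 bytes after the signature; TimeDateStamp is its third field (offset 4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compare_driver(candidate, installed):
    """Decide whether 'candidate' is a safe replacement for 'installed'."""
    cand_ts = pe_timestamp(candidate)
    report = {
        "same_size": len(candidate) == len(installed),
        "same_build": cand_ts is not None and cand_ts == pe_timestamp(installed),
        "same_hash": hashlib.sha256(candidate).digest() == hashlib.sha256(installed).digest(),
    }
    if report["same_hash"]:
        report["verdict"] = "IDENTICAL: installed file already matches, nothing to replace"
    elif report["same_size"] and report["same_build"]:
        report["verdict"] = "REPLACE: same build but contents differ, installed copy was modified"
    else:
        report["verdict"] = "MISMATCH: different build, do not swap blindly"
    return report


# Constructed demo data.  The "vendor" copy and the "installed" copy share size and
# build timestamp; the installed one has 16 bytes patched in place, which is what
# equal sizes and dates in a dir listing would hide.
BUILD_TS = 0x49748D20                                   # arbitrary constructed value
CLEAN_BODY = bytes(range(256)) * 4
VENDOR_COPY = build_test_pe(BUILD_TS, CLEAN_BODY)
PATCHED_BODY = bytearray(CLEAN_BODY)
PATCHED_BODY[512:528] = b"\xE9" + b"\x90" * 15          # a jmp stub overwriting 16 bytes
INSTALLED_COPY = build_test_pe(BUILD_TS, bytes(PATCHED_BODY))
OTHER_BUILD = build_test_pe(BUILD_TS - 100000, b"\x00" * 2048)   # older and larger build

if __name__ == "__main__":
    for name, cand in (("vendor copy", VENDOR_COPY), ("other machine", OTHER_BUILD)):
        print(name, "->", compare_driver(cand, INSTALLED_COPY)["verdict"])
```

For real files, read both with `open(path, "rb").read()` and pass the bytes to `compare_driver`. One caveat worth keeping in mind: a copy taken from the same disk (as the R208747 folder here) is only as trustworthy as that disk; a copy from read-only media or a vendor download with a published checksum is the stronger reference.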





#11 KT-22 (Topic Starter)

Posted 07 February 2010 - 12:52 PM


If it means anything, there was a new IE icon on my desktop when I booted this machine today.

Below is the text file produced by Avenger.


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


#12 Farbar

Posted 07 February 2010 - 01:46 PM

The IE icon is put there by ComboFix. ComboFix resets some settings to their defaults to correct those set by the malware. You may delete the icon.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@echo off
REM trace the modules on the disk I/O path; the report goes to mbr.log in the current folder
mbr.exe -t
REM ping to an unreachable address is used as a ~1 second delay so mbr.exe finishes writing first
ping 1.1.1.1 -n 1 -w 1000 >nul
echo %date% %time% >>mbr.log
start mbr.log
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: KT.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click KT.bat on the desktop.
  • A notepad opens, copy and paste the content (mbr.log) to your reply.


#13 KT-22 (Topic Starter)

Posted 07 February 2010 - 02:49 PM


KT.bat report:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
Sun 02/07/2010 11:48:44.46
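Reading the mbr.exe trace is what this thread turns on: in post #7 (and in the ComboFix log above) the "called modules" chain leaves every loaded module right after iaStor.sys and lands in ">>UNKNOWN [addr]<<", and after the driver swap the chain in post #13 ends in hal.dll. Here is an added example, not part of the thread and not Gmer's code, that parses the tool's text output as printed above and applies that reasoning: it flags the UNKNOWN entry, names the module immediately before it as the driver to compare against a clean copy, and records the "copy of MBR" lines. The two sample logs are copied from posts #7 and #13; the field names and verdict strings are my own.

```python
import re

# Sample logs copied from the thread: the second run in post #7 (before the
# driver swap) and the run in post #13 (after it).
LOG_BEFORE_SWAP = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x894448C8]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
"""

LOG_AFTER_SWAP = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
MBR_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


def parse_mbr_log(text):
    """Pull the security-relevant fields out of one mbr.exe run."""
    result = {
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_ok": False,            # tool printed "user & kernel MBR OK"
        "called_modules": [],       # named modules on the disk I/O path, in call order
        "unknown_addr": None,       # address of code that belongs to no loaded module
        "suspect": None,            # last named module before the unknown code
        "mbr_copies": [],           # sectors that hold an extra copy of the MBR
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            result["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            result["kernel_mbr_read"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_ok"] = True
        elif line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            m = UNKNOWN_RE.search(chain)
            if m:
                result["unknown_addr"] = m.group(1)
                before = chain[:m.start()].split()
                result["suspect"] = before[-1] if before else None
                chain = chain[:m.start()] + chain[m.end():]
            result["called_modules"] = chain.split()
        else:
            m = MBR_COPY_RE.search(line)
            if m:
                result["mbr_copies"].append(int(m.group(1)))
    return result


def assess(parsed):
    """Turn the parsed fields into a verdict: (status, explanation)."""
    if not (parsed["user_mbr_read"] and parsed["kernel_mbr_read"]):
        return ("INCONCLUSIVE", "mbr.exe did not read the MBR from both user and kernel mode")
    if parsed["unknown_addr"]:
        return ("SUSPECT",
                "disk I/O path leaves all loaded modules at %s right after %s; "
                "compare that driver against a known-clean copy"
                % (parsed["unknown_addr"], parsed["suspect"]))
    if not parsed["mbr_ok"]:
        return ("SUSPECT", "tool did not report 'user & kernel MBR OK'")
    if not parsed["called_modules"]:
        return ("INCONCLUSIVE", "MBR views agree but there is no 'called modules' trace; rerun with -t")
    return ("CLEAN", "call chain ends in %s and both MBR views agree" % parsed["called_modules"][-1])


if __name__ == "__main__":
    for label, log in (("before swap", LOG_BEFORE_SWAP), ("after swap", LOG_AFTER_SWAP)):
        status, why = assess(parse_mbr_log(log))
        print("%-12s %-13s %s" % (label, status, why))
```

Two reading notes: a run without `-t` (the `-f` pass in post #7) has no "called modules" line, so it says nothing about the driver path and is reported as inconclusive rather than clean; and the "copy of MBR has been found in sector 61/62" lines appear unchanged in both the infected and the cleaned runs in this thread, so the parser records the sectors but does not treat them as an indicator on their own.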


#14 Farbar

Posted 07 February 2010 - 03:19 PM

It looks good. The rootkit is taken care of.

From your first post:
QUOTE
Everything appears okay now except that I still can't boot into safe mode, haven't tried inserting the installation disk to see if I still get a stop error,

We have to restore the settings we changed in the process of handling this rootkit. But before that, let's make sure those problems are resolved.
  1. Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log in to your usual account.
    • Tell me if you were able to log into Safe Mode.

  2. Also insert your CD to see if you get any error and tell me about it.


#15 KT-22 (Topic Starter)

Posted 07 February 2010 - 04:59 PM

Thanks for all your help farbar, (sorry about the typo on your name in my first response).

The machine boots into safe mode without any problems, but using the installation cd results in a BSOD with the following stop error:

0x7B (0xF78D2524, 0xC0000034, 0x0, 0x0)

I tried switching the SATA controller mode, but that resulted in a different BSOD on normal boot, so I switched it back.





