
Trojan:WinT/Aluero/n.gen!A


  • This topic is locked
22 replies to this topic

#1 Chas Brunson

Chas Brunson

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 24 February 2010 - 02:57 PM

Since I have had this virus, I have had complications with a window that asks me repeatedly if I want to continue running scripts on a random page. I also am having trouble with random pop-up windows, my computer's speed, and when I tried using Internet Explorer I keep getting redirected. I think I got the virus from a BitTorrent download. After I opened the download I was told I needed to upgrade, and when I finished downloading the upgrade onto my desktop it disappeared once I had double-clicked it.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Bridget Brunson at 13:08:43.07 on Wed 02/24/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.153 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\afasrv32.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\USIM Editor\iconcs15526000.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Bridget Brunson\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bridget Brunson\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {90C61707-C8F8-43DB-A25C-C1F4B18EE41E} - No File
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [USBestCR] c:\program files\usim editor\iconcs15526000.exe RunFromReg
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\bridge~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\bridget brunson\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c10.cab?5c2286b2aaf8f3c1d0855799a4d110d00666446a76584b75ac01e3be0d210ec3d22ee9a3303d576e1281c6233932c6a2e667bcee15322a3b6efe4381ad:5e52d837461409ba5144aa8a93efb061
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 91.212.127.220 intsecure.microsoft.com
Hosts: 91.212.127.220 intsecure-2009.com
Hosts: 91.212.127.220 www.intsecure-2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bridge~1\applic~1\mozilla\firefox\profiles\8dpig5sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-10 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-10 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-10 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-19 329592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2009-11-25 65536]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-10 117640]
R3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\system32\drivers\ax88178.sys [2009-6-25 24192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-10 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.048\NAVENG.SYS [2010-2-24 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.048\NAVEX15.SYS [2010-2-24 1324720]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-25 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-25 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-25 40552]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [2009-11-25 51072]

=============== Created Last 30 ================


==================== Find3M ====================

2010-02-10 04:57:09 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-10 04:56:51 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-30 14:09:39 77352 ----a-w- c:\windows\hpqins05.dat
2009-12-29 06:36:48 157529 ----a-w- c:\windows\hpoins28.dat
2009-12-11 02:02:31 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 13:10:09.68 ===============
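The three Hosts lines in the DDS log above are the security-relevant indicator in this post: the hosts file maps intsecure.microsoft.com and two look-alike domains to a single remote address, 91.212.127.220, which is how rogue security software keeps its victim on its own pages while the real vendor sites are unreachable. DDS only prints Hosts entries that are not Windows defaults, so any non-loopback address there deserves a look, as do the "No File" add-on registrations and the ActiveX (DPF) download from zangocash.com. The following triage script is an added example, not part of the original thread and not something the DDS tool provides. It parses Pseudo HJT Report lines in the format DDS writes and returns findings; the sample input is copied from the log above (with the long Zango query string shortened), and the trusted-host allowlist and the severity labels are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: Pseudo HJT Report lines in the format DDS writes,
# copied from the log posted above ("hxxp" is DDS's own defanging of "http";
# the Zango query string has been shortened).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c10.cab?5c2286b2
Hosts: 91.212.127.220 intsecure.microsoft.com
Hosts: 91.212.127.220 intsecure-2009.com
Hosts: 127.0.0.1 localhost
"""

# Assumed allowlist of ActiveX download hosts the analyst trusts. This is
# constructed for the example; tune it to the environment being triaged.
TRUSTED_DPF_HOSTS = {
    "java.sun.com",
    "download.macromedia.com",
    "cdn.scan.onecare.live.com",
}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
DPF_RE = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}\s+-\s+(\S+)")
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s+.*-\s+No File$")


def refang(url):
    """Undo the hxxp/hxxps defanging DDS applies so urlsplit sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def is_loopback(ip_text):
    """True only for a syntactically valid loopback address (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def analyze(log_text):
    """Return (severity, reason, line) findings for DDS Pseudo HJT Report lines."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()

        # Hosts entries: DDS only lists non-default mappings, so anything that
        # points a hostname at a remote address is a redirect worth examining.
        m = HOSTS_RE.match(line)
        if m:
            ip_text, hostname = m.groups()
            if not is_loopback(ip_text):
                severity = "high" if hostname.endswith(".microsoft.com") else "medium"
                reason = f"hosts file maps {hostname} to remote address {ip_text}"
                findings.append((severity, reason, line))
            continue

        # Downloaded Program Files (ActiveX) entries: flag downloads from hosts
        # outside the assumed allowlist.
        m = DPF_RE.match(line)
        if m:
            host = urlsplit(refang(m.group(1))).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("medium", f"ActiveX download from untrusted host {host}", line))
            continue

        # Add-on registrations whose DLL no longer exists: leftovers of a removed
        # component, low severity but worth cleaning up.
        if ORPHAN_RE.match(line):
            findings.append(("low", "orphaned browser add-on registration (No File)", line))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, reason, line in analyze(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {line}")
```

Run against the sample, the script reports the two hosts-file redirects (the microsoft.com one as high), the Zango ActiveX download, and the two orphaned toolbar/explorer-bar entries, while leaving the Java download and the localhost mapping alone. The loopback check is deliberately a positive test on a parsed address rather than a string compare, so a malformed address is treated as a non-loopback finding instead of being silently skipped.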

#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 26 February 2010 - 09:07 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then please post back here with the following:
  • combofix.txt
  • MBAM log

Thanks



#3 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 26 February 2010 - 11:33 PM

ComboFix 10-02-26.01 - Bridget Brunson 02/26/2010 22:58:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.195 [GMT -5:00]
Running from: c:\documents and settings\Bridget Brunson\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 01:25 . 2010-02-09 16:22 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVEX32A.DLL
2010-02-27 01:25 . 2010-02-09 16:22 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVEX15.SYS
2010-02-27 01:25 . 2010-02-09 16:22 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVENG.SYS
2010-02-27 01:25 . 2010-02-09 16:22 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVENG32.DLL
2010-02-27 01:25 . 2010-02-09 16:22 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\EECTRL.SYS
2010-02-27 01:25 . 2010-02-09 16:22 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\CCERASER.DLL
2010-02-27 01:25 . 2010-02-09 16:22 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\ECMSVR32.DLL
2010-02-27 01:25 . 2010-02-09 16:22 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\ERASER.SYS
2010-02-27 01:12 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-27 01:12 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-02-26 05:00 . 2010-02-26 05:02 23113 ----a-w- c:\windows\hpqins15.dat
2010-02-25 22:00 . 2010-02-25 22:00 -------- d-----w- C:\N360_BACKUP
2010-02-25 21:51 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 21:51 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 21:51 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 21:51 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 21:51 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-19 21:42 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-19 21:42 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-19 21:42 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-19 21:42 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-19 21:42 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-11 05:21 . 2010-02-11 05:21 -------- d-----w- c:\documents and settings\Bridget Brunson\Local Settings\Application Data\Symantec
2010-02-10 05:03 . 2010-02-10 05:03 -------- d---a-w- c:\program files\Norton Support
2010-02-10 04:57 . 2010-02-10 04:57 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-10 04:57 . 2010-02-10 04:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-10 04:57 . 2010-02-10 04:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-10 04:57 . 2010-02-10 04:57 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-10 04:56 . 2010-02-10 04:56 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-10 04:56 . 2010-02-10 04:56 776952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-10 04:56 . 2010-02-11 04:50 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-10 04:56 . 2010-02-10 04:56 -------- d-----w- c:\program files\Norton Security Suite
2010-02-10 04:56 . 2010-02-10 04:56 -------- d-----w- c:\program files\Windows Sidebar
2010-02-10 04:56 . 2010-02-10 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-10 04:54 . 2010-02-10 04:54 -------- d-----w- c:\program files\NortonInstaller
2010-02-10 04:54 . 2010-02-10 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-09 03:04 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Bridget Brunson\Application Data\Mozilla\Firefox\Profiles\8dpig5sn.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 03:52 . 2010-01-07 23:19 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\HPAppData
2010-02-26 05:02 . 2009-12-30 14:03 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\HpUpdate
2010-02-21 00:00 . 2009-12-29 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-12 05:28 . 2009-08-08 03:00 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-10 10:59 . 2004-08-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-10 05:06 . 2004-08-04 20:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 04:57 . 2004-08-04 20:24 -------- d-----w- c:\program files\Symantec
2010-02-10 04:57 . 2010-02-10 04:57 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-10 04:57 . 2010-02-10 04:57 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-10 04:57 . 2006-09-19 21:44 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-10 04:56 . 2006-09-19 21:43 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-10 04:55 . 2009-09-25 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-09 16:53 . 2009-10-04 04:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-04 05:49 . 2009-09-04 02:17 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\BitTorrent
2010-02-04 04:37 . 2005-02-24 21:49 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\WeatherBug
2010-02-04 04:24 . 2004-08-04 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 06:09 . 2009-12-29 07:04 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-26 05:21 . 2010-01-26 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-01-15 05:03 . 2006-07-25 02:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 17:43 . 2010-01-14 17:43 -------- d-----w- c:\program files\DVD Decrypter
2009-12-31 02:54 . 2004-08-26 02:15 90512 -c--a-w- c:\documents and settings\Bridget Brunson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 14:09 . 2009-12-30 14:06 77352 ----a-w- c:\windows\hpqins05.dat
2009-12-30 14:09 . 2009-12-29 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-30 14:08 . 2009-12-30 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-29 07:06 . 2009-12-29 07:05 -------- d-----w- c:\program files\NCH Software
2009-12-29 06:37 . 2009-12-29 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-29 06:36 . 2009-12-29 06:36 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\HP
2009-12-29 06:36 . 2009-12-29 06:24 157529 ----a-w- c:\windows\hpoins28.dat
2009-12-29 06:34 . 2009-12-29 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-29 06:28 . 2009-12-29 06:26 -------- d-----w- c:\program files\HP
2009-12-29 06:28 . 2009-12-29 06:28 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-29 06:28 . 2009-12-29 06:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-29 06:27 . 2009-12-29 06:27 -------- d-----w- c:\program files\Common Files\HP
2009-12-11 02:02 . 2009-12-11 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 02:01 . 2009-12-11 02:01 152576 ----a-w- c:\documents and settings\Bridget Brunson\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-11 02:01 . 2009-12-11 02:01 79488 ----a-w- c:\documents and settings\Bridget Brunson\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-17_20.02.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-22 10:29 . 2009-10-22 10:29 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2010-02-27 01:13 . 2010-02-27 01:13 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
+ 2010-02-27 01:12 . 2010-02-27 01:12 16384 c:\windows\Temp\Perflib_Perfdata_23c.dat
+ 2008-07-18 18:13 . 2008-07-18 18:13 20992 c:\windows\SYSTEM32\hpzisn12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 29696 c:\windows\SYSTEM32\hpzipt12.dll
- 2006-11-08 21:35 . 2006-11-08 21:35 29696 c:\windows\SYSTEM32\hpzipt12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 33792 c:\windows\SYSTEM32\HPZipr12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 53760 c:\windows\SYSTEM32\HPZipm12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 44032 c:\windows\SYSTEM32\HPZinw12.dll
- 2006-11-08 21:35 . 2006-11-08 21:35 49152 c:\windows\SYSTEM32\HPZidr12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 49152 c:\windows\SYSTEM32\HPZidr12.dll
+ 2008-03-05 02:44 . 2008-03-05 02:44 39936 c:\windows\SYSTEM32\hpbpro.dll
+ 2008-03-05 02:45 . 2008-03-05 02:45 25600 c:\windows\SYSTEM32\hpboid.dll
+ 2008-03-05 02:44 . 2008-03-05 02:44 24576 c:\windows\SYSTEM32\hpbmiapi.dll
+ 2010-02-26 04:58 . 2010-02-26 04:58 65024 c:\windows\Installer\191b8ac.msi
+ 2008-03-05 02:44 . 2008-03-05 02:44 7680 c:\windows\SYSTEM32\hpbprops.dll
+ 2008-03-05 02:45 . 2008-03-05 02:45 7680 c:\windows\SYSTEM32\hpboidps.dll
+ 2007-04-24 15:33 . 2007-04-24 15:33 114688 c:\windows\SYSTEM32\hplbdchn.dll
+ 2010-02-26 05:01 . 2010-02-26 05:01 855040 c:\windows\Installer\191b8d0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-12-10 1597440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"USBestCR"="c:\program files\USIM Editor\iconcs15526000.exe" [2009-11-25 4808704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]

c:\documents and settings\Bridget Brunson\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\Bridget Brunson\My Documents\RCA Detective\RCADetective.exe [2009-12-11 942592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [2/10/2010 1:26 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [2/10/2010 1:26 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [2/10/2010 1:26 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 4:51 PM 329592]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/10/2010 1:25 AM 117640]
R3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\SYSTEM32\DRIVERS\ax88178.sys [6/25/2009 9:34 PM 24192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2010 7:37 PM 102448]
S2 AfaService;Afa Card Reader Service;c:\windows\SYSTEM32\afasrv32.exe [11/25/2009 6:18 PM 65536]
S3 MHIKEY10;MHIKEY10;c:\windows\SYSTEM32\DRIVERS\MHIKEY10.sys [11/25/2009 6:18 PM 51072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c10.cab?5c2286b2aaf8f3c1d0855799a4d110d00666446a76584b75ac01e3be0d210ec3d22ee9a3303d576e1281c6233932c6a2e667bcee15322a3b6efe4381ad:5e52d837461409ba5144aa8a93efb061
FF - ProfilePath - c:\documents and settings\Bridget Brunson\Application Data\Mozilla\Firefox\Profiles\8dpig5sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82FD88C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf853cf28
\Driver\ACPI -> ACPI.sys @ 0xf84afcb8
\Driver\atapi -> atapi.sys @ 0xf846ab3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-26 23:13:05
ComboFix-quarantined-files.txt 2010-02-27 04:12
ComboFix2.txt 2010-02-17 20:08

Pre-Run: 17,853,370,368 bytes free
Post-Run: 17,844,760,576 bytes free

- - End Of File - - EFBEABC03F314BA4968E1BC7D787F53D

Malwarebytes' Anti-Malware 1.44
Database version: 3799
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/26/2010 11:28:57 PM
mbam-log-2010-02-26 (23-28-57).txt

Scan type: Quick Scan
Objects scanned: 126606
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 27 February 2010 - 03:11 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#5 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:56 PM

Posted 27 February 2010 - 03:37 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:34 on 27/02/2010 by Bridget Brunson (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\DELL\ATAPI.EXE --a--c 28672 bytes [13:31 03/09/2002] [13:31 03/09/2002] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\I386\atapi.sys --a--c 87296 bytes [16:17 29/08/2004] [14:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:24 09/07/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [20:06 17/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\atapi.sys --a--c 95360 bytes [05:59 04/08/2004] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [17:12 09/07/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [05:00 01/01/1980] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 87296 bytes [20:06 04/08/2004] [14:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--c 87296 bytes [20:06 04/08/2004] [14:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18

-=End Of File=-
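The log above lists every copy of atapi.sys on the disk with its MD5, and the question a responder answers from it is whether the driver that actually loads from system32\drivers still matches the Service Pack reference copy, and how many distinct hashes of the same driver exist on the box. The following Python is an added example, not part of this thread and not SystemLook's or its author's code: it parses the :filefind line format, groups copies by hash, and compares the live driver with the reference. The sample lines are a constructed subset copied from the log above; the two path fragments used to pick the live and reference copies are assumptions about an XP SP3 layout.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the SystemLook ":filefind" output posted
# above, kept in the exact line format SystemLook prints.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\atapi.sys --a--c 87296 bytes [16:17 29/08/2004] [14:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:24 09/07/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [05:00 01/01/1980] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
"""

# One SystemLook result line: path, six attribute flags, size in bytes,
# created and modified timestamps in brackets, then the file's MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed path fragments (lower-cased) identifying the loaded driver and the
# Service Pack reference copy on an XP SP3 install, as in the log above.
LIVE_DRIVER_PART = "\\system32\\drivers\\"
REFERENCE_PART = "\\servicepackfiles\\i386\\"


def parse_filefind(log_text):
    """Return one dict per result line of a SystemLook :filefind section."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_md5(entries):
    """Map each distinct MD5 to the paths carrying it. Distinct hashes of the
    same driver name normally mean distinct versions, so a copy whose hash
    matches nothing else on the box deserves a closer look."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["md5"]].append(entry["path"])
    return dict(groups)


def check_live_driver(entries):
    """Compare the loaded driver under system32\\drivers with the Service Pack
    reference copy. Returns (verdict, details); verdict is 'match', 'differs'
    or 'missing' when one of the two copies is not in the log."""
    live = next((e for e in entries if LIVE_DRIVER_PART in e["path"].lower()), None)
    ref = next((e for e in entries if REFERENCE_PART in e["path"].lower()), None)
    if live is None or ref is None:
        return "missing", {"live": live, "reference": ref}
    same = live["md5"] == ref["md5"] and live["size"] == ref["size"]
    details = {"live": live["md5"], "reference": ref["md5"],
               "live_size": live["size"], "reference_size": ref["size"]}
    return ("match" if same else "differs"), details


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    print(check_live_driver(found))
    for digest, paths in group_by_md5(found).items():
        print(digest, len(paths), "copies")
```

Run on the sample, the live copy and the reference copy share the hash 9F3A2F5AA6875C72BF062C712CFA2674, so the verdict is "match", and the grouping shows four distinct hashes among the five copies; the 87296-byte and 95360-byte copies are older builds kept by the installer and Service Pack uninstall folders.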

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 27 February 2010 - 03:41 PM

We need to replace a file using the recovery console.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
CMD /K COPY C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\atapi.sys
  • The command prompt should pop up and say 1 file(s) copied; if it doesn't, please let me know before continuing.



Reboot your computer.

On the black screen with the startup menu, select Microsoft Windows Recovery Console.

When the recovery console has started there is a menu where you're asked to select which Windows installation you want to log in to, usually there is only one:

1. C:\WINDOWS

Select the number and press Enter.

If it asks you to type the administrator password, do so then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

COPY C:\atapi.sys C:\windows\system32\drivers\atapi.sys

It will then ask if you want to overwrite atapi.sys, press Y then Enter.

If successful, it should say "1 file(s) copied".

Then type EXIT and press Enter to reboot the machine.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.



#7 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:56 PM

Posted 03 March 2010 - 04:24 PM

I tried following the directions, but after I copied and pasted the file I couldn't figure out how to do the next step. After I reboot, where is the black screen? Where is the start up menu? I am also having trouble saving files. I think that this virus is using up my hard drive. I keep getting warnings that I have no memory. I never had that problem before.

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 04 March 2010 - 04:24 PM

So you're saying, when you reboot you don't get the selection menu to choose the recovery console?

Please post this log C:\Qoobox\ComboFix2.txt



#9 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:56 PM

Posted 04 March 2010 - 09:26 PM

I do get the screen, but it loads into Windows before I have a chance to read it.

#10 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:56 PM

Posted 04 March 2010 - 09:39 PM

My bad, I figured it out. Here is the log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82F588C8]<<
kernel: MBR read successfully
user & kernel MBR OK
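The detector output in the post above has a small fixed structure: whether the MBR could be read from user mode and from kernel mode, the list of modules in the disk I/O stack (with a >>UNKNOWN [address]<< marker for code the tool cannot attribute to a driver), an optional "detected MBR rootkit hooks" section, and the closing "user & kernel MBR OK" line. The following Python is an added example, not part of this thread and not Gmer's code: it parses that format and reduces it to the points a responder acts on. Both sample logs are constructed from lines posted in this thread, the first from the post above and the second from the detector section of the earlier ComboFix log, which also carries hook entries.

```python
import re

# Constructed sample 1: the mbr.exe log posted above, in its verbatim format.
MBR_LOG_STANDALONE = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82F588C8]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed sample 2: the same detector's section from the earlier ComboFix
# log in this thread, which also lists hook entries.
MBR_LOG_WITH_HOOKS = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82FD88C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf853cf28
\Driver\ACPI -> ACPI.sys @ 0xf84afcb8
\Driver\atapi -> atapi.sys @ 0xf846ab3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
"""

# Marker the tool prints for code in the disk stack it cannot map to a driver.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def analyze_mbr_log(text):
    """Parse the detector output into a structured report."""
    report = {
        "device_opened": False,
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_ok": False,            # tool printed "user & kernel MBR OK"
        "called_modules": [],       # named drivers in the disk I/O stack
        "unknown_modules": [],      # addresses the tool could not attribute
        "hooks": [],                # raw lines of the hooks section
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "device: opened successfully":
            report["device_opened"] = True
        elif line == "user: MBR read successfully":
            report["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            report["kernel_mbr_read"] = True
        elif line.startswith("called modules:"):
            body = line.split(":", 1)[1]
            report["unknown_modules"] = UNKNOWN_RE.findall(body)
            report["called_modules"] = UNKNOWN_RE.sub(" ", body).split()
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            report["mbr_ok"] = True
            in_hooks = False
        elif in_hooks:
            report["hooks"].append(line)
    return report


def findings(report):
    """Reduce the report to the points a responder follows up on."""
    out = []
    if not (report["user_mbr_read"] and report["kernel_mbr_read"]):
        out.append("MBR was not read successfully from both user and kernel mode")
    elif not report["mbr_ok"]:
        out.append('tool did not report "user & kernel MBR OK"')
    for addr in report["unknown_modules"]:
        out.append(f"unidentified code at {addr} in the disk I/O path; verify the "
                   "drivers on that path (here atapi.sys) against known-good copies")
    if report["hooks"]:
        out.append(f"{len(report['hooks'])} hook entries reported by the tool")
    return out


if __name__ == "__main__":
    for sample in (MBR_LOG_STANDALONE, MBR_LOG_WITH_HOOKS):
        for item in findings(analyze_mbr_log(sample)):
            print("-", item)
```

On the first sample the only finding is the unidentified module at 0x82F588C8, which is what makes the driver files on the disk path (atapi.sys among them) the natural thing to verify next; the second sample adds the eight hook lines, returned verbatim so the analyst can read the targets and addresses as the tool printed them.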


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 05 March 2010 - 04:07 PM

Please run combofix again and post the new log.



#12 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:56 PM

Posted 05 March 2010 - 04:37 PM

ComboFix 10-03-05.01 - Bridget Brunson 03/05/2010 16:24:02.3.1 - x86
Running from: c:\documents and settings\Bridget Brunson\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 21:08 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-05 21:08 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-05 18:38 . 2010-02-09 16:22 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVENG.SYS
2010-03-05 18:38 . 2010-02-09 16:22 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVENG32.DLL
2010-03-05 18:38 . 2010-02-09 16:22 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVEX32A.DLL
2010-03-05 18:38 . 2010-02-09 16:22 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVEX15.SYS
2010-03-05 18:38 . 2010-02-09 16:22 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\EECTRL.SYS
2010-03-05 18:38 . 2010-02-09 16:22 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\CCERASER.DLL
2010-03-05 18:38 . 2010-02-09 16:22 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\ECMSVR32.DLL
2010-03-05 18:38 . 2010-02-09 16:22 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\ERASER.SYS
2010-03-03 21:13 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys
2010-02-27 04:18 . 2010-02-27 04:18 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\Malwarebytes
2010-02-27 04:17 . 2010-02-27 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 05:00 . 2010-02-26 05:02 23113 ----a-w- c:\windows\hpqins15.dat
2010-02-25 22:00 . 2010-02-25 22:00 -------- d-----w- C:\N360_BACKUP
2010-02-25 21:51 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 21:51 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 21:51 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 21:51 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 21:51 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-19 21:42 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-19 21:42 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-19 21:42 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-19 21:42 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-19 21:42 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-11 05:21 . 2010-02-11 05:21 -------- d-----w- c:\documents and settings\Bridget Brunson\Local Settings\Application Data\Symantec
2010-02-10 05:03 . 2010-02-10 05:03 -------- d---a-w- c:\program files\Norton Support
2010-02-10 04:57 . 2010-02-10 04:57 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-10 04:57 . 2010-02-10 04:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-10 04:57 . 2010-02-10 04:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-10 04:57 . 2010-02-10 04:57 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-10 04:56 . 2010-02-10 04:56 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-10 04:56 . 2010-02-10 04:56 776952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-10 04:56 . 2010-02-11 04:50 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-10 04:56 . 2010-02-10 04:56 -------- d-----w- c:\program files\Norton Security Suite
2010-02-10 04:56 . 2010-02-10 04:56 -------- d-----w- c:\program files\Windows Sidebar
2010-02-10 04:56 . 2010-02-10 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-10 04:54 . 2010-02-10 04:54 -------- d-----w- c:\program files\NortonInstaller
2010-02-10 04:54 . 2010-02-10 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-09 03:04 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Bridget Brunson\Application Data\Mozilla\Firefox\Profiles\8dpig5sn.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 18:41 . 2009-12-30 14:03 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\HpUpdate
2010-03-03 21:14 . 2010-01-07 23:19 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\HPAppData
2010-03-03 21:11 . 2004-08-04 20:27 28352 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-02-28 20:42 . 2006-04-03 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-02-28 19:53 . 2009-08-08 03:00 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-28 19:51 . 2006-04-03 15:42 -------- d-----w- c:\program files\Kodak
2010-02-28 19:49 . 2004-08-04 20:15 -------- d-----w- c:\program files\Java
2010-02-28 19:47 . 2004-08-04 20:23 -------- d-----w- c:\program files\Jasc Software Inc
2010-02-21 00:00 . 2009-12-29 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-10 10:59 . 2004-08-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-10 05:06 . 2004-08-04 20:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 04:57 . 2004-08-04 20:24 -------- d-----w- c:\program files\Symantec
2010-02-10 04:57 . 2010-02-10 04:57 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-10 04:57 . 2010-02-10 04:57 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-10 04:57 . 2006-09-19 21:44 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-10 04:56 . 2006-09-19 21:43 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-10 04:55 . 2009-09-25 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-04 05:49 . 2009-09-04 02:17 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\BitTorrent
2010-02-04 04:37 . 2005-02-24 21:49 -------- d-----w- c:\documents and settings\Bridget Brunson\Application Data\WeatherBug
2010-02-04 04:24 . 2004-08-04 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 06:09 . 2009-12-29 07:04 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-26 05:21 . 2010-01-26 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-01-15 05:03 . 2006-07-25 02:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 17:43 . 2010-01-14 17:43 -------- d-----w- c:\program files\DVD Decrypter
2009-12-31 02:54 . 2004-08-26 02:15 90512 -c--a-w- c:\documents and settings\Bridget Brunson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 14:09 . 2009-12-30 14:06 77352 ----a-w- c:\windows\hpqins05.dat
2009-12-29 06:36 . 2009-12-29 06:24 157529 ----a-w- c:\windows\hpoins28.dat
2009-12-11 02:02 . 2009-12-11 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-17_20.02.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-22 10:29 . 2009-10-22 10:29 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2010-03-05 21:08 . 2010-03-05 21:08 16384 c:\windows\Temp\Perflib_Perfdata_3bc.dat
+ 2008-07-18 18:13 . 2008-07-18 18:13 20992 c:\windows\SYSTEM32\hpzisn12.dll
- 2006-11-08 21:35 . 2006-11-08 21:35 29696 c:\windows\SYSTEM32\hpzipt12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 29696 c:\windows\SYSTEM32\hpzipt12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 33792 c:\windows\SYSTEM32\HPZipr12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 53760 c:\windows\SYSTEM32\HPZipm12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 44032 c:\windows\SYSTEM32\HPZinw12.dll
+ 2008-07-18 18:13 . 2008-07-18 18:13 49152 c:\windows\SYSTEM32\HPZidr12.dll
- 2006-11-08 21:35 . 2006-11-08 21:35 49152 c:\windows\SYSTEM32\HPZidr12.dll
+ 2008-03-05 02:44 . 2008-03-05 02:44 39936 c:\windows\SYSTEM32\hpbpro.dll
+ 2008-03-05 02:45 . 2008-03-05 02:45 25600 c:\windows\SYSTEM32\hpboid.dll
+ 2008-03-05 02:44 . 2008-03-05 02:44 24576 c:\windows\SYSTEM32\hpbmiapi.dll
+ 1980-01-01 05:00 . 2008-04-13 18:40 96512 c:\windows\SYSTEM32\DLLCACHE\atapi.sys
+ 2010-02-26 04:58 . 2010-02-26 04:58 65024 c:\windows\Installer\191b8ac.msi
+ 1980-01-01 05:00 . 2008-04-13 18:40 96512 c:\windows\ATAPI.SYS
+ 2008-03-05 02:44 . 2008-03-05 02:44 7680 c:\windows\SYSTEM32\hpbprops.dll
+ 2008-03-05 02:45 . 2008-03-05 02:45 7680 c:\windows\SYSTEM32\hpboidps.dll
+ 2007-04-24 15:33 . 2007-04-24 15:33 114688 c:\windows\SYSTEM32\hplbdchn.dll
+ 2010-02-26 05:01 . 2010-02-26 05:01 855040 c:\windows\Installer\191b8d0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-12-10 1597440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"USBestCR"="c:\program files\USIM Editor\iconcs15526000.exe" [2009-11-25 4808704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2004-04-19 53248]

c:\documents and settings\Bridget Brunson\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\Bridget Brunson\My Documents\RCA Detective\RCADetective.exe [2009-12-11 942592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [2/10/2010 1:26 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [2/10/2010 1:26 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [2/10/2010 1:26 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 4:51 PM 329592]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/10/2010 1:25 AM 117640]
R3 AX88178;10/100 Gigabit USB2.0 Network Adapter;c:\windows\SYSTEM32\DRIVERS\ax88178.sys [6/25/2009 9:34 PM 24192]
S2 AfaService;Afa Card Reader Service;c:\windows\SYSTEM32\afasrv32.exe [11/25/2009 6:18 PM 65536]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2010 7:37 PM 102448]
S3 MHIKEY10;MHIKEY10;c:\windows\SYSTEM32\DRIVERS\MHIKEY10.sys [11/25/2009 6:18 PM 51072]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bridget Brunson\Application Data\Mozilla\Firefox\Profiles\8dpig5sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 16:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-05 16:34:25
ComboFix-quarantined-files.txt 2010-03-05 21:34
ComboFix2.txt 2010-02-27 04:13
ComboFix3.txt 2010-02-17 20:08

Pre-Run: 5,079,678,976 bytes free
Post-Run: 5,038,026,752 bytes free

- - End Of File - - 79A26026AAA95FADC40CA30FE0B47555


#13 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 06 March 2010 - 12:46 AM

Symantec keeps making me reboot my computer. It found something called Tideserv!inf by Auto Protect

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:56 PM

Posted 06 March 2010 - 04:01 PM

Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\ATAPI.SYS
c:\windows\SYSTEM32\DLLCACHE\atapi.sys

Please post back with the link to the scan results in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


Then please run combofix again and post the new log.



#15 Chas Brunson

Chas Brunson
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 07 March 2010 - 03:25 PM

File atapi.sys received on 2010.03.07 17:09:21 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.07 -
AhnLab-V3 5.0.0.2 2010.03.07 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 -
Avast 4.8.1351.0 2010.03.07 -
Avast5 5.0.332.0 2010.03.07 -
AVG 9.0.0.787 2010.03.07 -
BitDefender 7.2 2010.03.07 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.07 -
eSafe 7.0.17.0 2010.03.04 Win32.Rootkit
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 -
F-Secure 9.0.15370.0 2010.03.07 -
Fortinet 4.0.14.0 2010.03.07 -
GData 19 2010.03.07 -
Ikarus T3.1.1.80.0 2010.03.07 -
Jiangmin 13.0.900 2010.03.07 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.07 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 -
McAfee-GW-Edition 6.8.5 2010.03.07 -
Microsoft 1.5502 2010.03.07 -
NOD32 4922 2010.03.07 -
Norman 6.04.08 2010.03.07 -
nProtect 2009.1.8.0 2010.03.07 -
Panda 10.0.2.2 2010.03.07 -
PCTools 7.0.3.5 2010.03.04 -
Rising 22.37.06.04 2010.03.07 -
Sophos 4.51.0 2010.03.07 -
Sunbelt 5780 2010.03.07 -
Symantec 20091.2.0.41 2010.03.07 -
TheHacker 6.5.1.9.223 2010.03.07 -
TrendMicro 9.120.0.1004 2010.03.07 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
Additional information
File size: 96512 bytes
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159F7
timedatestamp.....: 0x4802539D (Sun Apr 13 20:40:29 2008)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97BA 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9B80 0x18E8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xB480 0xA64 0xA80 4.31 8523651899e28819a14bf9415af25708
.data 0xBF00 0xD94 0xE00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xCD00 0x157F 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xE280 0x61DA 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22BE 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3E0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16B80 0xD20 0xD80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...f062c712cfa2674
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
sigcheck: publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set