Windows Internet Security 2010


55 replies to this topic

#1 Pulin (Members)

Posted 04 March 2010 - 03:53 PM

Hi,
I am posting this issue again because initially I was not aware of uploading the various log files; this time I am taking care of it.

Last week, somehow, Windows Internet Security 2010 was downloaded on my laptop and hijacked Windows Firewall and the antivirus. I ran Spybot Search and Destroy, Ad-Aware, Spyware Doctor, Spyware Terminator, iKill and Malwarebytes. The virus was detected and removed by Spyware Terminator. After that I have another issue: when I do a Google search in Internet Browser and Firefox, I am getting search results, but when I click on a particular link the page is redirected to some other unintended page (possibly spyware/virus). Can you help me to resolve the issue? It is not even allowing me to launch the Google Chrome browser.
I have McAfee and Symantec (installed yesterday) antivirus.
I have XP Professional OP.
Pl. help.
Thanks,
PULIN

#2 Blind Faith (Malware Response Team)

Posted 07 March 2010 - 03:35 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log






#3 Pulin (Topic Starter)

Posted 08 March 2010 - 08:26 PM

Hi,
Thanks for your reply.
Herewith I am forwarding new log files. Hope they will be helpful to resolve my issue.
As mentioned earlier, I got the Windows Internet Security 2010 virus downloaded and it took control of my firewall and antivirus. I somehow removed it (possibly, not sure) using Malwarebytes. Now I have another issue: when I do a search using Google or Yahoo, I get search results, but when I click a particular search result it gets redirected to an unintended website (possibly spyware or malware). I need help to resolve the Internet Security 2010 and redirecting page issue. I also experienced today that my laptop gets rebooted on its own. It happened three times while running gmer.exe.
I have XP professional OP.
I hope this is enough information about my problem. Pl. let me know if further information is needed.
Thanks,
PULIN


#4 etavares (Malware Response Team)

Posted 10 March 2010 - 07:30 PM

Hello, Pulin.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578



Step 1

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or PC Tools.



Step 2

1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy



Step 3

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as PulinCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on PulinCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Please copy and paste the logs into your reply instead of attaching them.

etavares




#5 Pulin (Topic Starter)

Posted 11 March 2010 - 01:26 PM

Hi,
Thanks for your reply. As per your instruction I have run ComboFix and its log files are shown below. Somehow I was not able to disable my McAfee antivirus enterprise, so I ran ComboFix twice, before and after removing the antivirus.
Below is the log file before removing the antivirus. The log file after removing the antivirus is attached with this message as log-2.txt. In the same way combofix.txt is before removing the antivirus and combofix-2.txt is after removing the antivirus. Hope this information will be helpful to fix my issue.





ComboFix 10-03-10.08 - PULIN 03/11/2010 11:34:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1331 [GMT -6:00]
Running from: c:\documents and settings\PULIN\Desktop\pulinCF.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1644491937-1292428093-725345543-1003
c:\recycler\S-1-5-21-1682508817-1800803623-1141150777-1003
c:\recycler\S-1-5-21-2290454960-2953975225-4089710087-1003
c:\recycler\S-1-5-21-246832256-3006914963-493307199-1003
c:\recycler\S-1-5-21-3293920870-4118683337-1468059775-1003
c:\recycler\S-1-5-21-939244760-1862961615-370437480-1003
C:\Thumbs.db
c:\windows\regsvr32.exe
c:\windows\setup.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\Thumbs.db

----- BITS: Possible infected sites -----

hxxp://SCCMSITESRV.MATRIX.TXSTATE.EDU:80
.
((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.

2010-03-08 20:03 . 2010-03-08 20:03 -------- d-----w- C:\spoolerlogs
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-02 22:53 . 2010-03-02 22:53 -------- d-----w- c:\documents and settings\Temp\Application Data\PC Tools
2010-03-02 22:39 . 2010-03-02 22:39 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\Identities
2010-03-02 22:38 . 2010-03-02 22:38 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\Ahead
2010-03-02 22:38 . 2010-03-02 22:38 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\Symantec
2010-03-02 17:27 . 2010-03-02 17:27 -------- d-----w- c:\program files\McAfee Security Scan
2010-03-02 17:26 . 2010-03-11 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-01 20:37 . 2010-03-01 20:37 -------- d-----w- c:\documents and settings\PULIN\Local Settings\Application Data\Symantec
2010-03-01 20:35 . 2010-03-02 22:43 40 ----a-w- c:\windows\system32\profile.dat
2010-03-01 20:28 . 2010-03-03 22:57 -------- d-----w- c:\program files\Symantec
2010-03-01 20:27 . 2010-03-03 22:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-01 20:27 . 2010-03-01 20:27 -------- d-----w- c:\program files\Symantec Client Security
2010-03-01 20:07 . 2010-03-01 20:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-01 17:14 . 2010-03-01 17:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-28 23:54 . 2010-02-28 23:54 -------- d-----w- c:\program files\Trend Micro
2010-02-27 19:48 . 2010-03-11 16:50 -------- d-----w- c:\program files\Crawler
2010-02-27 04:00 . 2010-02-27 04:00 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2010-02-27 04:00 . 2010-02-27 04:00 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2010-02-27 04:00 . 2010-02-27 04:00 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-02-27 04:00 . 2010-02-27 20:07 -------- d-----w- c:\documents and settings\PULIN\Application Data\Spyware Terminator
2010-02-27 04:00 . 2010-02-28 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-02-27 04:00 . 2010-02-28 06:28 -------- d-----w- c:\program files\Spyware Terminator
2010-02-27 03:56 . 2009-08-19 17:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-27 03:56 . 2010-03-11 16:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-27 03:55 . 2010-03-11 16:49 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-02-25 19:57 . 2010-02-25 19:57 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-25 19:56 . 2010-02-25 19:56 -------- d-----w- c:\documents and settings\PULIN\Application Data\Malwarebytes
2010-02-25 19:56 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 19:56 . 2010-02-25 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 19:56 . 2010-02-25 19:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 19:56 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 17:33 . 2010-02-23 17:33 -------- d-----w- c:\documents and settings\PULIN\Local Settings\Application Data\Threat Expert
2010-02-23 16:47 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-02-23 16:46 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-02-23 16:46 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-02-23 15:46 . 2010-02-24 04:36 -------- d-----w- c:\program files\Spyware Doctor
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 21:08 . 2010-02-17 21:08 -------- d-----w- c:\program files\Common Files\WexTech Shared
2010-02-17 21:08 . 2010-02-17 21:08 -------- d-----w- c:\program files\Common Files\LHSPF
2010-02-17 21:08 . 1996-08-09 07:30 68880 ----a-w- c:\windows\REGINI.EXE
2010-02-17 21:07 . 1998-10-19 16:11 167424 ----a-w- c:\windows\system32\awrtl30.dll
2010-02-17 21:07 . 1998-06-17 06:00 94285 ----a-w- c:\windows\system32\MSVCIRTD.DLL
2010-02-17 21:07 . 1998-06-17 06:00 516173 ----a-w- c:\windows\system32\MSVCP60D.DLL
2010-02-17 21:07 . 1999-03-23 05:00 929844 ----a-w- c:\windows\system32\MFC42D.DLL
2010-02-17 21:07 . 1999-03-23 05:00 798773 ----a-w- c:\windows\system32\MFCO42D.DLL
2010-02-17 21:07 . 1998-08-04 16:22 111616 ----a-w- c:\windows\system32\Ltih30tb.dll
2010-02-17 21:07 . 1999-03-23 05:00 401484 ----a-w- c:\windows\system32\MSVCRTD.DLL
2010-02-17 21:04 . 2010-02-19 18:05 -------- d-----w- C:\Millennium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 16:47 . 2008-11-14 19:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 21:28 . 2007-02-15 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-07 22:27 . 2007-01-14 19:28 -------- d-----w- c:\documents and settings\PULIN\Application Data\U3
2010-03-07 18:34 . 2006-01-02 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 18:19 . 2006-11-21 17:57 131816 -c--a-w- c:\documents and settings\PULIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 20:27 . 2005-07-23 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-22 15:53 . 2005-07-13 20:38 -------- d-----w- c:\program files\Google
2010-02-13 22:55 . 2007-06-18 15:34 99516 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\documents and settings\PULIN\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-28 00:30 . 2010-01-28 00:30 -------- d-----w- c:\program files\DIFX
2010-01-28 00:29 . 2010-01-28 00:29 -------- d-----w- c:\program files\Keyspan
2010-01-28 00:29 . 2005-07-13 18:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 00:26 . 2010-01-28 00:26 -------- d-----w- c:\program files\Common Files\Polymer Laboratories
2010-01-28 00:26 . 2010-01-28 00:26 -------- d-----w- c:\program files\Polymer Laboratories
2010-01-28 00:24 . 2010-01-28 00:24 -------- d-----w- c:\program files\Renaissance
2010-01-27 21:31 . 2010-01-27 21:30 -------- d-----w- c:\program files\iTunes
2010-01-27 21:30 . 2006-04-22 04:26 -------- d-----w- c:\program files\iPod
2010-01-27 21:30 . 2007-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple
2010-01-27 21:25 . 2010-01-27 21:24 -------- d-----w- c:\program files\QuickTime
2010-01-27 21:19 . 2010-01-27 21:19 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-31 16:50 . 2008-02-12 08:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-02-12 19:59 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 21:00 . 2008-04-10 21:36 256 -c--a-w- c:\windows\system32\pool.bin
2009-12-16 18:43 . 2005-07-13 18:08 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-02-12 19:58 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-09-29 14:07 . 2009-01-14 16:30 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2007-06-27 16:46 . 2007-06-27 16:46 88 -csha-r- c:\windows\system32\C956A61D0F.sys
2007-06-27 16:49 . 2007-06-27 16:46 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Visitor\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 22:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 19:43 133104 ----atw- c:\documents and settings\PULIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-06-09 23:56 6746112 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
2010-02-27 04:00 2166784 ----a-w- c:\program files\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminatorUpdate]
2010-02-27 04:00 3037696 ----a-w- c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-30 17:18 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 3]
2007-05-16 01:46 551032 ----a-w- c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\PULIN\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2004\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Common Files\\Sony Shared\\VAIO Entertainment Platform\\VCSW\\VCSW.exe"=
"c:\\Program Files\\Sony\\VAIO Media Registration Tool\\VmpClient.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\SV_Httpd.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\UPnPFramework.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\VMConsole.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Documents and Settings\\PULIN\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\PULIN\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\DELL\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/6/2009 1:45 PM 64160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2/26/2010 10:00 PM 142592]
R2 Impressionist Server;Impressionist Server;c:\program files\Renaissance\Impressionist\ImpServer.exe [2/5/2004 4:34 PM 90112]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 7:09 AM 93320]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/14/2009 10:30 AM 67904]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [12/2/2006 12:47 PM 7424]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [6/17/2009 2:17 PM 434864]
R3 VAIO TV Tuner Library Service;VAIO TV Tuner Library Service;c:\program files\Common Files\Sony Shared\TVTunerLib\TunerLibSvc.exe [2/20/2007 10:27 AM 61440]
S2 OracleServiceMIL3;OracleServiceMIL3;c:\millennium\ora\bin\oracle80.exe MIL3 --> c:\millennium\ora\bin\oracle80.exe MIL3 [?]
S2 OracleStartMIL3;OracleStartMIL3;c:\millennium\Ora\BIN\STRTDB80.EXE [2/17/2010 3:07 PM 5632]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [7/13/2005 12:28 PM 16194]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/14/2009 10:30 AM 64432]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [5/31/2008 12:31 PM 91830]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 19:46]

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-20 14:20]

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1447914817-3732023553-1120123104-1006Core.job
- c:\documents and settings\PULIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:43]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1447914817-3732023553-1120123104-1006UA.job
- c:\documents and settings\PULIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:43]

2005-12-30 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-07-13 19:59]

2010-03-11 c:\windows\Tasks\User_Feed_Synchronization-{299DFD4A-CC3E-42DD-9257-2F105002A4BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2010-03-11 c:\windows\Tasks\User_Feed_Synchronization-{E5961BAD-FF14-43F3-8343-6B4120A4CF7E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2010-03-11 c:\windows\Tasks\User_Feed_Synchronization-{F037AA34-1C4F-4D26-BFF4-3CD731AEC1AD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Copy to &Lightning Note - c:\program files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: Crawler Search - tbr:iemenu
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: localhost
Trusted Zone: txstate.edu\*.jupiter
Trusted Zone: txstate.edu\*.sap
Trusted Zone: txstate.edu\bobcatmail
Trusted Zone: txstate.edu\bobcatshare
Trusted Zone: txstate.edu\catsweb
Trusted Zone: txstate.edu\sccmsitesrv.matrix
Trusted Zone: txstate.edu\share.it
Trusted Zone: txstate.edu\synergy
Trusted Zone: txstate.edu\uweb
Trusted Zone: txstate.edu\www
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://amrut1.na.baps.org/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\PULIN\Application Data\Mozilla\Firefox\Profiles\5hqjwzny.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Crawler\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\firefox\components\xwsg.dll
FF - plugin: c:\documents and settings\PULIN\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\PULIN\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-iKill - c:\program files\ArpanTECH\iKill\iKill.exe
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
MSConfigStartUp-PCTAVApp - c:\program files\PC Tools AntiVirus\PCTAV.exe
AddRemove-PAUninstall - c:\program files\NewSoft\PhotoAlbum\DeIsL1.isu
AddRemove-Uninstall VistaShuttle - c:\program files\Newsoft\VistaShuttle\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 11:44
Windows 5.1.2600 Service Pack 3, v.5857 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-03-11 11:48:45
ComboFix-quarantined-files.txt 2010-03-11 17:48

Pre-Run: 8,691,343,360 bytes free
Post-Run: 8,835,817,472 bytes free

- - End Of File - - EB1F7682D33AE2F8EB6C257CB8893A21




#6 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 March 2010 - 06:37 PM

Hello, Pulin.
OK, ComboFix didn't fix the issues. Let's try TDSSKiller. If not, we'll do this manually. Also, I forgot to warn you:



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1
  1. Make a new folder on your desktop by Right-clicking, selecting New --> Folder and name it TDSSKiller.
  2. Download TDSSKiller.zip and save it to the folder you just created and name the file TDSSKiller.zip
  3. Open the folder, Right Click on TDSSKiller.zip and select Extract all...select "Next" and "Finish" until it's complete.
  4. Open Notepad and copy and paste the lines below (excluding the word CODE):
    CODE
    @ECHO OFF
    TDSSKiller.exe -l report.txt -v
    DEL %0
  5. Go to File -> Save as.
  6. At "Save to", choose: C:\TDSSKiller\TDSSKiller
  7. At "File name", type start.bat
  8. At "File type" select: All files (*.*).
  9. Now click on the Save button.
  10. Open the folder C:\TDSSKiller\TDSSKiller and double-click on start.bat. This will activate TDSSKiller. Please post the log that opens in your next reply.

If you need to find the log manually, look for C:\TDSSKiller\TDSSKiller\report.txt and copy and paste it in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 Pulin
  • Topic Starter
  • Members
  • 37 posts

Posted 12 March 2010 - 10:17 AM

Hi,
Log of TDSSKiller is:

09:13:15:937 1572 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
09:13:15:937 1572 ================================================================================
09:13:15:937 1572 SystemInfo:

09:13:15:937 1572 OS Version: 5.1.2600 ServicePack: 3.0
09:13:15:937 1572 Product type: Workstation
09:13:15:937 1572 ComputerName: NAYAN
09:13:15:937 1572 UserName: PULIN
09:13:15:937 1572 Windows directory: C:\WINDOWS
09:13:15:937 1572 Processor architecture: Intel x86
09:13:15:937 1572 Number of processors: 1
09:13:15:937 1572 Page size: 0x1000
09:13:15:937 1572 Boot type: Normal boot
09:13:15:937 1572 ================================================================================
09:13:15:937 1572 UnloadDriverW: NtUnloadDriver error 2
09:13:15:937 1572 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:13:15:968 1572 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:13:15:968 1572 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:13:15:968 1572 wfopen_ex: Trying to KLMD file open
09:13:15:968 1572 wfopen_ex: File opened ok (Flags 2)
09:13:15:968 1572 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:13:15:968 1572 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:13:15:968 1572 wfopen_ex: Trying to KLMD file open
09:13:15:968 1572 wfopen_ex: File opened ok (Flags 2)
09:13:15:968 1572 Initialize success
09:13:15:968 1572
09:13:15:968 1572 Scanning Services ...
09:13:16:468 1572 GetAdvancedServicesInfo: Raw services enum returned 446 services
09:13:16:468 1572
09:13:16:468 1572 Scanning Kernel memory ...
09:13:16:500 1572 Devices to scan: 7
09:13:16:500 1572
09:13:16:500 1572 Driver Name: Disk
09:13:16:500 1572 IRP_MJ_CREATE : BA90EBB0
09:13:16:500 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:500 1572 IRP_MJ_CLOSE : BA90EBB0
09:13:16:500 1572 IRP_MJ_READ : BA908D1F
09:13:16:500 1572 IRP_MJ_WRITE : BA908D1F
09:13:16:500 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:500 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:500 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:500 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:500 1572 IRP_MJ_FLUSH_BUFFERS : BA9092E2
09:13:16:500 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:500 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:500 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:500 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:500 1572 IRP_MJ_DEVICE_CONTROL : BA9093BB
09:13:16:500 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
09:13:16:500 1572 IRP_MJ_SHUTDOWN : BA9092E2
09:13:16:500 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:500 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:500 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:500 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:500 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:500 1572 IRP_MJ_POWER : BA90AC82
09:13:16:500 1572 IRP_MJ_SYSTEM_CONTROL : BA90F99E
09:13:16:500 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:500 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:500 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:515 1572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:13:16:515 1572
09:13:16:515 1572 Driver Name: usbstor
09:13:16:515 1572 IRP_MJ_CREATE : BAC6D218
09:13:16:515 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:515 1572 IRP_MJ_CLOSE : BAC6D218
09:13:16:515 1572 IRP_MJ_READ : BAC6D23C
09:13:16:515 1572 IRP_MJ_WRITE : BAC6D23C
09:13:16:515 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:515 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:515 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:515 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:515 1572 IRP_MJ_FLUSH_BUFFERS : 804F355A
09:13:16:515 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:515 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:515 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:515 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:515 1572 IRP_MJ_DEVICE_CONTROL : BAC6D180
09:13:16:515 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC689E6
09:13:16:515 1572 IRP_MJ_SHUTDOWN : 804F355A
09:13:16:515 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:515 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:515 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:515 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:515 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:515 1572 IRP_MJ_POWER : BAC6C5F0
09:13:16:515 1572 IRP_MJ_SYSTEM_CONTROL : BAC6AA6E
09:13:16:515 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:515 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:515 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:531 1572 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
09:13:16:531 1572
09:13:16:562 1572 Driver Name: Disk
09:13:16:562 1572 IRP_MJ_CREATE : BA90EBB0
09:13:16:562 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:562 1572 IRP_MJ_CLOSE : BA90EBB0
09:13:16:562 1572 IRP_MJ_READ : BA908D1F
09:13:16:562 1572 IRP_MJ_WRITE : BA908D1F
09:13:16:562 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:562 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:562 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:562 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:562 1572 IRP_MJ_FLUSH_BUFFERS : BA9092E2
09:13:16:562 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:562 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:562 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:562 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:562 1572 IRP_MJ_DEVICE_CONTROL : BA9093BB
09:13:16:562 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
09:13:16:562 1572 IRP_MJ_SHUTDOWN : BA9092E2
09:13:16:562 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:562 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:562 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:562 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:562 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:562 1572 IRP_MJ_POWER : BA90AC82
09:13:16:562 1572 IRP_MJ_SYSTEM_CONTROL : BA90F99E
09:13:16:562 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:562 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:562 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:562 1572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:13:16:562 1572
09:13:16:562 1572 Driver Name: tifmsony
09:13:16:562 1572 IRP_MJ_CREATE : B991A0AA
09:13:16:562 1572 IRP_MJ_CREATE_NAMED_PIPE : B990948E
09:13:16:562 1572 IRP_MJ_CLOSE : B991A0DA
09:13:16:562 1572 IRP_MJ_READ : B991A15E
09:13:16:562 1572 IRP_MJ_WRITE : B991A15E
09:13:16:562 1572 IRP_MJ_QUERY_INFORMATION : B990948E
09:13:16:562 1572 IRP_MJ_SET_INFORMATION : B990948E
09:13:16:562 1572 IRP_MJ_QUERY_EA : B990948E
09:13:16:562 1572 IRP_MJ_SET_EA : B990948E
09:13:16:562 1572 IRP_MJ_FLUSH_BUFFERS : B991A15E
09:13:16:562 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : B990948E
09:13:16:562 1572 IRP_MJ_SET_VOLUME_INFORMATION : B990948E
09:13:16:562 1572 IRP_MJ_DIRECTORY_CONTROL : B990948E
09:13:16:562 1572 IRP_MJ_FILE_SYSTEM_CONTROL : B990948E
09:13:16:562 1572 IRP_MJ_DEVICE_CONTROL : B991A10A
09:13:16:562 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : B991A134
09:13:16:562 1572 IRP_MJ_SHUTDOWN : B991A15E
09:13:16:562 1572 IRP_MJ_LOCK_CONTROL : B990948E
09:13:16:562 1572 IRP_MJ_CLEANUP : B991A06C
09:13:16:562 1572 IRP_MJ_CREATE_MAILSLOT : B990948E
09:13:16:562 1572 IRP_MJ_QUERY_SECURITY : B990948E
09:13:16:562 1572 IRP_MJ_SET_SECURITY : B990948E
09:13:16:562 1572 IRP_MJ_POWER : B991A1A8
09:13:16:562 1572 IRP_MJ_SYSTEM_CONTROL : B991A1D2
09:13:16:562 1572 IRP_MJ_DEVICE_CHANGE : B990948E
09:13:16:562 1572 IRP_MJ_QUERY_QUOTA : B990948E
09:13:16:562 1572 IRP_MJ_SET_QUOTA : B990948E
09:13:16:578 1572 C:\WINDOWS\system32\drivers\tifmsony.sys - Verdict: 1
09:13:16:578 1572
09:13:16:578 1572 Driver Name: Disk
09:13:16:578 1572 IRP_MJ_CREATE : BA90EBB0
09:13:16:578 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:578 1572 IRP_MJ_CLOSE : BA90EBB0
09:13:16:578 1572 IRP_MJ_READ : BA908D1F
09:13:16:578 1572 IRP_MJ_WRITE : BA908D1F
09:13:16:578 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:578 1572 IRP_MJ_FLUSH_BUFFERS : BA9092E2
09:13:16:578 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_DEVICE_CONTROL : BA9093BB
09:13:16:578 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
09:13:16:578 1572 IRP_MJ_SHUTDOWN : BA9092E2
09:13:16:578 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:578 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_POWER : BA90AC82
09:13:16:578 1572 IRP_MJ_SYSTEM_CONTROL : BA90F99E
09:13:16:578 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:578 1572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:13:16:578 1572
09:13:16:578 1572 Driver Name: Disk
09:13:16:578 1572 IRP_MJ_CREATE : BA90EBB0
09:13:16:578 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:578 1572 IRP_MJ_CLOSE : BA90EBB0
09:13:16:578 1572 IRP_MJ_READ : BA908D1F
09:13:16:578 1572 IRP_MJ_WRITE : BA908D1F
09:13:16:578 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:578 1572 IRP_MJ_FLUSH_BUFFERS : BA9092E2
09:13:16:578 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_DEVICE_CONTROL : BA9093BB
09:13:16:578 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
09:13:16:578 1572 IRP_MJ_SHUTDOWN : BA9092E2
09:13:16:578 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:578 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_POWER : BA90AC82
09:13:16:578 1572 IRP_MJ_SYSTEM_CONTROL : BA90F99E
09:13:16:578 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:578 1572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:13:16:578 1572
09:13:16:578 1572 Driver Name: atapi
09:13:16:578 1572 IRP_MJ_CREATE : BA6F76F2
09:13:16:578 1572 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:13:16:578 1572 IRP_MJ_CLOSE : BA6F76F2
09:13:16:578 1572 IRP_MJ_READ : 804F355A
09:13:16:578 1572 IRP_MJ_WRITE : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_EA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_EA : 804F355A
09:13:16:578 1572 IRP_MJ_FLUSH_BUFFERS : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:13:16:578 1572 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_DEVICE_CONTROL : BA6F7712
09:13:16:578 1572 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA6F3850
09:13:16:578 1572 IRP_MJ_SHUTDOWN : 804F355A
09:13:16:578 1572 IRP_MJ_LOCK_CONTROL : 804F355A
09:13:16:578 1572 IRP_MJ_CLEANUP : 804F355A
09:13:16:578 1572 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_SET_SECURITY : 804F355A
09:13:16:578 1572 IRP_MJ_POWER : BA6F773C
09:13:16:578 1572 IRP_MJ_SYSTEM_CONTROL : BA6FE336
09:13:16:578 1572 IRP_MJ_DEVICE_CHANGE : 804F355A
09:13:16:578 1572 IRP_MJ_QUERY_QUOTA : 804F355A
09:13:16:578 1572 IRP_MJ_SET_QUOTA : 804F355A
09:13:16:593 1572 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
09:13:16:593 1572
09:13:16:593 1572 Completed
09:13:16:593 1572
09:13:16:593 1572 Results:
09:13:16:593 1572 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:13:16:593 1572 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:13:16:593 1572 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:13:16:593 1572
09:13:16:593 1572 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:13:16:593 1572 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:13:16:593 1572 KLMD(ARK) unloaded successfully



Thanks,
PULIN

Edited by Pulin, 12 March 2010 - 10:19 AM.


#8 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 March 2010 - 03:52 PM

OK, let's do this manually. Do you have Windows installation CD handy?




#9 Pulin
  • Topic Starter
  • Members
  • 37 posts

Posted 13 March 2010 - 12:03 PM

Hi,
Yes, I have the Windows XP Professional CD handy, but it would be available on Monday because of the weekend.
Is this OK?
Thanks,
PULIN

#10 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 14 March 2010 - 09:44 AM

Hello, Pulin.
Ok, that will work. We need to replace an important Windows system file that has been patched by malware. We may be able to find a clean copy without the disk. Let's take a look.



Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    atapi.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


etavares




#11 Pulin
  • Topic Starter
  • Members
  • 37 posts

Posted 14 March 2010 - 03:35 PM

Hi,
SystemLook log file is as under:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:31 on 14/03/2010 by PULIN (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Documents and Settings\pp20\Desktop\New Folder\WXPVOL_EN (E)\I386\ATAPI.SY_ --a--- 50008 bytes [21:35 12/10/2009] [08:13 12/02/2008] 6E47F5B17EE16FFCC6AAF45F8A3A7346
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] B7971D28C5784E68AAC79980A6B8C575
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [17:46 11/03/2010] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6
C:\WINDOWS\I386\ATAPI.SY_ --a--c 49558 bytes [17:53 13/07/2005] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 1F0A0D2D75AC8CF2D823DDC358AF61FD
C:\WINDOWS\system32\drivers\atapi.svs --a--- 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6

-=End Of File=-


Thanks,
PULIN
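The filefind output above is the evidence a responder reads by hand before deciding whether the live driver can be trusted. As an added example (not code from the thread, from SystemLook or from ComboFix), this Python script parses those eight lines and checks the points that matter here: copies of atapi.sys with identical size but different MD5, whether the driver in system32\drivers matches the protected dllcache copy, and files in the drivers directory that carry the live driver's hash under another name. The log text is copied from the post above; the function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# The filefind lines from the SystemLook log posted above (copied from the
# thread, not constructed); the parser itself handles any log in this format.
SYSTEMLOOK_LOG = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Documents and Settings\pp20\Desktop\New Folder\WXPVOL_EN (E)\I386\ATAPI.SY_ --a--- 50008 bytes [21:35 12/10/2009] [08:13 12/02/2008] 6E47F5B17EE16FFCC6AAF45F8A3A7346
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] B7971D28C5784E68AAC79980A6B8C575
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [17:46 11/03/2010] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6
C:\WINDOWS\I386\ATAPI.SY_ --a--c 49558 bytes [17:53 13/07/2005] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 1F0A0D2D75AC8CF2D823DDC358AF61FD
C:\WINDOWS\system32\drivers\atapi.svs --a--- 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [08:13 12/02/2008] [08:13 12/02/2008] 7316AFA8EFA110621D6D90722AF3EFE6
"""

# path, six attribute flags, size, [modified] [created], MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


class Entry(NamedTuple):
    path: str
    attrs: str
    size: int
    mtime: str
    ctime: str
    md5: str

    @property
    def name(self) -> str:
        # Lower-cased file name; ComboFix's ".vir" quarantine suffix is dropped
        # so the quarantined copy groups with the original file.
        base = self.path.rsplit("\\", 1)[-1].lower()
        return base[:-4] if base.endswith(".vir") else base


def parse_systemlook(text: str) -> List[Entry]:
    """Turn filefind result lines into Entry records, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["attrs"], int(m["size"]),
                                 m["mtime"], m["ctime"], m["md5"].upper()))
    return entries


def hash_conflicts(entries: List[Entry]) -> Dict[Tuple[str, int], Set[str]]:
    """Copies that share a name and byte size but not an MD5. A driver patched
    in place keeps its size, so it lands here; a different build does not."""
    groups: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for e in entries:
        groups[(e.name, e.size)].add(e.md5)
    return {k: v for k, v in groups.items() if len(v) > 1}


def _find(entries: List[Entry], suffix: str) -> Optional[Entry]:
    return next((e for e in entries if e.path.lower().endswith(suffix)), None)


def live_matches_dllcache(entries: List[Entry], driver: str) -> Optional[bool]:
    """Compare the loaded driver in the drivers directory with the protected
    dllcache copy; None when either copy is absent from the log."""
    live = _find(entries, "\\system32\\drivers\\" + driver)
    cache = _find(entries, "\\system32\\dllcache\\" + driver)
    if live is None or cache is None:
        return None
    return live.md5 == cache.md5


def lookalike_copies(entries: List[Entry], driver: str) -> List[str]:
    """Files in a drivers directory with another name but the live driver's hash."""
    live = _find(entries, "\\system32\\drivers\\" + driver)
    if live is None:
        return []
    return [e.path for e in entries
            if e.name != driver and "\\system32\\drivers\\" in e.path.lower()
            and e.md5 == live.md5]


if __name__ == "__main__":
    found = parse_systemlook(SYSTEMLOOK_LOG)
    for (name, size), hashes in hash_conflicts(found).items():
        print(f"{name} ({size} bytes): {len(hashes)} different hashes {sorted(hashes)}")
    print("live atapi.sys matches dllcache copy:", live_matches_dllcache(found, "atapi.sys"))
    print("same-hash files under other names:", lookalike_copies(found, "atapi.sys"))
```

On this log the 96512-byte atapi.sys exists with three different hashes, the live driver does not match the dllcache copy, and atapi.svs in the same directory carries the live driver's hash.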

#12 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 March 2010 - 09:42 PM

Hello, Pulin.
OK, let's replace the infected file.



Step 1

First, click Start --> Run
and type the bolded text below into the runbox and click OK.
cmd

A window will pop up, type the following and press Enter
expand C:\windows\i386\atapi.sy_ c:\atapi.sys

You should see "1 file(s) expanded". If not, stop here and let me know. If yes, please continue.



Step 2
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
Once you are in the recovery console, you'll be at a command prompt. Type the following bolded lines one by one and press Enter after each one.

cd\
This will take you to C:\

cd c:\windows\system32\drivers
The prompt should show c:\windows\system32\drivers

ren atapi.sys atapi.bak
It will not look like anything happened, but we just renamed the infected file and kept it as a backup.

copy c:\atapi.sys c:\windows\system32\drivers\atapi.sys
You should see "1 file(s) copied".

Reboot normally. Did it reboot OK?



Step 3
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your C:\ folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.
etavares

Edited by etavares, 15 March 2010 - 09:43 PM.




#13 Pulin
  • Topic Starter
  • Members
  • 37 posts

Posted 16 March 2010 - 10:11 AM

Hi,
After Step 1, there is no expanded file.
Thanks,
PULIN

#14 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 March 2010 - 10:45 AM

OK, this time go to the command prompt as before and type in each of these, pressing Enter after each one:

cd\
cd windows
cd i386

Note: don't type this line, but the prompt should say C:\windows\i386\> here
expand atapi.sy_ c:\atapi.sys



Then launch My Computer. Do you see atapi.sys in the C:\ folder? If so, please continue with Step 2.




#15 Pulin
  • Topic Starter
  • Members
  • 37 posts

Posted 16 March 2010 - 01:25 PM

Hi,
I am only getting
c:\windows\I386>
Not getting expand atapi.sy_ c:\atapi.sys

Thanks,
PULIN




