Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit that alters atapi.sys and possibly others

  • This topic is locked This topic is locked
5 replies to this topic

#1 Glenn Neufeld

Glenn Neufeld

  • Members
  • 3 posts
  • Local time:05:40 AM

Posted 05 April 2010 - 04:14 AM

ClamWin detected alteration of the system file "atapi.sys" in "C:\Windows\System32\drivers", and quarantined it, rendering the system unbootable with a generic BSOD that displays for only a split second before boot-looping the machine.

The system in question is WinXP SP2, all updates installed (except SP3), 2GB Ram, 160GB HD, Toshiba M200 S838 Portege Tablet, Centrino 1.8Ghz.

I restored the quarantined file from a backup image of the drive, and the machine boots again - for the time being.

I disabled ClamWin temporarily, and ran the standard scans in preparation for possible ComboFix action.

There are also a few old viruses in the attachments in my Eudora directory ("c:\WEUDORA\ATTACHED\") that are never accessed - meaning I never launch anything from the Attachments directory as a general rule. I've prepared a cygwin bash-script to delete those attachments when ready - if required.

I've attached the GMER log file, which found two hidden server processes, as well as the "Attach.txt" file from DDS in .zip format.

The GMER log also contains a long-dead MAPI folder that Eudora created that should have been deleted long ago, which is a pretty deep/wide directory structure - sorry about that.

Here's the DDS output ("DDS.txt") - thanks in advance for any specific action you may specify:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:17:03.82 on Sun 04/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1397 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [TapButt] c:\program files\toshiba\tapbutton\TapButt.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TosRotation] "c:\program files\toshiba\toshiba rotation utility\TRot.exe"
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MacDrive 8 application] "c:\program files\mediafour\macdrive 8\MacDrive.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fn-esse.lnk - c:\program files\toshiba\windows utilities\FNESSE32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartc~1.lnk - c:\windows\seiko\slpcap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wintvr~1.lnk - c:\program files\wintv\wintv7\WinTVTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193724418706
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {C213C5A1-C6F9-433A-BE50-3FBA73536731} =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\weudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\8z7m67as.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-9-28 259176]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2009-7-31 27488]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-2-3 5760]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\brother\bradmin professional 3\bratimer.exe [2010-3-11 65536]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2009-9-28 242176]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\tvserver\HAUPPA~1.EXE [2009-12-5 434176]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\mediafour\macdrive 8\MacDrive8Service.exe [2009-9-23 150528]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-3-16 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2004-2-3 126976]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-2-3 8832]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-2-3 13568]
S2 mwfvrx;Driver Security;c:\windows\system32\svchost.exe -k netsvcs [2004-2-3 14336]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2009-1-16 44928]
S2 ozxmw;Windows Image;c:\windows\system32\svchost.exe -k netsvcs [2004-2-3 14336]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2007-11-1 43008]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [2009-12-5 28672]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [2009-12-5 1218944]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [2009-12-5 1216512]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-3-16 42752]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-1-16 55936]
S3 PORTMON;PORTMON;\??\c:\documents and settings\administrator\desktop\sysinternalssuite\portmsys.sys --> c:\documents and settings\administrator\desktop\sysinternalssuite\PORTMSYS.SYS [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-9-2 31872]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 USA49WG;USA49WG;c:\windows\system32\drivers\USA49WG2k.sys [2010-4-2 723712]
S3 USA49WG2KP;Keyspan USB 2.0 4-Port Serial Adapter Port Driver;c:\windows\system32\drivers\USA49WG2kp.sys [2010-4-2 24320]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-04-04 22:08:17 0 d-----w- c:\docume~1\admini~1\applic~1\Canneverbe Limited
2010-04-04 22:08:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2010-04-04 21:51:35 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-04 21:38:36 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-04-04 21:06:49 21 ----a-w- c:\windows\S.dirmngr
2010-04-02 05:27:41 77824 ----a-w- c:\windows\system32\USA49WGPropPage.dll
2010-04-02 05:27:41 24320 ----a-w- c:\windows\system32\drivers\USA49WG2kp.sys
2010-04-02 05:27:39 723712 ----a-w- c:\windows\system32\drivers\USA49WG2k.sys
2010-04-02 05:27:39 49152 ----a-w- c:\windows\system32\k49wgco.dll
2010-04-02 05:27:38 0 d-----w- c:\program files\Keyspan
2010-03-29 08:55:10 0 d-----w- c:\documents and settings\administrator\workspace
2010-03-29 08:47:45 0 d-----w- c:\program files\OBEX Commander
2010-03-27 17:07:34 0 d-----w- c:\documents and settings\administrator\.red
2010-03-20 02:50:25 0 d-----w- c:\program files\common files\CineForm
2010-03-20 02:50:25 0 d-----w- c:\program files\CineForm
2010-03-20 02:49:50 0 d-----w- c:\program files\Silicon Imaging
2010-03-19 20:23:50 0 d-----w- c:\program files\MagikInfo Inc
2010-03-18 02:26:58 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-03-18 02:26:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 02:26:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 02:26:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 02:26:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 17:27:46 0 d-----w- c:\program files\SystemRequirementsLab
2010-03-16 11:52:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Avanquest Bluetooth SDK
2010-03-16 11:50:49 42752 ----a-w- c:\windows\system32\drivers\motodrv.sys
2010-03-16 10:12:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-03-16 10:12:16 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-16 10:10:57 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-03-15 06:34:43 0 d-----w- c:\program files\Hugin
2010-03-15 03:43:46 37760 ----a-w- c:\windows\system32\drivers\P2k.sys
2010-03-15 03:43:43 77895 ----a-w- c:\windows\system32\unibus_tcutil.dll
2010-03-15 03:43:42 244024 ----a-w- c:\windows\system32\msflxgrd.ocx
2010-03-15 00:12:13 0 d-----w- c:\windows\system32\NtmsData
2010-03-13 23:19:31 22486 ----a-w- c:\windows\system32\msu.ico
2010-03-13 21:54:47 716800 ----a-w- c:\windows\system32\Wibuke32.cpl
2010-03-13 21:54:46 57552 ----a-w- c:\windows\system32\WKDOS.EXE
2010-03-13 21:54:43 29696 ----a-w- c:\windows\system32\drivers\Wibukey2.sys
2010-03-13 21:54:41 67072 ----a-w- c:\windows\system32\drivers\Wibukey.sys
2010-03-13 21:54:41 52736 ----a-w- c:\windows\system\WkWin.dll
2010-03-13 21:54:41 139264 ----a-w- c:\windows\system32\WkWin32.dll
2010-03-13 21:54:40 0 d-----w- c:\program files\WIBUKEY
2010-03-13 21:54:40 0 d-----w- c:\program files\WIBU-SYSTEMS
2010-03-13 21:07:19 0 d-----w- c:\program files\Motorola Phone Tools
2010-03-13 19:26:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-03-13 19:26:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-13 19:26:12 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-13 19:07:51 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-03-13 19:07:48 15616 ----a-w- c:\windows\system32\mot_ci.dll
2010-03-13 19:07:01 0 d-----w- c:\program files\Motorola
2010-03-13 19:07:01 0 d-----w- c:\program files\common files\Motorola Shared
2010-03-13 03:48:15 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-11 16:56:59 0 d-----r- c:\docume~1\admini~1\applic~1\Brother
2010-03-11 16:55:50 426 ----a-w- c:\windows\BRWMARK.INI
2010-03-11 16:55:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother
2010-03-11 16:55:41 24223 ----a-w- c:\windows\system32\BRLM03A.DLL
2010-03-11 16:55:41 0 ----a-w- c:\windows\brmx2001.ini
2010-03-11 16:55:39 31257 ------w- c:\windows\HL-5370DW.INI
2010-03-11 16:55:39 176128 ----a-w- c:\windows\system32\BROSNMP.DLL
2010-03-11 16:55:39 0 d-----w- c:\program files\Brownie
2010-03-11 16:55:38 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2010-03-11 16:55:38 50 ----a-w- c:\windows\system32\BRADM08A.DAT
2010-03-11 16:55:38 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL
2010-03-11 16:55:38 196608 ------w- c:\windows\system32\Pdrvinst.dll
2010-03-11 16:55:38 114 ----a-w- c:\windows\system32\BRLMW03A.INI
2010-03-11 16:55:38 111928 ----a-w- c:\windows\system32\BRRBTOOL.EXE
2010-03-11 16:55:38 0 d-----w- c:\program files\Brother
2010-03-11 16:54:26 99 ----a-w- c:\windows\Brownie.ini
2010-03-10 20:42:57 0 d-----w- c:\program files\Windows Installer Clean Up
2010-03-10 04:30:47 218 ----a-w- c:\documents and settings\administrator\.recently-used.xbel
2010-03-10 04:19:47 0 d-----w- c:\docume~1\admini~1\applic~1\Eudora Imported
2010-03-10 02:21:45 0 d-----w- c:\program files\Emailchemy
2010-03-10 02:19:09 0 d-----w- c:\docume~1\admini~1\applic~1\Mail
2010-03-10 02:17:59 0 d-----w- c:\docume~1\admini~1\applic~1\Claws-mail
2010-03-10 02:17:26 0 d-----w- c:\program files\GNU
2010-03-08 07:17:53 99109 ----a-w- c:\windows\hpdj6800.hi1
2010-03-08 07:17:53 13804 ----a-w- c:\windows\hpdj6800.bu1
2010-03-08 07:17:51 5438 ----a-w- c:\windows\hpf6800m.bu1
2010-03-08 07:17:51 23089 ----a-w- c:\windows\hpf6800m.hi1
2010-03-08 02:43:03 344 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-08 02:41:31 528 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-08 01:28:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-08 01:27:10 0 d-----w- c:\program files\common files\iS3
2010-03-08 01:27:09 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-06 17:47:36 0 d-----w- c:\program files\DIY DataRecovery MBRtool

==================== Find3M ====================

2010-03-08 01:31:57 262144 ----a-w- c:\windows\system32\default_user_class.dat
2010-03-02 04:39:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-15 02:06:01 106557 ----a-w- c:\windows\system32\btw_ci.dll

============= FINISH: 17:17:34.85 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:40 AM

Posted 05 April 2010 - 01:35 PM

Good evening. smile.gif

The immediate problem I see is that you appear to be relying on ClamWin anti-virus which offers no real-time protection. How long have you been solely using this program for your PC's security?

So long, and thanks for all the fish.



#3 Glenn Neufeld

Glenn Neufeld
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:40 AM

Posted 05 April 2010 - 11:29 PM

Thanks for your response. The immediate problem is that I've got to disinfect the machine before I *can* install any real-time virus protection. I've used ComboFix without supervision several times, but after Googling a lot, it seems this virus is somewhat new, and I thought the process for removing this one might be of interest.

Answer to your question: A few weeks. I'm on location and I got tired of NOD32 asking me to update when I can't afford to pay for any software this month. This virus seems to have infected the machine after being held at bay for a while - I don't use IE, have script blocking on FireFox, and don't ever launch attachments from email - automatically, or manually.

Any idea what the infection vector might be besides what I've mentioned above? Perhaps one of the many USB sticks I've used from other members of the film crew...

Edited by Glenn Neufeld, 06 April 2010 - 09:37 AM.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:40 AM

Posted 06 April 2010 - 01:39 PM

Good evening. smile.gif

I think that the atapi.sys infection is a result of surfing either a malicious site or a legitimate one that has been hacked rather than an infected USB stick.

The problem that you have, apart from the obvious one, is that your system has been insufficiently protected from both internet threats and also potentially infected USB sticks that aren't unknown. Your anti-virus doesn't have the ability to protect your system from manipulation and modification and so my "professional" advice is to back up any important data and then reformat and reinstall the operating system.
There is no way to guarantee the cleanliness of your computer as legitimate system files may have been corrupted, infected or replaced and detection of these is no a simple matter. There is also the risk that security settings may have been compromised making reinfection more likely in future.
While I accept that this is a time-consuming process, it offers the best way to clean your system and is the quickest solution in the long term.

If you need, I can let you have links to various free security programs that will help to keep your machine slime-free in the future.

So long, and thanks for all the fish.



#5 Glenn Neufeld

Glenn Neufeld
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:40 AM

Posted 06 April 2010 - 11:19 PM

Once again, thanks for your advice.

Are you telling me that this is not a case for attempting removal of an infection in place? Should I *not* wait for removal instructions and/or help?

Seeing as how I don't have the tools with me at this remote location to reload, nor any assurance the using any of the backed up data would be any safer than using it in-place, is this your only suggestion?

I'm pretty patient about computer disinfection and repair, and I'd love to wait for someone with specific scripting instructions for ComboFix, rather than running it unsupervised, but unfortunately, your suggestions are neither:

1) Practical at the moment (though important for future implementation).
2) Possible at the moment (though eventually possible)
3) The reason I came here for help, posted these logs, and waited patiently for help.

In other words, so far you've given me good advice that I'm well aware of - being involved in a very IT-dependent profession, I've cleaned and/or reloaded more computers than most anyone you've ever known, and rescued more time and money-critical data than you can imagine.

So, at the risk of offending anyone who is donating their personal time and effort to helping others get their computers cleaned up and back in operation, as I so often do, in order that they can use their computer *until* it can be properly reloaded and/or repaired, allow me to ask the following question without offending anyone or putting anyone off:

When does the lecture end and the help begin?

Not *following* proper procedures and not *knowing* proper procedures are completely different things, as I pointed out in my first reply. I assure you that I'm aware of the shortcuts I've had to engage in to get the job at hand underway, and what I'm going to do when I have the *time* to do things properly.

In the time it has taken you to respond twice with good advice and no practical application, I could have learned enough about ComboFix's internals and capabilities to have done this myself.

The people in this Enterprise are clearly the foremost experts in Windows internals and Security around. That's why I came here - for that expertise.

For preventative advice I could have watched a Norton Anti-Virus commercial. thumbup.gif

The reason tools like ComboFix exist is to remove unwanted and/or foreign software from computers, is it not? Or does it just exist to entice people to come here for advice like "reload your computer"?

But I digress...

Please give me specific removal advice based on my uploaded log files if possible, or advise me that this is not a case for using removal tools of this ilk.

Thanks in advance! smile.gif

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:40 AM

Posted 07 April 2010 - 02:28 PM

Good evening.

I posted what I considered to be the best advice given the situation that exists with regard to your PC and have given reasons for that advice. It was not intended to either be be a lecture or imply that you were in some way inexperienced in computers or the removal of malware from the same, so I am sorry if you chose to interpret it as such.
My advice however remains the same and should you feel that it is not appropriate in your situation, then you are free to discard it and proceed in a different direction.

So long, and thanks for all the fish.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users