atapi.sys and more


27 replies to this topic

#1 rainwater

Posted 11 April 2010 - 01:54 PM

Hello

Got something going on that started with Google Chrome not loading at all. This was coupled with Google redirects. Tried to fight it off with various products (ESET, Ad-Aware, TDSSKiller) to no avail, though everything keeps on pointing to atapi.sys. Recently started getting "warnings" from two non-legit security programs, Windows Security Center and XP Internet Security. One of them has to be ave.exe. Having trouble running many, many programs: when I try to run even Notepad from Start > Run, Windows searches for a program to open it with.

Also just got an alert about Generic Host Process for Win32 Services (encountered a problem and needs to close), and another for svchost.exe (instruction at "0x100e5ac0" referenced memory at "0x00000017". The memory could not be "read"). This happened after I manually killed the process ave.exe from my Task Manager.

Prior to posting I was able to run Defogger, DDS and GMER, but was unable to check firewall status, as when clicking on "settings" nothing happens. This one seems pretty severe; here is my information. I appreciate any assistance you can provide!


Here's the GMER (run in safe mode):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 00:56:02
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\axgdypog.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF773087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7730BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF76DBE94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007C000C
.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F6FF7400
Device -> \Driver\atapi \Device\Harddisk0\DR0 82AD4AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


And here is the DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 19:05:14.48 on Sat 04/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.101 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MtdAcqu] "c:\program files\creative\mediasource5\MtdAcqu.exe" /s
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [{1C1655EC-0710-1033-0309-050624040001}] "c:\program files\common files\{1c1655ec-0710-1033-0309-050624040001}\Update.exe" te-110-12-0000213
mRun: [{1C1655EC-0711-1033-0309-050624040001}] "c:\program files\common files\{1c1655ec-0711-1033-0309-050624040001}\Update.exe" te-110-12-0000213
mRun: [{1C1655EC-070F-1033-0309-050624040001}] "c:\program files\common files\{1c1655ec-070f-1033-0309-050624040001}\Update.exe" te-110-12-0000213
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NPSStartup]
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRunOnce: [RunNarrator] Narrator.exe
uExplorerRun: [{1C1655EC-0710-1033-0309-050624040001}] "c:\program files\common files\{1c1655ec-0710-1033-0309-050624040001}\Update.exe" te-110-12-0000213
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Update Page Content - c:\program files\msn\msnia\cc\msncc\wa\refreshpage.htm
IE: View All Originals On Page - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: View Original Image - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-10 64160]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2004-8-27 234616]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-27 164984]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2004-8-30 176768]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2004-7-23 49808]
S2 COM+ Messages;COM+ Messages;"c:\windows\system32\svchosts.exe" -e te-110-12-0000213 --> c:\windows\system32\svchosts.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-17 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NAVENG.Sys [2005-2-26 72712]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NavEx15.Sys [2005-2-26 629544]
S3 RDID1044;Roland SP-606;c:\windows\system32\drivers\rdwm1044.sys [2005-12-2 161422]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2004-7-23 335504]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2010-4-3 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-4-3 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-4-3 121856]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-11 02:03:50 0 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-04-09 06:35:20 0 d-----w- c:\program files\ESET
2010-04-09 05:43:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 05:39:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 05:39:24 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 04:53:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-09 04:29:22 0 d-----w- c:\program files\common files\PC Tools
2010-04-09 04:29:21 0 d-----w- c:\program files\Spyware Doctor
2010-04-09 03:38:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-04 00:01:28 0 d-----w- c:\program files\Conduit
2010-04-04 00:01:25 0 d-----w- c:\program files\Zynga
2010-04-03 17:57:20 14976 ----a-w- c:\windows\system32\drivers\sscemdfl.sys
2010-04-03 17:57:20 121856 ----a-w- c:\windows\system32\drivers\sscemdm.sys
2010-04-03 17:57:20 12160 ----a-w- c:\windows\system32\drivers\sscecmnt.sys
2010-04-03 17:57:20 12160 ----a-w- c:\windows\system32\drivers\sscecm.sys
2010-04-03 17:57:19 90240 ----a-w- c:\windows\system32\drivers\sscebus.sys
2010-04-03 17:57:19 12160 ----a-w- c:\windows\system32\drivers\sscewhnt.sys
2010-04-03 17:57:19 12160 ----a-w- c:\windows\system32\drivers\sscewh.sys
2010-04-03 17:57:15 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-04-03 17:56:54 0 d-----w- c:\docume~1\compaq~1\applic~1\Samsung
2010-04-03 17:56:32 0 d-----w- c:\program files\MarkAny
2010-04-03 17:56:01 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-04-10 18:43:10 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 19:06:34.89 ===============


Thank you!!
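The GMER output in this post mixes expected hooks (Ad-Aware's Lbd.sys on the SSDT, Microsoft's filter manager attached to FAT) with the findings that matter: inline JMP patches on ntdll exports inside svchost.exe and Explorer, a driver whose entry point lies in its .rsrc section, a redirected disk device object under \Driver\atapi, and two drivers reported as modified. The script below is an added example for this page, not GMER's code and not posted by anyone in the thread. It parses lines of the shapes seen above and rates them; the severity ranks and the EXPECTED_VENDORS allowlist are the example's own assumptions, and SAMPLE_LOG is a constructed excerpt copied from the log above.

```python
"""Triage a GMER log: classify each finding and rate it.

Added example for this thread, not part of GMER or of the original posts.
The severity table and the vendor allowlist are this example's own
assumptions, not GMER's.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Vendors whose kernel hooks and filter drivers are expected on this machine
# (Ad-Aware's Lbd.sys, Norton's SYMTDI.SYS, Microsoft's fltMgr.sys).
# Assumption: anything else on the SSDT or the filter stack deserves a look.
EXPECTED_VENDORS = ("Lavasoft", "Symantec", "Microsoft")


@dataclass
class Finding:
    kind: str
    severity: str
    details: dict = field(default_factory=dict)
    raw: str = ""


# One regex per GMER line shape seen in the thread's logs.
RULES = [
    ("ssdt_hook", re.compile(
        r'^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]')),
    ("entry_point_in_rsrc", re.compile(
        r'^\.rsrc\s+(?P<path>\S+)\s+entry point in "\.rsrc" section')),
    ("inline_hook", re.compile(
        r'^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)'
        r'\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)')),
    ("device_redirect", re.compile(
        r'^Device -> (?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)')),
    ("file_modified", re.compile(
        r'^File\s+(?P<path>.+?)\s+suspicious modification$')),
    ("attached_device", re.compile(
        r'^AttachedDevice\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)')),
]


def rate(kind: str, details: dict) -> str:
    """Severity is this example's assumption; GMER itself does not rank lines."""
    if kind in ("ssdt_hook", "attached_device"):
        vendor = details.get("vendor", "")
        return "info" if any(v in vendor for v in EXPECTED_VENDORS) else "medium"
    # Inline JMP patches in ntdll exports, a driver whose entry point sits in
    # its resource section, a redirected disk device object and a modified
    # boot-start driver are all rootkit indicators.
    return "high"


def triage(log_text: str) -> list:
    """Return one Finding per recognised line, in log order; headers are skipped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in RULES:
            m = rx.match(line)
            if m:
                findings.append(Finding(kind, rate(kind, m.groupdict()), m.groupdict(), line))
                break
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 4, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines taken from the GMER output in this thread
# (post #1) so that every rule fires once.
SAMPLE_LOG = r"""
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF773087E]
.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF76DBE94]
.text C:\WINDOWS\system32\svchost.exe[580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D000A
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82AD4AC8
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:22} {f.details}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it a saved gmer.log instead of SAMPLE_LOG to get the same classification for a real scan; anything that parses as "high" is what the helper in this thread goes after first.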

#2 Jat90

Posted 14 April 2010 - 09:21 AM

Hello, rainwater

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Now, let's first do this:

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    ohci1394.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by Jat90, 14 April 2010 - 10:22 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 rainwater (Topic Starter)

Posted 14 April 2010 - 08:36 PM

Here are the results, thanks!!


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:32 on 14/04/2010 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "ohci1394.sys"
C:\WINDOWS\$NtServicePackUninstall$\ohci1394.sys -----c 61056 bytes [23:38 31/01/2009] [04:00 04/08/2004] 0951DB8E5823EA366B0E408D71E1BA2A
C:\WINDOWS\system32\drivers\ohci1394.sys --a--- 61056 bytes [10:38 26/02/2005] [04:00 04/08/2004] 0951DB8E5823EA366B0E408D71E1BA2A

-=End Of File=-
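SystemLook reports both copies of ohci1394.sys with the same MD5, while GMER keeps reporting the driver's entry point inside its ".rsrc" section. The check GMER is making can be reproduced from the PE headers alone: find the section that contains AddressOfEntryPoint and see whether it is an executable code section. The script below is an added example written for this page; it is not GMER's code and was not posted by anyone in the thread. build_pe, SAMPLE_LAYOUT and the verdict strings are its own constructions, and the sample image is built in memory so that it runs offline; pass a file path to check a real driver.

```python
"""Locate a PE image's entry point and flag it when it sits in .rsrc.

Added example for this thread; it is not GMER's code and not part of the
original posts. It reproduces the check behind GMER's 'entry point in
".rsrc" section' finding: a legitimate driver starts in an executable code
section, while a driver that has been patched to carry a loader stub in its
resource section does not. The builder and sample layout are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    va: int
    size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.va <= rva < self.va + self.size


def parse_pe(data: bytes) -> tuple[int, list[Section]]:
    """Return (AddressOfEntryPoint, section table) from raw PE32/PE32+ bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ headers.
    entry = struct.unpack_from("<I", data, opt_hdr + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt_hdr + opt_size + 40 * i
        name, vsize, va, rawsize, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry, sections


def check_entry_point(data: bytes) -> tuple[str | None, str]:
    """Return (name of the section holding the entry point, verdict)."""
    entry, sections = parse_pe(data)
    sec = next((s for s in sections if s.contains(entry)), None)
    if sec is None:
        return None, "suspicious: entry point outside every section"
    if sec.name == ".rsrc":
        return sec.name, "suspicious: entry point in .rsrc"
    if not sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        return sec.name, f"suspicious: entry point in non-executable section {sec.name}"
    return sec.name, "ok"


# ---- constructed test image (headers only; no section data is needed) ----
def build_pe(entry: int, layout: list[tuple[str, int, int, int]]) -> bytes:
    """Assemble a minimal PE32 header set with the given entry RVA and sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                 # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, ch)
        for n, va, size, ch in layout)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


# Layout modelled on a typical XP driver: code first, resources last (constructed).
SAMPLE_LAYOUT = [
    (".text",  0x1000, 0x8000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x9000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data",  0xA000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc",  0xB000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                # e.g. a copy of ohci1394.sys
        with open(sys.argv[1], "rb") as fh:
            print(check_entry_point(fh.read()))
    else:
        print("clean  :", check_entry_point(build_pe(0x1234, SAMPLE_LAYOUT)))
        print("patched:", check_entry_point(build_pe(0xB400, SAMPLE_LAYOUT)))
```

One caveat when using this on a live machine: if a rootkit is serving the original file contents to ordinary reads (which would reconcile SystemLook's matching MD5 with GMER's finding), a user-mode read of the driver will look clean. Check a copy taken from offline media, such as the drive mounted in another machine or a boot CD, or the file after it has been replaced.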

#4 Jat90

Posted 15 April 2010 - 04:01 AM

Hello,

We need to copy a file now (some files may be hidden, see here on how to see all files), so please locate:

C:\WINDOWS\$NtServicePackUninstall$\ohci1394.sys
Right click that file and hit "copy"
Then paste it at C:\

Note: It's highly important you get that right; let me know if you have any problems or questions.

File Replacement via Recovery Console

For this fix be sure you have the Recovery Console installed, if not then see HERE for instructions on how to install it.

We need to replace that file manually:
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    cd C:\windows\system32\drivers

  6. At the next prompt type the following bolded text, and press Enter:

    ren ohci1394.sys ohci1394.vir

  7. At the next prompt type the following bolded text, and press Enter:

    copy C:\ohci1394.sys ohci1394.sys

  8. The command should then show 1 file(s) copied
  9. At the next prompt type the following bolded text, and press Enter:

    exit
Windows will now begin loading.

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

Edited by Jat90, 15 April 2010 - 04:02 AM.

- Jat90 -


#5 rainwater (Topic Starter)

Posted 16 April 2010 - 02:26 PM

Completed step 1, but I don't have a Windows CD to install the Recovery Console; it doesn't look like it is installed. My system recovery is partitioned, and for system restores I'm directed to hit F10 upon boot, which takes me to full system recovery. Tried looking around for Windows CDs, but can't seem to get one.

Is there another way that the file can be manually replaced?

#6 Jat90

Posted 16 April 2010 - 03:48 PM

Hello,

It appears that the driver concerned does not load on your computer during Safe Mode for some reason, therefore we can use Safe Mode to manually replace the file instead.

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Then simply copy ohci1394.sys from C:\
and paste it in C:\Windows\System32\drivers, overwriting the one there.

That should do the trick, then reboot normally and run a gmer scan, and post the results here.
- Jat90 -


#7 rainwater (Topic Starter)

Posted 16 April 2010 - 05:53 PM

Here are the results of the GMER scan. It crashed out the first time I ran it, so I unchecked "Devices" for this scan.
Thanks!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 15:49:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\axgdypog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763587E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7635BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF75E0E94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007C000C
.text C:\WINDOWS\Explorer.EXE[1196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[1196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C6000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#8 Jat90

Posted 17 April 2010 - 09:58 AM

Hello,

Are you sure you overwrote ohci1394.sys in C:\windows\system32\drivers?

Your Gmer log shows the malicious file is still present in the drivers folder.

Run this batch in safe mode:

Let's create a batch:
  • Open Notepad
  • Copy and paste the following text:
QUOTE
@echo off
rem Stage the known-good copy from the Service Pack backup folder at C:\
cd /d C:\
copy /y C:\WINDOWS\$NtServicePackUninstall$\ohci1394.sys C:\ohci1394.sys
rem Overwrite the driver in place (/y suppresses the overwrite prompt)
cd /d C:\windows\system32\drivers
copy /y C:\ohci1394.sys ohci1394.sys
rem Self-delete must be the last line: anything placed after "exit" never runs
del "%~f0"
  • Change "Save as type" to All Files
  • Save it as fix.bat to the desktop
  • Locate the file on your desktop and double click it.
  • The file should delete itself after use.
Then re-run Gmer and post the results.
- Jat90 -


#9 rainwater (Topic Starter)

Posted 17 April 2010 - 12:28 PM

Did as directed; a couple of things: the BAT did not self-delete, and while GMER has not finished running yet, the third thing that came up on my screen upon scan was system32\drivers\ohci1394.sys. Other than hopping online to grab the text from your post, everything was done in Safe Mode without a reboot between actions. On a different computer right now while GMER finishes running; so far it appears identical to the last run.

Additional note: the "XP Security Center" stuff popped up when I started the GMER scan in Safe Mode. The Ethernet was connected when I started GMER; wondering if this made a difference.

I'll post the log upon completion of the scan, thank you!

#10 rainwater (Topic Starter)

Posted 17 April 2010 - 01:47 PM

Here is the GMER log, pretty much the same as the last one, except atapi.sys popped back in and I was able to run Devices.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 11:27:56
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.YOU\LOCALS~1\Temp\axgdypog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF773087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7730BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF76DBE94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[584] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[584] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007C000C
.text C:\WINDOWS\Explorer.EXE[804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82AD4AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#11 Jat90

Posted 17 April 2010 - 03:17 PM

Darn it, it still persists. The file replacement method usually works. Let's see if this tool can pull it off:

TDSS Killer
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Vista Start logo > All Programs > Accessories > right-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

- Jat90 -


#12 rainwater (Topic Starter)

Posted 17 April 2010 - 04:05 PM

I don't have Vista, so I don't know if this makes a difference, but...

I went to Accessories > Command Prompt, clicked on it and got the usual noise prompting me to select which program I want to open Command Prompt with. Argh.

So then I right-click on it, select Run As, try to type Administrator into the username field; doesn't work. I then select Run As and select current user (YOUR-F78BF48CE2\Compaq_Owner).

Command Prompt starts up just fine, but I can't copy the text from a Notepad file into the command prompt. So I just type it in and it gives me "access denied".

I don't want to sabotage TDSSKiller by doing my now-normal routine when starting a program by right-clicking on it and hitting "start", so if there's another way we can run this that would be great. I can log back in as admin or run as admin in Safe Mode, whatever works. I already ran TDSSKiller once prior to posting this topic initially, btw. Please advise, thanks!

#13 rainwater (Topic Starter)

Posted 17 April 2010 - 06:10 PM

Update: I was able to get into the Recovery Console, so I proceeded with your initial set of instructions there rather than what we tried in Safe Mode and with the batch file.

Here is a new GMER; looks like atapi and ohci went unreported. I was able to run the full GMER scan while not in Safe Mode. Additionally, the fake anti-spyware applications have ceased for now (ave.exe is not running upon boot).

That said, I'm still having problems launching apps, as even when trying to run Notepad from Start > Run I get the dialog about what program I would like to open Notepad with. Progress nonetheless, I'd say.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 16:01:13
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\axgdypog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763587E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7635BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 18 April 2010 - 05:17 AM

Hello,

It's gone! Your redirect issues should be resolved; let's proceed with ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 rainwater

rainwater
  • Topic Starter

  • Members
  • 15 posts

Posted 18 April 2010 - 11:03 AM

OK, so I tried the suggested steps for disabling Norton Internet Security, which did not work, as I could not run programs. It just refused to start altogether. So I go into my processes, research what each one is and kill the ones affiliated with Norton... but as you can see from the results of the log, it doesn't appear to have killed off Internet Security entirely.

That said, things do seem to be working better. Google Chrome works again, and I was even able to run Notepad from start>run.

ComboFix 10-04-17.07 - Compaq_Owner 04/18/2010 8:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.167 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{1C165~1
c:\progra~1\COMMON~1\{1C165~2
c:\progra~1\COMMON~1\{1C165~3
c:\progra~1\COMMON~1\{3C165~1
c:\progra~1\COMMON~1\{3C165~1\UnInstall.exe
c:\program files\cowabanga
c:\program files\cowabanga\License.txt
c:\program files\oin search
c:\program files\pppatc~1
c:\program files\WinBudget
c:\recycler\S-1-5-21-2362390659-1705188828-1737974124-1003
c:\recycler\S-1-5-21-3154830541-1346053881-3790109864-1003
c:\windows\explorer(2).exe
c:\windows\fnts~1
c:\windows\system32\mcroso~1.net
c:\windows\system32\svchosts.lzma
c:\windows\system32\unsvchosts.lzma
c:\windows\system32\wnsintsu.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES
-------\Service_COM+ Messages


((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-17 17:17 . 2010-04-17 17:17 52344 ----a-w- c:\documents and settings\Administrator.YOUR-F78BF48CE2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-16 21:17 . 2010-04-16 21:17 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-F78BF48CE2\IETldCache
2010-04-16 18:39 . 2004-08-04 04:00 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-16 18:39 . 2004-08-04 04:00 61056 ----a-w- C:\ohci1394.sys
2010-04-09 06:35 . 2010-04-09 06:35 -------- d-----w- c:\program files\ESET
2010-04-09 05:43 . 2010-04-09 14:07 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 05:39 . 2010-04-10 15:34 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 05:39 . 2010-04-09 05:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 04:53 . 2010-04-09 04:53 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-09 04:29 . 2010-04-09 04:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-09 04:29 . 2010-04-09 04:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-09 03:38 . 2010-04-09 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- c:\program files\Conduit
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Conduit
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Zynga
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- c:\program files\Zynga
2010-04-03 17:57 . 2009-05-13 18:41 14976 ----a-w- c:\windows\system32\drivers\sscemdfl.sys
2010-04-03 17:57 . 2009-05-13 18:41 121856 ----a-w- c:\windows\system32\drivers\sscemdm.sys
2010-04-03 17:57 . 2009-05-13 18:41 12160 ----a-w- c:\windows\system32\drivers\sscecmnt.sys
2010-04-03 17:57 . 2009-05-13 18:41 12160 ----a-w- c:\windows\system32\drivers\sscecm.sys
2010-04-03 17:57 . 2009-05-13 18:41 12160 ----a-w- c:\windows\system32\drivers\sscewhnt.sys
2010-04-03 17:57 . 2009-05-13 18:41 12160 ----a-w- c:\windows\system32\drivers\sscewh.sys
2010-04-03 17:57 . 2009-05-13 18:41 90240 ----a-w- c:\windows\system32\drivers\sscebus.sys
2010-04-03 17:57 . 2010-04-03 17:57 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-04-03 17:56 . 2010-04-03 17:56 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Samsung
2010-04-03 17:56 . 2010-04-03 17:56 -------- d-----w- c:\program files\MarkAny
2010-04-03 17:56 . 2010-04-03 17:56 -------- d-----w- c:\program files\Samsung
2010-04-03 17:53 . 2010-04-03 17:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
2010-03-31 04:15 . 2010-03-31 04:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 15:31 . 2005-02-26 15:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-17 19:18 . 2008-04-24 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-17 17:16 . 2005-02-26 10:38 61056 ----a-w- c:\windows\system32\drivers\ohci1394.vir
2010-04-10 18:43 . 2005-02-26 12:09 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 14:33 . 2005-02-26 14:38 -------- d-----w- c:\program files\Common Files\Java
2010-04-06 14:32 . 2005-02-26 14:38 -------- d-----w- c:\program files\Java
2010-04-03 17:56 . 2005-02-26 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 06:24 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-14 18:42 . 2008-10-04 02:49 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-20 14:14 . 2010-01-20 14:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-02-26 14:54 . 2004-10-14 21:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2005-02-26 14:49 . 2003-02-11 19:02 61440 c:\hp\KBD\bak\KBD.EXE

2005-02-26 14:52 . 2005-02-26 14:52 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2004-08-27 23:22 . 2004-08-27 23:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-08-05 17:23 . 2004-08-05 17:23 218240 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

2004-10-14 00:04 . 2004-10-14 00:04 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2009-11-13 00:33 . 2009-11-13 00:33 141600 c:\program files\iTunes\iTunesHelper.exe

2005-02-26 14:38 . 2005-02-26 14:38 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2004-08-17 22:36 . 2004-08-17 22:36 132248 c:\program files\Norton Internet Security\bak\cfgwiz.exe

2004-08-31 02:29 . 2004-08-31 02:29 33936 c:\program files\Norton Internet Security\bak\UrlLstCk.exe

2005-02-26 15:00 . 2005-02-26 15:00 98304 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 07:08 . 2009-11-11 07:08 417792 c:\program files\QuickTime\QTTask.exe

2005-02-26 15:00 . 2004-12-14 02:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe

2004-04-14 20:43 . 2004-04-14 20:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2005-02-26 14:41 . 1998-05-07 16:04 52736 c:\windows\system\bak\hpsysdrv.exe

2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\system32\ctfmon.exe

2005-02-26 14:49 . 2003-09-12 19:13 98304 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 19:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 68856]
"Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [N/A]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 544768]
"{1C1655EC-0710-1033-0309-050624040001}"="c:\program files\Common Files\{1C1655EC-0710-1033-0309-050624040001}\Update.exe" [N/A]
"{1C1655EC-0711-1033-0309-050624040001}"="c:\program files\Common Files\{1C1655EC-0711-1033-0309-050624040001}\Update.exe" [N/A]
"{1C1655EC-070F-1033-0309-050624040001}"="c:\program files\Common Files\{1C1655EC-070F-1033-0309-050624040001}\Update.exe" [N/A]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"NPSStartup"="" [N/A]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-09 5650240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-2-26 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=rddv1044.dll
"midi1"=rddv1044.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/10/2009 8:40 PM 64160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2009 6:51 AM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
S3 RDID1044;Roland SP-606;c:\windows\system32\drivers\rdwm1044.sys [12/2/2005 4:21 PM 161422]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [4/3/2010 10:57 AM 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [4/3/2010 10:57 AM 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [4/3/2010 10:57 AM 121856]
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-23 02:21]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac64fde014d46.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-17 13:51]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1003998786-1393084440-3941918824-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-30 02:50]

2005-02-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-26 01:26]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Update Page Content - c:\program files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
IE: View All Originals On Page - c:\program files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
IE: View Original Image - c:\program files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-klmdb.sys
AddRemove-KBD - c:\hp\KBD\KBD.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(592)
c:\windows\system32\rddv1044.dll

- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\AGRSMMSG.exe
c:\windows\sm56hlpr.exe
c:\windows\ALCXMNTR.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-18 08:54:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-18 15:54

Pre-Run: 49,933,881,344 bytes free
Post-Run: 50,339,594,240 bytes free

- - End Of File - - E527C26E010C9031005CBCDEA1DFED72
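As an added example, not part of the thread and not ComboFix's own code: a small Python checker that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags the Security Center override and firewall-policy values that weaken the host's defences. The sample input is copied from the log above; the rule table and function names are my own construction.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix "Reg Loading Points"
# section posted above (Security Center, firewall policy, one benign Run entry).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 68856]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches the two numeric value styles ComboFix prints:
#   "Name"=dword:00000001      and      "Name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$'
)

# (substring of the key path, value name, value that weakens defences, description)
# Hypothetical rule table built from the settings visible in this log.
WEAKENING_RULES = [
    ("security center", "AntiVirusOverride", 1, "Security Center AV state overridden"),
    ("security center", "FirewallOverride", 1, "Security Center firewall state overridden"),
    ("monitoring", "DisableMonitoring", 1, "Security Center provider monitoring disabled"),
    ("standardprofile", "EnableFirewall", 0, "Windows Firewall disabled"),
    ("standardprofile", "DisableNotifications", 1, "Windows Firewall notifications suppressed"),
]


def parse_reg_section(text: str) -> Dict[str, Dict[str, int]]:
    """Map each [key] block to {value_name: numeric_value} for numeric lines only."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        val_match = VALUE_RE.match(line)
        if val_match:
            name, hexval, decval = val_match.groups()
            result[current][name] = int(hexval, 16) if hexval else int(decval)
    return result


def find_weakened_settings(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, description) for every rule that fires on the log."""
    findings = []
    for key, values in parse_reg_section(text).items():
        lowered = key.lower()
        for fragment, name, bad_value, desc in WEAKENING_RULES:
            if fragment in lowered and values.get(name) == bad_value:
                findings.append((key, name, desc))
    return findings


if __name__ == "__main__":
    for key, name, desc in find_weakened_settings(SAMPLE_LOG):
        print(f"{desc}: {name} under [{key}]")
```

On the log above every rule fires, which matches the symptoms in the thread: the firewall settings button doing nothing and no Security Center warnings while protection was off.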




