Infected with TDSS/TDL3


  • This topic is locked
20 replies to this topic

#1 S.Daedalus (Members)

Posted 12 April 2010 - 12:02 PM

I am hoping that someone can help me with the following problem.

On 10 April my PC was infected with Windows Security Tool. I got rid of it using Malwarebytes and Combofix which seemed to do the trick. A full day later, Norton AV repeatedly showed a pop up saying that it had blocked Packed.Generic.295. I again used Malwarebytes and Combofix. Norton no longer warns about Packed.Generic.295. Instead, it repeatedly warns about blocked intrusion attempts. The warnings are:

An intrusion attempt by m01n83kjf7.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEEXPLORE.EXE.
An intrusion attempt by zz87jhfda88.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE.
An intrusion attempt by 19js810300z.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE.

Another symptom of infection is that occasionally, when clicking on a link, the current IE window will go to the correct URL, but another IE window will open and try to go to another URL which is not found.
The third symptom is that Google Chrome no longer works. When opening Chrome, it hangs and then opens a pop up saying the page is unresponsive.

Neither Norton nor Malwarebytes scans find anything. Combofix deletes c:\Windows\temp\LVPrcinj01.dll which is used by my Logitech Quickcam and is recreated on rebooting.

TDSSKiller finds a problem with atapi.sys which it claims to fix. However, on rebooting it finds the same problem again, claims to fix it again, and so on.

I am running out of ideas and would really appreciate some help. Thanks.


DDS (Ver_10-03-17.01) - NTFSx86
Run by daedalus at 23:01:13.37 on Mon 12/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2533 [GMT 10:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\IBM\unishared\unirpc\unirpcd.exe
C:\IBM\UV\bin\uvservice.exe
C:\WINDOWS\Explorer.EXE
C:\IBM\UV\bin\tl_service.exe
C:\IBM\UV\bin\uvdlockd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett Packard\Recovery\Recovery.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Philips\VOIP321\VOIP321.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Documents and Settings\daedalus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\daedalus\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recovery] c:\program files\hewlett packard\recovery\Recovery.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [kmw_run.exe] kmw_run.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\daedalus\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\daedalus\startm~1\programs\startup\voip321.lnk - c:\program files\philips\voip321\VOIP321.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turnerfreeman.com.au\tfapps
Trusted Zone: westpac.com.au\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244442783796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-6 329592]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-4-12 67584]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-5-21 576024]
R2 unirpc;Uni RPC Service;c:\ibm\unishared\unirpc\unirpcd.exe [2009-6-7 28672]
R2 universe;UniVerse Resource Service;c:\ibm\uv\bin\uvservice.exe [2009-6-7 20480]
R2 uvtelnet;UniVerse Telnet Service;c:\ibm\uv\bin\tl_service.exe [2009-6-7 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100411.019\NAVENG.SYS [2010-4-12 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100411.019\NAVEX15.SYS [2010-4-12 1324720]
R3 PEGAIO;PEGAIO;c:\program files\hewlett packard\recovery\PegaIo32.sys [2009-5-21 18488]
S2 gupdate1c9e78272d5ea1a;Google Update Service (gupdate1c9e78272d5ea1a);c:\program files\google\update\GoogleUpdate.exe [2009-6-8 133104]
S4 0055191244212240mcinstcleanup;McAfee Application Installer Cleanup (0055191244212240);c:\docume~1\admini~1\locals~1\temp\005519~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\005519~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2010-04-12 12:54:28 0 d-----w- c:\program files\Cobian Backup 10
2010-04-12 12:33:32 0 ----a-w- c:\documents and settings\daedalus\defogger_reenable
2010-04-12 08:15:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-04-12 06:06:39 118784 ----a-w- c:\windows\system32\chg.exe
2010-04-11 17:44:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-11 17:44:02 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-11 16:38:26 98816 ----a-w- c:\windows\sed.exe
2010-04-11 16:38:26 77312 ----a-w- c:\windows\MBR.exe
2010-04-11 16:38:26 261632 ----a-w- c:\windows\PEV.exe
2010-04-11 16:38:26 161792 ----a-w- c:\windows\SWREG.exe
2010-04-04 06:10:37 0 d-----w- C:\Theary Visa
2010-03-27 03:47:00 83 ----a-w- c:\windows\webica.ini

==================== Find3M ====================

2010-04-12 12:10:49 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-12 12:09:20 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-12 03:49:28 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-12 03:49:28 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 23:41:48 220112 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2010-02-25 00:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-16 04:50:23 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-07 12:04:12 389120 ----a-w- c:\windows\system32\CF2133.exe
2009-06-15 14:30:08 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 23:02:43.75 ===============
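An added example (not from the post, BleepingComputer or Norton) that applies a defender's triage to the Norton alert lines quoted in the post above: it parses each alert, scores the contacted domain's second-level label for the digit-heavy, vowel-poor shape of algorithmically generated names, and raises the severity when the originating image is a Windows service host such as svchost.exe, which has no business contacting such a name. The sample lines are constructed from the alerts in the post plus one benign control; the thresholds and the SYSTEM_IMAGES set are assumptions, not published rules.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first three lines reproduce the Norton IPS
# alerts quoted in the post; the fourth is a benign control added for contrast.
SAMPLE_ALERTS = [
    r"An intrusion attempt by m01n83kjf7.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.",
    r"An intrusion attempt by zz87jhfda88.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE.",
    r"An intrusion attempt by 19js810300z.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE.",
    r"An intrusion attempt by update.microsoft.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.",
]

ALERT_RE = re.compile(
    r"An intrusion attempt by (?P<domain>[\w.-]+) was blocked\. "
    r"Application path (?P<path>.+?)\.?\s*$"
)

# Assumed list: service hosts and logon-chain processes that never initiate
# web connections to arbitrary internet names on their own. An alert naming
# one of them points at code running inside the process, not at the process.
SYSTEM_IMAGES = {"SVCHOST.EXE", "SERVICES.EXE", "LSASS.EXE", "WINLOGON.EXE", "CSRSS.EXE"}


@dataclass
class Alert:
    domain: str   # contacted host name, lower-cased
    process: str  # image file name of the originating process, upper-cased
    path: str     # full device path exactly as Norton reported it


def parse_alert(line):
    """Return an Alert for a Norton 'intrusion attempt' line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    return Alert(m.group("domain").lower(), path.rsplit("\\", 1)[-1].upper(), path)


def registrable_label(domain):
    """Second-level label, skipping short public suffixes such as com.au."""
    parts = domain.split(".")
    if len(parts) >= 3 and len(parts[-2]) <= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    digits = sum(c.isdigit() for c in label)
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    # number of letter<->digit switches along the label
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(label, label[1:]))
    return {
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "transitions": transitions,
    }


def looks_generated(label):
    """Assumed thresholds: brand names rarely carry many digits or no vowels."""
    f = dga_features(label)
    if f["digit_ratio"] >= 0.3:
        return True
    return f["transitions"] >= 2 and f["vowel_ratio"] < 0.2


def severity(alert):
    if not looks_generated(registrable_label(alert.domain)):
        return "low"     # blocked, but the name itself is unremarkable
    if alert.process in SYSTEM_IMAGES:
        return "high"    # generated name from a service host: injected code
    return "medium"      # generated name from a browser: hijack or redirect


def triage(lines):
    """Map alert lines to (domain, process, severity); unparsable lines are skipped."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            results.append((alert.domain, alert.process, severity(alert)))
    return results


if __name__ == "__main__":
    for domain, process, level in triage(SAMPLE_ALERTS):
        print(f"{level:6} {process:14} {domain}")
```

The two svchost.exe alerts come out "high" and the iexplore.exe one "medium", which matches the poster's split between a blocked system process and a browser that opens extra windows to unknown URLs.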

#2 Noviciate (Malware Response Team)

Posted 12 April 2010 - 02:18 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#3 S.Daedalus (Topic Starter)

Posted 12 April 2010 - 10:19 PM

Thanks for getting back to me so soon.

I followed the instructions and ran ComboFix. Interestingly, this time it found no problems and hence did not reboot. However, the symptoms are still occurring. Norton has blocked the following intrusion attempts:
An intrusion attempt by m01n83kjf7.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.
An intrusion attempt by 30xc1cjh91.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.
An intrusion attempt by 19js810300z.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE.

Here is the ComboFix log:

ComboFix 10-04-12.03 - daedalus 13/04/2010 12:53:48.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2296 [GMT 10:00]
Running from: c:\documents and settings\daedalus\Desktop\kfg.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 02:09 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG.SYS
2010-04-13 02:09 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX15.SYS
2010-04-13 02:09 . 2010-01-16 23:17 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\EECTRL.SYS
2010-04-13 02:09 . 2010-01-16 23:17 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\CCERASER.DLL
2010-04-13 02:09 . 2010-01-16 23:17 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ECMSVR32.DLL
2010-04-13 02:09 . 2010-01-16 23:17 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG32.DLL
2010-04-13 02:09 . 2010-01-16 23:17 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX32A.DLL
2010-04-13 02:09 . 2010-01-16 23:17 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ERASER.SYS
2010-04-12 18:53 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-12 18:53 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-12 18:53 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-12 18:53 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-12 18:53 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-12 12:56 . 2010-04-12 12:56 -------- d-----w- c:\documents and settings\daedalus\Local Settings\Application Data\Safe mirror
2010-04-12 12:54 . 2010-04-12 12:55 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-12 06:06 . 2010-04-12 15:48 118784 ----a-w- c:\windows\system32\chg.exe
2010-04-11 17:44 . 2010-04-11 17:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-11 17:44 . 2010-04-11 17:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-11 17:43 . 2010-04-11 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-05 21:31 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-05 21:31 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-05 21:31 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-05 21:31 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-05 21:31 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-04 06:10 . 2010-04-12 02:48 -------- d-----w- C:\Theary Visa
2010-03-31 08:29 . 2010-03-31 08:29 -------- d-----w- c:\program files\Common Files\Skype
2010-03-23 21:51 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\Scxpx86.dll
2010-03-23 21:51 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSxpx86.dll
2010-03-23 21:51 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSvix86.sys
2010-03-23 21:51 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSXpx86.sys
2010-03-23 21:51 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 02:48 . 2009-09-14 09:17 -------- d-----w- c:\documents and settings\daedalus\Application Data\Skype
2010-04-12 22:09 . 2009-09-14 09:57 -------- d-----w- c:\documents and settings\daedalus\Application Data\skypePM
2010-04-12 15:47 . 2009-07-22 11:54 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-12 12:09 . 2004-08-04 00:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-12 08:48 . 2009-08-26 10:55 -------- d-----w- c:\program files\3GP Player 2009
2010-04-12 08:15 . 2010-04-12 08:15 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-04-12 03:49 . 2006-02-28 02:00 24576 ------w- c:\windows\system32\drivers\kbdclass.sys
2010-04-11 15:07 . 2009-10-07 10:28 -------- d-----w- c:\documents and settings\daedalus\Application Data\BitTorrent
2010-04-10 15:47 . 2009-06-19 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 15:47 . 2010-02-07 10:54 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-29 14:46 . 2009-06-19 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 14:45 . 2009-06-19 18:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 13:25 . 2009-05-21 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 23:41 . 2009-05-21 05:33 220112 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2010-02-25 06:24 . 2006-02-28 02:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:24 . 2010-02-24 13:24 161696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-07 12:04 . 2010-02-07 12:06 389120 ----a-w- c:\windows\system32\CF2133.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-04-11_16.51.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-12 15:48 . 2010-04-12 15:48 16384 c:\windows\Temp\Perflib_Perfdata_37c.dat
+ 2010-04-12 15:48 . 2010-04-12 15:48 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat
+ 2006-04-25 17:43 . 2010-04-11 16:55 96684 c:\windows\system32\perfc009.dat
- 2006-04-25 17:43 . 2010-04-10 15:44 96684 c:\windows\system32\perfc009.dat
+ 2008-02-28 17:13 . 2008-02-28 17:13 28944 c:\windows\system32\drivers\LUsbFilt.sys
- 2006-02-28 02:00 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\kbdclass.sys
+ 2006-02-28 02:00 . 2010-04-12 03:49 24576 c:\windows\system32\dllcache\kbdclass.sys
+ 2010-04-12 15:48 . 2010-04-12 15:49 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
- 2010-04-11 16:50 . 2010-04-11 16:52 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2006-04-25 17:43 . 2010-04-11 16:55 512110 c:\windows\system32\perfh009.dat
- 2006-04-25 17:43 . 2010-04-10 15:44 512110 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-08 26100520]
"Google Update"="c:\documents and settings\daedalus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"Recovery"="c:\program files\Hewlett Packard\Recovery\Recovery.exe" [2008-11-04 647168]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-07 2780432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\daedalus\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
VOIP321.lnk - c:\program files\Philips\VOIP321\VOIP321.exe [2007-5-3 376832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-11 805392]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 16:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"Ati HotKey Poller"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/02/2010 6:19 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/02/2010 6:19 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/02/2010 6:19 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSXpx86.sys [13/04/2010 4:53 AM 329592]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [12/04/2010 10:55 PM 67584]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/02/2010 6:19 PM 117640]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [21/05/2009 3:54 PM 576024]
R2 unirpc;Uni RPC Service;c:\ibm\unishared\unirpc\unirpcd.exe [7/06/2009 4:13 PM 28672]
R2 universe;UniVerse Resource Service;c:\ibm\UV\bin\uvservice.exe [7/06/2009 4:13 PM 20480]
R2 uvtelnet;UniVerse Telnet Service;c:\ibm\UV\bin\tl_service.exe [7/06/2009 4:13 PM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/08/2009 3:42 AM 102448]
R3 PEGAIO;PEGAIO;c:\program files\Hewlett Packard\Recovery\PegaIo32.sys [21/05/2009 3:54 PM 18488]
S2 gupdate1c9e78272d5ea1a;Google Update Service (gupdate1c9e78272d5ea1a);c:\program files\Google\Update\GoogleUpdate.exe [8/06/2009 1:12 AM 133104]
S4 0055191244212240mcinstcleanup;McAfee Application Installer Cleanup (0055191244212240);c:\docume~1\ADMINI~1\LOCALS~1\Temp\005519~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\005519~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SWPRV
*NewlyCreated* - VSS
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-07 15:11]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 15:12]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 15:12]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-793307784-3032878767-1339094377-1011Core.job
- c:\documents and settings\daedalus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 18:41]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-793307784-3032878767-1339094377-1011UA.job
- c:\documents and settings\daedalus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 18:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turnerfreeman.com.au\tfapps
Trusted Zone: westpac.com.au\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA94AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
\Driver\iaStor -> iaStor.sys @ 0xb9d02e74
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dcebb0
PacketIndicateHandler -> NDIS.sys @ 0xb9ddbb21
SendHandler -> NDIS.sys @ 0xb9db987b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5144)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-13 13:03:46
ComboFix-quarantined-files.txt 2010-04-13 03:03
ComboFix2.txt 2010-04-12 15:54
ComboFix3.txt 2010-04-11 17:23
ComboFix4.txt 2010-04-11 16:57
ComboFix5.txt 2010-04-13 02:52

Pre-Run: 409,184,890,880 bytes free
Post-Run: 409,196,900,352 bytes free

- - End Of File - - A9D1854BF1FAF0E106EB1C3EFF79D172




#4 S.Daedalus
  • Topic Starter

Posted 13 April 2010 - 03:36 AM

There is one other thing I forgot to mention that may give you a clue. Since the infection IE occasionally gives an error such as 'The instruction at "oxo2f57776" referenced memory at "0x6bf54c08". The memory could not be "read".'
Hope this helps.

#5 Noviciate
  • Malware Response Team

Posted 13 April 2010 - 02:12 PM

Good evening.

The nasty you have is the latest generation and takes a little more shifting than previous versions I'm afraid. Please work through the following and post accordingly:

Please download BootCheck.exe and save it to your Desktop.
  • Double click BootCheck.exe to run the tool.
  • A Command Window will open and close a few seconds later and a Notepad window will then appear, as if by magic, with some text in it
  • Assuming you can contain your excitement, please post the contents in your next reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    *kbdclass*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.

#6 S.Daedalus
  • Topic Starter

Posted 13 April 2010 - 10:09 PM

Good afternoon.

The results follow below.

Yours with a due sense of awe.

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:03 on 14/04/2010 by daedalus (Administrator - Elevation successful)

========== filefind ==========

Searching for "*kbdclass*"
C:\cmdcons\KBDCLASS.SY_ --a--- 12223 bytes [11:58 03/08/2004] [11:58 03/08/2004] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\i386\KBDCLASS.SY_ --a--- 12223 bytes [07:00 28/02/2006] [07:00 28/02/2006] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys -----c 24576 bytes [23:05 05/06/2009] [02:00 28/02/2006] EBDEE8A2EE5393890A1ACEE971C4C246
C:\WINDOWS\ERDNT\cache\kbdclass.sys --a--- 24576 bytes [12:23 07/02/2010] [03:49 12/04/2010] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys ------ 24576 bytes [18:39 13/04/2008] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\dllcache\kbdclass.sys --a--- 24576 bytes [02:00 28/02/2006] [03:49 12/04/2010] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\drivers\kbdclass.sys ------ 24576 bytes [02:00 28/02/2006] [03:49 12/04/2010] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\system32\ReinstallBackups\0029\DriverFiles\i386\kbdclass.sys --a--- 24576 bytes [12:55 11/09/2009] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128

-=End Of File=-

#7 S.Daedalus
  • Topic Starter

Posted 14 April 2010 - 10:38 AM

Hi Noviciate,

I just wanted to let you know 2 things that I discovered today. The first is that the rotten little bugger tries to cover its tracks by periodically clearing the "intrusion attempt" entries from Norton's security history.

The second thing is puzzling, at least to me. Sometimes when I have an IE window open, a new window will open automatically. Usually, it opens a URL and then goes to my home page - www.google.com.au. Sometimes however it stays at the first URL. In either case, the URL is saved in my browsing history. I have gone through the history and in each case the URL is for a reputable organisation. But the thing that really puzzles me is that there are parameters in the URL that are to do with the site that I was viewing. For example, I was reading The Economist online when a new window took me to La Trobe university as follows:
http://www.latrobe.edu.au/postgrad/?src=pa...&OVNDID=ND2

I don't know if any of this is useful to you, but do you know what the story is with these URLs?

Thanks heaps.



#8 Noviciate
  • Malware Response Team

Posted 14 April 2010 - 01:40 PM

Good evening.

I can't say I know much about the inner workings of this slime, but hopefully I know enough to help you get rid of it - fingers crossed. The first thing you need to do is to copy a file to the root of your hard drive - the location is important.

C:\WINDOWS\system32\ReinstallBackups\0029\DriverFiles\i386\kbdclass.sys needs to become C:\kbdclass.sys.

Please note that you are copying rather than cut and pasting as you might need a back-up in the future.

Now read through the following instructions to be sure that you understand what is required and if you are unclear about anything at all, ask BEFORE you begin:
  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up/down arrow keys to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto (there may be more than one) - select the C:\Windows option and press Enter.

You are now revisiting the early days of computers before the pretty clicky buttons where everything was text based. You will need to enter the following three commands one at a time, pressing Enter after each, ensuring that you do so exactly as shown:
    cd c:\windows\system32\drivers
    ren kbdclass.sys kbdclass.old
    copy c:\kbdclass.sys c:\windows\system32\drivers
The first command is just to change the location to the relevant folder.
The second command renames the infected file, disabling it but keeping it in the same location should it be required.
The third command copies the file you placed in the root of drive and places it in the correct folder.

After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message you need to enter the copy command again ensuring that you have done so correctly.
If you still do not see the message, you should enter the following command:
    ren kbdclass.old kbdclass.sys
This will restore the infected file so that your system will reboot OK.

If you should be prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

Regardless of whether all went well or not, once you have completed the three commands, to exit the Recovery Console you need to enter exit and hit Enter - this will reboot your system as normal.

Let me know how you got on.

So long, and thanks for all the fish.

#9 S.Daedalus
  • Topic Starter

Posted 15 April 2010 - 05:07 AM

Good evening.

It's looking good. I followed your instructions. Since then Norton has not raised any alerts and I have not had any pop-ups.

We may not be out of the woods yet though. eSafe still gives a positive result when I run atapi.sys through virustotal. I won't run any clean up tools like ComboFix or TDSSKiller until you give me the all clear.

Thanks so much for your help. You have been fantastic.

#10 Noviciate
  • Malware Response Team

Posted 15 April 2010 - 01:11 PM

Good evening.

Will you copy and paste the results that Virus Total is giving you - there should be some file information as well as the results from the various scans.

So long, and thanks for all the fish.

#11 S.Daedalus
  • Topic Starter

Posted 16 April 2010 - 05:15 AM

Good evening.

Here are the Virus Total results.

It may be a false positive as TDSSKiller does not see any infections, but did before I applied your fix.

Thanks again.

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.16 -
AhnLab-V3 5.0.0.2 2010.04.16 -
AntiVir 7.10.6.111 2010.04.16 -
Antiy-AVL 2.0.3.7 2010.04.16 -
Authentium 5.2.0.5 2010.04.16 -
Avast 4.8.1351.0 2010.04.14 -
Avast5 5.0.332.0 2010.04.14 -
AVG 9.0.0.787 2010.04.16 -
BitDefender 7.2 2010.04.16 -
CAT-QuickHeal 10.00 2010.04.16 -
ClamAV 0.96.0.3-git 2010.04.16 -
Comodo 4612 2010.04.16 -
DrWeb 5.0.2.03300 2010.04.16 -
eSafe 7.0.17.0 2010.04.15 Win32.Rootkit
eTrust-Vet 35.2.7429 2010.04.16 -
F-Prot 4.5.1.85 2010.04.16 -
F-Secure 9.0.15370.0 2010.04.16 -
Fortinet 4.0.14.0 2010.04.15 -
GData 19 2010.04.16 -
Ikarus T3.1.1.80.0 2010.04.16 -
Jiangmin 13.0.900 2010.04.16 -
Kaspersky 7.0.0.125 2010.04.16 -
McAfee 5.400.0.1158 2010.04.16 -
McAfee-GW-Edition 6.8.5 2010.04.16 -
Microsoft 1.5605 2010.04.16 -
NOD32 5032 2010.04.15 -
Norman 6.04.11 2010.04.16 -
nProtect 2010-04-16.01 2010.04.16 -
Panda 10.0.2.7 2010.04.15 -
PCTools 7.0.3.5 2010.04.16 -
Prevx 3.0 2010.04.16 -
Rising 22.43.04.03 2010.04.16 -
Sophos 4.52.0 2010.04.16 -
Sunbelt 6182 2010.04.16 -
Symantec 20091.2.0.41 2010.04.16 -
TheHacker 6.5.2.0.262 2010.04.15 -
TrendMicro 9.120.0.1004 2010.04.15 -
VBA32 3.12.12.4 2010.04.15 -
ViRobot 2010.4.16.2279 2010.04.16 -
VirusBuster 5.0.27.0 2010.04.15 -
Additional information
File size: 96512 bytes
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159F7
timedatestamp.....: 0x4802539D (Sun Apr 13 20:40:29 2008)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97BA 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9B80 0x18E8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xB480 0xA64 0xA80 4.31 8523651899e28819a14bf9415af25708
.data 0xBF00 0xD94 0xE00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xCD00 0x157F 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xE280 0x61DA 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22BE 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3E0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16B80 0xD20 0xD80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...f062c712cfa2674
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
sigcheck: publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set



#12 Noviciate
  • Malware Response Team

Posted 16 April 2010 - 01:48 PM

Good evening.

Although I also tend to think that this is a false positive given the lack of supporting detections, I think that it wouldn't hurt to replace the file just to be on the safe side - assuming you have a back-up handy.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    *atapi*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

If you still have the file from your previous search, you get to save the bandwidth and use that.

So long, and thanks for all the fish.

#13 S.Daedalus
  • Topic Starter

Posted 17 April 2010 - 05:27 AM

Good evening.

Here it is. I am guessing that we will replace it with C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys as we did with kbdclass.sys, but I will wait until you give the go ahead.

Thanks


========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [11:59 03/08/2004] [11:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Documents and Settings\Flavio\Local Settings\Temporary Internet Files\Content.IE5\7MWQ66UJ\Atapisys-infected_84382[1].html --a--- 72159 bytes [09:16 13/04/2010] [09:16 13/04/2010] C40F761D47EC7433069ADF230DD8E40B
C:\Documents and Settings\Flavio\Local Settings\Temporary Internet Files\Content.IE5\7MWQ66UJ\Backdoor-tidserv-infection-atapi-sys-virus-t261987[1].html --a--- 8029 bytes [13:34 13/04/2010] [13:34 13/04/2010] 2365C2F92A40F9A55EA7A429F06995E0
C:\Documents and Settings\Flavio\Local Settings\Temporary Internet Files\Content.IE5\7MWQ66UJ\cdrom-sys-atapi-sys[1].htm --a--- 26808 bytes [16:04 13/04/2010] [16:04 13/04/2010] 2BFB8E6CB827DC1C9E93E941031DC244
C:\Documents and Settings\Flavio\Local Settings\Temporary Internet Files\Content.IE5\E6FYW1PG\Backdoor-tidserv-infection-atapi-sys-virus-t261987[1].html --a--- 8031 bytes [13:34 13/04/2010] [13:34 13/04/2010] 30B5FE08C3D3E3D427BE6342498BAD0A
C:\Documents and Settings\Flavio\Local Settings\Temporary Internet Files\Content.IE5\ZH34U084\Backdoor-tidserv-infection-atapi-sys-virus-t261987[1].html --a--- 845786 bytes [13:34 13/04/2010] [13:34 13/04/2010] 1FA164D626EC7ADB7AE58806941008DF
C:\i386\ATAPI.SY_ --a--- 49558 bytes [07:00 28/02/2006] [07:00 28/02/2006] 28541D14647BB58502D09D1CEAEE6684
C:\i386\COMPDATA\DECATAPI.HTM --a--- 881 bytes [07:00 28/02/2006] [07:00 28/02/2006] FDA00ABB8831E4903E9442E9B01843ED
C:\i386\COMPDATA\DECATAPI.TXT --a--- 449 bytes [07:00 28/02/2006] [07:00 28/02/2006] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:05 05/06/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [12:23 07/02/2010] [12:09 12/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [00:59 04/08/2004] [12:09 12/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--- 95360 bytes [05:37 21/05/2009] [00:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
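The hash comparison that the two SystemLook listings in this thread (posts #6 and #13) invite you to do by eye, as an added Python example that is not part of the thread, of SystemLook, or of anything the posters ran: it parses `:filefind` result lines, groups the copies of a driver by MD5, and reports whether the copy that is actually loaded from system32\drivers agrees with the ServicePackFiles\i386 reference copy, which backups share the reference hash (and so are candidates for the Recovery Console copy step in post #8), and which copies diverge. The log it runs on is constructed for the example (hypothetical driver `example.sys`, obviously fake hashes), deliberately with the live copy differing from the reference; the function names `parse_filefind`, `by_hash` and `triage` are mine.

```python
r"""Triage the copies of a driver listed by a SystemLook ':filefind' run.

Added example for this thread; not SystemLook's own code.  Result lines
have the form

    <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>

The sample log below is constructed with fake hashes; the live copy in
system32\drivers is made to differ from the ServicePackFiles reference.
"""
import re
from collections import defaultdict

# One SystemLook result line.  The attribute field is six characters
# drawn from '-' and lowercase letters ('--a---', '-----c', '------').
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+'
    r'\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$'
)

# Constructed sample log in SystemLook's format (hypothetical 'example.sys').
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:03 on 14/04/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "*example*"
C:\i386\EXAMPLE.SY_ --a--- 12223 bytes [07:00 28/02/2006] [07:00 28/02/2006] 11111111111111111111111111111111
C:\WINDOWS\$NtServicePackUninstall$\example.sys -----c 24576 bytes [23:05 05/06/2009] [02:00 28/02/2006] 22222222222222222222222222222222
C:\WINDOWS\ServicePackFiles\i386\example.sys ------ 24576 bytes [18:39 13/04/2008] [18:39 13/04/2008] 33333333333333333333333333333333
C:\WINDOWS\system32\dllcache\example.sys --a--- 24576 bytes [02:00 28/02/2006] [03:49 12/04/2010] 33333333333333333333333333333333
C:\WINDOWS\system32\drivers\example.sys ------ 24832 bytes [02:00 28/02/2006] [03:49 12/04/2010] 44444444444444444444444444444444
C:\WINDOWS\system32\ReinstallBackups\0029\DriverFiles\i386\example.sys --a--- 24576 bytes [12:55 11/09/2009] [18:39 13/04/2008] 33333333333333333333333333333333

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict per result line; headers and footers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e['size'] = int(e['size'])
            e['md5'] = e['md5'].upper()
            entries.append(e)
    return entries


def by_hash(entries):
    """Map each MD5 to the paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e['md5']].append(e['path'])
    return dict(groups)


def triage(entries, driver_name):
    """Compare the live driver with the service-pack reference copy.

    Only copies with exactly this file name are considered, so compressed
    .SY_ cabinet copies are left out.  An on-disk hash match is necessary
    but not sufficient: a kernel rootkit can filter reads of the file it
    infected, which is why the thread replaces the driver from the offline
    Recovery Console rather than trusting a hash taken from the running system.
    """
    name = '\\' + driver_name.lower()
    same = [e for e in entries if e['path'].lower().endswith(name)]
    live = next((e for e in same if '\\system32\\drivers\\' in e['path'].lower()), None)
    ref = next((e for e in same if '\\servicepackfiles\\i386\\' in e['path'].lower()), None)
    if live is None or ref is None:
        raise ValueError('live or reference copy of %s not found in log' % driver_name)
    backups = [e['path'] for e in same
               if e['md5'] == ref['md5'] and e is not live and e is not ref]
    divergent = [(e['path'], e['md5'], e['size']) for e in same
                 if e['md5'] != ref['md5'] and e is not live]
    return {
        'live_md5': live['md5'],
        'ref_md5': ref['md5'],
        'live_matches_reference': live['md5'] == ref['md5'],
        'usable_backups': backups,
        'divergent_copies': divergent,
    }


if __name__ == '__main__':
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in by_hash(found).items():
        print(md5, len(paths), 'copies')
    print(triage(found, 'example.sys'))
```

Fed the real atapi listing above instead of the constructed log, the same check would report the live copy agreeing with the ServicePackFiles reference and the ReinstallBackups\0003 copy as divergent (it carries the same hash and 95360-byte size as the $NtServicePackUninstall$ copy), which matches Noviciate's decision not to replace it.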

#14 Noviciate
  • Malware Response Team

Posted 17 April 2010 - 02:19 PM

Good evening.

Just out of interest I submitted my copy of atapi.sys to VirusTotal and got the same result (eSafe 7.0.17.0 2010.04.15 Win32.Rootkit), which suggests to me that the AV in question is a little confused. Given that your system doesn't show any symptoms of the infection I'd say that the issue was resolved, but I'd like a scan to support the theory:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log (run in Normal Mode) AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#15 S.Daedalus
  • Topic Starter

Posted 18 April 2010 - 05:35 AM

Good evening.

Here are the MBAM and DDS logs. MBAM did not find anything and the PC is working very well. The only concern is that a few hours ago Norton detected and quarantined Trojan.Gen. This was strange as I have not used the internet much over the last few days and all the sites I have visited have been super safe. When the trojan was detected I was actually on the Malwarebytes download page.

Thanks

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4003

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/04/2010 5:39:11 PM
mbam-log-2010-04-18 (17-39-11).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 228363
Time elapsed: 58 minute(s), 41 second(s)



Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_10-03-17.01) - NTFSx86
Run by daedalus at 20:26:22.06 on Sun 18/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2256 [GMT 10:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\IBM\unishared\unirpc\unirpcd.exe
C:\IBM\UV\bin\uvservice.exe
C:\IBM\UV\bin\tl_service.exe
C:\IBM\UV\bin\uvdlockd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett Packard\Recovery\Recovery.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Philips\VOIP321\VOIP321.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\MCUI32.EXE
C:\Documents and Settings\daedalus\Desktop\Defogger.exe
C:\Documents and Settings\daedalus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\daedalus\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recovery] c:\program files\hewlett packard\recovery\Recovery.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [kmw_run.exe] kmw_run.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\daedalus\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\daedalus\startm~1\programs\startup\voip321.lnk - c:\program files\philips\voip321\VOIP321.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turnerfreeman.com.au\tfapps
Trusted Zone: westpac.com.au\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244442783796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100415.001\IDSXpx86.sys [2010-4-17 329592]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-4-12 67584]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-5-21 576024]
R2 unirpc;Uni RPC Service;c:\ibm\unishared\unirpc\unirpcd.exe [2009-6-7 28672]
R2 universe;UniVerse Resource Service;c:\ibm\uv\bin\uvservice.exe [2009-6-7 20480]
R2 uvtelnet;UniVerse Telnet Service;c:\ibm\uv\bin\tl_service.exe [2009-6-7 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-20 38224]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100417.020\NAVENG.SYS [2010-4-18 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100417.020\NAVEX15.SYS [2010-4-18 1324720]
R3 PEGAIO;PEGAIO;c:\program files\hewlett packard\recovery\PegaIo32.sys [2009-5-21 18488]
S2 gupdate1c9e78272d5ea1a;Google Update Service (gupdate1c9e78272d5ea1a);c:\program files\google\update\GoogleUpdate.exe [2009-6-8 133104]
S4 0055191244212240mcinstcleanup;McAfee Application Installer Cleanup (0055191244212240);c:\docume~1\admini~1\locals~1\temp\005519~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\005519~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2010-04-18 03:03:35 0 d-----w- c:\docume~1\daedalus\applic~1\Uniblue
2010-04-16 00:50:22 0 d-----w- c:\program files\VirusTotalUploader2
2010-04-15 09:23:40 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-15 09:23:40 24576 ----a-w- C:\kbdclass.sys
2010-04-12 12:54:28 0 d-----w- c:\program files\Cobian Backup 10
2010-04-12 12:33:32 0 ----a-w- c:\documents and settings\daedalus\defogger_reenable
2010-04-12 08:15:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-04-11 17:44:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-11 17:44:02 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-11 16:38:26 98816 ----a-w- c:\windows\sed.exe
2010-04-11 16:38:26 77312 ----a-w- c:\windows\MBR.exe
2010-04-11 16:38:26 261632 ----a-w- c:\windows\PEV.exe
2010-04-11 16:38:26 161792 ----a-w- c:\windows\SWREG.exe
2010-04-04 06:10:37 0 d-----w- C:\Theary Visa
2010-03-27 03:47:00 83 ----a-w- c:\windows\webica.ini

==================== Find3M ====================

2010-04-18 05:29:22 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-12 12:09:20 96512 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-12 12:09:20 96512 ----a-w- C:\atapi.sys
2010-04-12 03:49:28 24576 ----a-w- c:\windows\system32\drivers\kbdclass.old
2010-04-12 03:49:28 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-07 23:41:48 220112 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2010-02-25 00:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-16 23:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 04:50:23 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-02-07 12:04:12 389120 ----a-w- c:\windows\system32\CF2133.exe
2009-06-15 14:30:08 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 20:26:43.82 ===============

Attached Files