
MBAM and Avast scanned. Unknown malware still remains.


  • This topic is locked
2 replies to this topic

#1 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 22 September 2010 - 10:44 PM

There is malware on this windows XP Home box. Whenever I run a file system scanner from explorer (in both safe mode and not), the malware will kill the process after it runs for a bit then sets the file permissions to:

CODE
m.exe Everyone:(NP)(special access:)
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES


so the program cannot be executed again.

I thought maybe it was using system event notification to watch the other tasks, but alas, it still kills them and locks them with this service off.

I dropped back to the earliest system restore point (July) and it's still loading. It's either a long term infection or a rootkit.

The system was infected with a TDL3 variant and about 13 various other malware packages. I assume there is some kind of program dropping stuff on here. Using GMER I found the atapi.sys and tcpip.sys were both hooked so I replaced them with originals and those detections went away.

Something still remains. I found 2 suspiciously named/dated .dll files in the windows directory and uploaded them to virscan.org, and they were exact match positives only on 3 of the databases (microsoft, nprotect, and sophos) and none of the heuristics picked them up. I assume this is a fairly new variant.

I can operate in safe mode with command prompt without the process killing tasks and changing permissions on me. I'm a 20 year tech, but this one has got me by the balls.

Anyone with more experience in malware is welcome to help me out here. Also, anyone know of a tool that I can use to fix the file permission as a batch process on the system to give access back to the programs this malware has locked out?


I didn't finish the gmer files scan, as I ran out of time and there are oodles of misc porn on the drive to scan through. I'll do it later (when I get access to the box again) if I can't get it resolved by this, but the scan did run through the user profiles and WINDOWS as far as I could tell.

-----



DDS (Ver_10-03-17.01) - NTFSx86
Run by Marc at 19:31:35.10 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.494 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\palmOne\AlarmApp.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\D-Link\DWA-130 revE\wirelesscm.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marc\Desktop\AV Rootkit\GMER.exe
C:\Documents and Settings\Marc\Desktop\AV Combofix\dds.scr
C:\WINDOWS\system32\wscntfy.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alarmm~1.lnk - c:\program files\palmone\AlarmApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-130 reve\wirelesscm.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: gainskeeper.com\amtd
Trusted Zone: nxcore.net\bar1
Trusted Zone: nxcore.net\bar2
Trusted Zone: pcc.edu
Trusted Zone: scottrade.com\trading
Trusted Zone: streamer.com
Trusted Zone: streamer.com\ameritrade01
Trusted Zone: streamer.com\ameritrade02
Trusted Zone: streamer.com\ameritrade03
Trusted Zone: streamer.com\ameritrade04
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\apis
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184055392375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://devryonline.webex.com/client/T26L/nbr/ieatgpc.cab
DPF: {E7B6AC3E-4F3F-41E2-BD03-F1772CC343E6} - hxxp://tools.wordenresearch.com/wsinstall/WordenStudioInstall.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marc\applic~1\mozilla\firefox\profiles\4ptae3ef.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\4ptae3ef.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\marc\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101059100&s=
============= SERVICES / DRIVERS ===============

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [2010-3-2 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-22 165456]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-22 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-22 40384]
R2 KillTheHooker;KillTheHooker;e:\tools\tdl3 razor\TizerBruteForceEx.sys [2010-9-22 22320]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-5-21 20480]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-22 40384]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2005-11-4 12800]
S0 qdiyu;qdiyu;c:\windows\system32\drivers\sqgdlny.sys --> c:\windows\system32\drivers\sqgdlny.sys [?]
S2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S2 WLSVC;WLSVC;c:\program files\d-link\dwa-130 reve\WLSVC.exe [2010-5-21 167936]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-22 40384]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-5-21 588032]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

=============== Created Last 30 ================

2010-09-23 01:19:17 0 d-----w- C:\20100922
2010-09-23 01:06:00 38848 ----a-w- c:\windows\avastSS.scr
2010-09-23 00:01:33 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 00:00:20 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-22 23:48:33 0 d-----w- c:\program files\Tizer™ Rootkit Razor
2010-09-22 23:12:35 0 d-----w- c:\documents and settings\marc\DoctorWeb
2010-09-22 22:37:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-22 19:35:27 0 d--h--w- c:\windows\PIF
2010-09-22 19:29:30 0 d-----w- c:\docume~1\marc\applic~1\SUPERAntiSpyware.com
2010-09-22 19:29:30 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-22 19:08:40 0 d-----w- c:\program files\CCleaner
2010-09-22 18:15:50 0 d-sha-r- C:\cmdcons
2010-09-22 18:10:08 70 ----a-w- C:\ComboFix Download Link #2.URL
2010-09-22 17:55:01 78848 ----a-w- C:\~kbclpr.dll.old
2010-09-22 17:55:01 203776 ----a-w- C:\~efipuqaz.dll.old
2010-09-22 17:54:35 0 d-----w- C:\ErdUndoCache
2010-09-22 17:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-22 17:02:33 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2010-09-22 17:02:29 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-09-22 17:02:25 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2010-09-22 17:02:21 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2010-09-22 17:02:16 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2010-09-22 17:02:12 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-09-22 17:02:08 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2010-09-22 17:02:04 67167 -c--a-w- c:\windows\system32\dllcache\hsf_bsc2.sys
2010-09-22 17:02:00 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-09-22 17:00:57 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-09-22 16:59:56 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-09-22 16:58:57 34816 -c--a-w- c:\windows\system32\dllcache\esuimg.dll
2010-09-22 16:57:57 19996 -c--a-w- c:\windows\system32\dllcache\em556n4.sys
2010-09-22 16:56:58 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2010-09-22 16:55:59 24648 -c--a-w- c:\windows\system32\dllcache\dfe650.sys
2010-09-22 16:54:59 6912 -c--a-w- c:\windows\system32\dllcache\ctlfacem.sys
2010-09-22 16:53:59 244224 -c--a-w- c:\windows\system32\dllcache\camext20.ax
2010-09-22 16:52:58 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-09-22 16:51:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-09-22 16:03:07 98816 ----a-w- c:\windows\sed.exe
2010-09-22 16:03:07 77312 ----a-w- c:\windows\MBR.exe
2010-09-22 16:03:07 256512 ----a-w- c:\windows\PEV.exe
2010-09-22 16:03:07 161792 ----a-w- c:\windows\SWREG.exe
2010-09-22 16:02:39 0 d-----w- C:\20100921
2010-09-21 09:29:43 120 ----a-w- c:\windows\Orofuj.dat
2010-09-21 09:29:43 0 ----a-w- c:\windows\Wkadevopebasus.bin
2010-09-14 18:35:06 4142592 ----a-w- c:\windows\system32\qtintf.dll
2010-09-14 18:35:05 0 d-----w- c:\program files\APC
2010-09-14 18:30:02 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2010-09-14 18:30:02 20352 ----a-w- c:\windows\system32\drivers\hidbatt.sys
2010-08-31 03:51:49 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-31 03:51:48 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-08-31 03:39:06 274432 ----a-w- c:\windows\system32\FFTIFF16.dll
2010-08-31 03:39:06 208896 ----a-w- c:\windows\system32\FFRafShellEx.dll
2010-08-31 03:39:05 155648 ----a-w- c:\windows\system32\FFRAFLIB.DLL
2010-08-31 03:37:50 81924 ------w- c:\windows\system32\drivers\VC4CB104.SYS
2010-08-31 03:37:49 65536 ------w- c:\windows\system32\FINFCHECK.dll
2010-08-31 03:37:49 45056 ------w- c:\windows\system32\FINFCOPY.dll
2010-08-31 03:37:49 0 d-----w- c:\program files\REGSHAVE
2010-08-31 03:37:47 69632 ------w- c:\windows\system32\FREGSHEX.DLL
2010-08-31 03:37:47 45056 ------w- c:\windows\system32\FCLKBTN.DLL

==================== Find3M ====================

2009-11-13 04:51:15 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-05-09 19:42:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 19:32:48.07 ===============

I left the machine at the owners house running DrWeb over night. I was just looking through the above reports after getting something to eat and noticed:

S0 qdiyu;qdiyu;c:\windows\system32\drivers\sqgdlny.sys --> c:\windows\system32\drivers\sqgdlny.sys [?]

why doesn't it have a date? I'm assuming this is a hostile file.

EDIT: Posts merged ~BP


Edited by Budapest, 23 September 2010 - 01:32 AM.
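One way to audit and undo the permission change described in the post in bulk, as an added example that is not from the original post or from any tool it names: it lists executables and DLLs carrying a non-inherited ACE for Everyone (the pattern in the cacls output above) and, with -Fix, removes those entries and re-enables inheritance from the parent folder. It assumes Windows PowerShell 2.0 or later (a separate install on XP) run from an elevated prompt; the default root path is a placeholder.

```powershell
# Added example (not from the original post): find .exe/.dll files whose DACL
# carries an explicit (non-inherited) ACE for Everyone and optionally restore
# the parent folder's inherited permissions. Run elevated; report-only unless
# -Fix is given. $Root is a constructed placeholder, adjust it to the tree
# the malware touched.
param(
    [string]$Root = 'C:\Program Files',
    [switch]$Fix
)

# Match on the well-known SID so a localized "Everyone" name is not a problem.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$results  = @()

Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    try { $acl = Get-Acl -Path $file.FullName } catch { return }

    # Only explicit ACEs matter: inherited ones come from the folder and are normal.
    $bad = @($acl.Access | Where-Object {
        if ($_.IsInherited) { return $false }
        try {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
        } catch { $false }
    })
    if ($bad.Count -eq 0) { return }

    foreach ($ace in $bad) {
        $results += New-Object PSObject -Property @{
            Path   = $file.FullName
            Type   = $ace.AccessControlType   # Allow or Deny
            Rights = $ace.FileSystemRights    # numeric for odd "special access" sets
        }
    }

    if ($Fix) {
        foreach ($ace in $bad) { [void]$acl.RemoveAccessRule($ace) }
        # Re-enable inheritance so the parent folder's ACEs apply again
        # (the second argument is ignored when inheritance is turned on).
        $acl.SetAccessRuleProtection($false, $false)
        try {
            Set-Acl -Path $file.FullName -AclObject $acl
        } catch {
            # Typically the owner was changed and WRITE_DAC is gone; take
            # ownership first (takeown / Set-Acl with an owner) and rerun.
            Write-Warning ("Could not fix {0}: {1}" -f $file.FullName, $_.Exception.Message)
        }
    }
  }

$results | Format-Table Path, Type, Rights -AutoSize
```

Run it once without -Fix to review the list, since a legitimate installer can also set an explicit Everyone ACE on its own binaries.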




#2 Gabrial

Gabrial
  • Topic Starter

  • Members
  • 468 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 24 September 2010 - 09:43 AM

Ok, I went back over last night and found it. It was a payload loading as a driver. I uploaded it to virscan.org and none of the 36 engines detected it. Guess I should submit it. Mission accomplished. This can close.
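A read-only check for the kind of entry that turned out to be the payload, as an added example that is not from the original posts or from DDS or GMER: it enumerates driver services set to start at boot, system or automatic start and flags any whose ImagePath does not resolve to a file on disk, which is what the "[?]" on the qdiyu / sqgdlny.sys line marks. It assumes Windows PowerShell 2.0 or later run as an administrator on the affected machine.

```powershell
# Added example (not from the original post): audit kernel/file-system driver
# services in the registry and flag entries whose image file is not on disk.
# Read-only; assumes Windows PowerShell 2.0+ run as an administrator.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim().Trim('"')
    # Drop the NT object-manager prefixes the registry commonly uses.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # A bare path like system32\drivers\foo.sys is relative to %SystemRoot%.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BootDriverAudit {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $services -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }
        # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services.
        if (@(1, 2) -notcontains $props.Type) { return }
        # Start 0 = boot, 1 = system, 2 = automatic (the digit in DDS's S0/R1 tags).
        if (@(0, 1, 2) -notcontains $props.Start) { return }

        $resolved = Resolve-DriverImagePath $props.ImagePath
        $exists   = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }

        New-Object PSObject -Property @{
            Name       = $_.PSChildName
            Start      = $props.Start
            ImagePath  = $props.ImagePath
            Resolved   = $resolved
            FileOnDisk = $exists
            # Junk entries often have no DisplayName at all ("qdiyu;qdiyu" in DDS).
            NoDisplay  = [string]::IsNullOrEmpty($props.DisplayName)
        }
    }
}

# Entries with no file on disk go to the top of the triage list. A rootkit that
# hides its driver file also makes Test-Path return $false, and a file that is
# present is not proof of innocence, so treat this as triage, not a verdict.
Get-BootDriverAudit | Where-Object { -not $_.FileOnDisk } |
    Sort-Object Start, Name |
    Format-Table Name, Start, NoDisplay, ImagePath, Resolved -AutoSize
```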

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:21 PM

Posted 24 September 2010 - 04:56 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
