Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

have a rootkited file (volsnap.sys)


  • This topic is locked This topic is locked
5 replies to this topic

#1 Ldurbin

Ldurbin

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 12 June 2011 - 04:00 PM

Was redirected here, link to former post and help received is below:
My link


Thank you!




.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Durbin at 16:42:07 on 2011-06-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.847 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxpers.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.112.12
TCP: Interfaces\{38345E4D-9E2C-42F5-AC8A-C5DAC44F2AD7} : DhcpNameServer = 192.168.1.1 68.238.112.12
TCP: Interfaces\{E715EB81-CCCE-4E86-9678-5331D8709E8A} : DhcpNameServer = 192.168.1.1 68.238.112.12
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-5-25 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-5-25 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20110519.002\BHDrvx86.sys [2011-5-19 810616]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20110604.001\IDSvix86.sys [2011-6-2 367736]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2010-6-30 20352]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-5-25 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2011-5-25 331384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-5-25 130008]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-25 135664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2010-6-30 937984]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-09 22:42:36 -------- d-----w- c:\users\durbin\appdata\roaming\Tific
2011-06-09 22:24:05 35960 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2011-06-08 20:09:54 725586 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-07 00:59:19 -------- d--h--w- c:\program files\Zero G Registry
2011-06-07 00:59:19 -------- d--h--w- c:\program files\PEM
2011-06-07 00:54:30 -------- d--h--w- c:\program files\Practice Test
2011-06-07 00:52:07 -------- d--h--w- c:\users\durbin\InstallAnywhere
2011-05-26 10:53:16 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 23:33:34 26600 ---ha-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-25 23:32:38 744568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys
2011-05-25 23:32:38 516216 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-05-25 23:32:38 50168 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-05-25 23:32:38 340088 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys
2011-05-25 23:32:38 331384 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-05-25 23:32:38 296568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-05-25 23:32:38 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys
2011-05-25 23:32:24 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
.
==================== Find3M ====================
.
2011-05-25 23:33:25 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 16:43:06.53 ===============

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 12 June 2011 - 04:07 PM

Hello there :)

I read your other thread.....let's see if we can get that nasty volsnap replaced! :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Ldurbin .exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Ldurbin

Ldurbin
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 13 June 2011 - 12:42 PM

I disabled Norton. How can I be sure all other anti-virus and anti malware programs are disabled?

Any help you can offer will help.

#4 Ldurbin

Ldurbin
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 13 June 2011 - 12:53 PM

Hey tea,

I will forward $25 via my wifes Pal pal account when she get home. If that is lame, I appologize.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 13 June 2011 - 01:45 PM

Lame? No, it isn't lame and I appreciate it. :)

Can you please post the report? I want to see if anything else might be going on. If you haven't run it due to your previous question, then have a look here and see if any of it applies : http://www.bleepingcomputer.com/forums/topic114351.html


How is it running today? :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:51 PM

Posted 07 August 2011 - 12:59 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users