Page 10 of 13 FirstFirst ... 678910111213 LastLast
Results 91 to 100 of 123

Thread: Virtumonde-New Thread-As Per request

  1. #91
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default

    OK Blade!
    I'll post the GMER scan as soon as it's finished

  2. #92
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Gmer

    Hi Blade,

    Here is the GMER scan results... For such a loooong scan, I was expecting a bigger report. I hope that's because it was looking very closely and there wasn't much left to find!

    GMER 1.0.15.15252 - http://www.gmer.net
    Rootkit scan 2009-11-26 18:44:53
    Windows 5.1.2600 Service Pack 3
    Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat B486FD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\00000210 -> \Driver\atapi \Device\Harddisk0\DR0 83B5A170

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

  3. #93
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    That went fine . Reboot your system using bootcd created earlier.

    When booted with CD, access command prompt. Then write following bolded two commands (each line presents command, have enter pressed after each one):
    copy /y C:\windows\system32\drivers\atapi.sys C:\atapi.sys.vir
    exit


    Reboot back to normal mode.

    After that upload following file to http://www.virustotal.com and post back the results:
    C:\atapi.sys.vir
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #94
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default suspect atapi.sys Scan

    Quote Originally Posted by Blade81 View Post
    Hi,

    That went fine . Reboot your system using bootcd created earlier.

    When booted with CD, access command prompt. Then write following bolded two commands (each line presents command, have enter pressed after each one):
    copy /y C:\windows\system32\drivers\atapi.sys C:\atapi.sys.vir
    exit


    Reboot back to normal mode.

    After that upload following file to http://www.virustotal.com and post back the results:
    C:\atapi.sys.vir
    Good morning Blades,
    Accomplished the above... Here are the results...

    File atapi.sys.vir received on 2009.11.27 06:20:22 (UTC)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 12/41 (29.27%)
    Loading server information...
    Your file is queued in position: ___.
    Estimated start time is between ___ and ___ .
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:


    Antivirus Version Last Update Result
    a-squared 4.5.0.43 2009.11.27 Rootkit.Win32.TDSS!IK
    AhnLab-V3 5.0.0.2 2009.11.27 -
    AntiVir 7.9.1.79 2009.11.26 -
    Antiy-AVL 2.0.3.7 2009.11.27 -
    Authentium 5.2.0.5 2009.11.26 -
    Avast 4.8.1351.0 2009.11.26 -
    AVG 8.5.0.426 2009.11.26 -
    BitDefender 7.2 2009.11.27 -
    CAT-QuickHeal 10.00 2009.11.27 Rootkit.TDSS.y
    ClamAV 0.94.1 2009.11.27 -
    Comodo 3051 2009.11.27 -
    DrWeb 5.0.0.12182 2009.11.27 BackDoor.Tdss.1133
    eSafe 7.0.17.0 2009.11.26 -
    eTrust-Vet 35.1.7145 2009.11.27 -
    F-Prot 4.5.1.85 2009.11.26 -
    F-Secure 9.0.15370.0 2009.11.24 -
    Fortinet 4.0.14.0 2009.11.27 -
    GData 19 2009.11.27 -
    Ikarus T3.1.1.74.0 2009.11.27 Rootkit.Win32.TDSS
    Jiangmin 11.0.800 2009.11.27 Rootkit.TDSS.cwf
    K7AntiVirus 7.10.905 2009.11.25 -
    Kaspersky 7.0.0.125 2009.11.27 Rootkit.Win32.TDSS.y
    McAfee 5814 2009.11.26 -
    McAfee+Artemis 5814 2009.11.26 -
    McAfee-GW-Edition 6.8.5 2009.11.27 -
    Microsoft 1.5302 2009.11.26 Virus:Win32/Alureon.C
    NOD32 4640 2009.11.26 Win32/Olmarik.PV
    Norman 6.03.02 2009.11.25 W32/TDSS.drv.gen2
    nProtect 2009.1.8.0 2009.11.26 Trojan/W32.Rootkit.96512.D
    Panda 10.0.2.2 2009.11.26 -
    PCTools 7.0.3.5 2009.11.27 -
    Prevx 3.0 2009.11.27 Medium Risk Malware
    Rising 22.23.04.03 2009.11.27 -
    Sophos 4.48.0 2009.11.27 -
    Sunbelt 3.2.1858.2 2009.11.26 -
    Symantec 1.4.4.12 2009.11.27 -
    TheHacker 6.5.0.2.079 2009.11.26 -
    TrendMicro 9.100.0.1001 2009.11.27 -
    VBA32 3.12.12.0 2009.11.27 Rootkit.Win32.TDSL
    ViRobot 2009.11.27.2057 2009.11.27 -
    VirusBuster 5.0.21.0 2009.11.26 -
    Additional information
    File size: 96512 bytes
    MD5...: 23a5d11a9d87374466748f4eb1b6be82
    SHA1..: 17ab6e11b8307e888a11808de45a8e893aab0673
    SHA256: bb4b081f5f0b328ce14dd6c308e68c16db0eb9c74d59eb74d8af1319bb6aad82
    ssdeep: 1536:twXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1Kb
    DD0u9:tQ+N74vkEZIxMohjsimBoDTRMBwFktZ+

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x167a4
    timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
    machinetype.......: 0x14c (I386)

    ( 9 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
    NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
    .rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
    .data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
    PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
    PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
    INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
    .rsrc 0x16780 0x3e0 0x400 6.10 252605c67663982c400fac25a6e36150
    .reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

    ( 3 imports )
    > ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
    > HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
    > WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=7EFDCA54002458B979D801FAFEE1BA00EFE7066A' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=7EFDCA54002458B979D801FAFEE1BA00EFE7066A</a>
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

  5. #95
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Good Time to introduce next tool.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      atapi.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #96
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default SystemLook atapi.sys

    Here is the SystemLook Report...

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 00:41 on 27/11/2009 by Tom McNeal (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "atapi.sys"
    C:\I386\atapi.sys --a--- 87040 bytes [15:16 24/03/2003] [23:31 16/10/2002] 3DF589B9A15FF9EF4AA499F98C1C16D5
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:49 25/12/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
    C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:42 25/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

    -=End Of File=-

  7. #97
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Time to reboot from bootcd again and use command prompt for these commands:
    copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\windows\system32\drivers\atapi.sys
    exit


    Then reboot back into normal mode and run GMER. Post back the results.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  8. #98
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default

    Quote Originally Posted by Blade81 View Post
    Hi,

    Time to reboot from bootcd again and use command prompt for these commands:
    copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\windows\system32\drivers\atapi.sys
    exit


    Then reboot back into normal mode and run GMER. Post back the results.
    Hi Blades,

    Accomplished the above.... Here is the results of the fresh GMER Scan...

    ======================================================

    GMER 1.0.15.15252 - http://www.gmer.net
    Rootkit scan 2009-11-27 03:49:49
    Windows 5.1.2600 Service Pack 3
    Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

  9. #99
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Good. Now there're two things to do: run ComboFix again and post back its log along with a fresh dds log. Let me know how's the system running.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  10. #100
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default New ComboFix & DDS

    Quote Originally Posted by Blade81 View Post
    Good. Now there're two things to do: run ComboFix again and post back its log along with a fresh dds log. Let me know how's the system running.
    Good morning / Good evening Blades!

    Accomplished the above instructions... Logs are copied below...

    QUESTION: When I started ComboFix, message box popped up saying "A newer Update is Available. Update Now? YES/NO... I clicked YES and then thought, "I wonder if this is a real update or a fraud modification of ComboFix???" (CF appeared to run normally) Do you believe this was a valid CF Update?

    QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?

    The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off.

    Tom
    ==================================
    ComboFix Log
    ==================================
    ComboFix 09-11-26.02 - Tom McNeal 11/27/2009 9:51.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.333 [GMT -6:00]
    Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
    .

    2009-11-27 00:06 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys.vir
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Malwarebytes
    2009-11-26 20:25 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-26 20:25 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 18:07 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Tom McNeal\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2009-11-26 18:05 . 2009-11-26 18:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-26 18:03 . 2009-11-26 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-11-26 18:03 . 2009-11-26 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
    2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
    2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
    2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-26 18:06 . 2005-03-22 02:19 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-26 01:07 . 2005-09-12 16:32 -------- d-----w- c:\program files\Google
    2009-11-26 00:59 . 2003-03-19 05:59 -------- d-----w- c:\program files\Corel
    2009-11-26 00:51 . 2006-06-26 20:20 -------- d-----w- c:\program files\Panasonic
    2009-11-26 00:51 . 2006-06-26 20:29 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Panasonic
    2009-11-26 00:49 . 2003-03-24 15:59 -------- d-----w- c:\program files\Hewlett-Packard
    2009-11-26 00:45 . 2003-03-19 05:57 -------- d-----w- c:\program files\Britannica
    2009-11-26 00:45 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-26 00:21 . 2009-01-13 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
    2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-11-25_18.32.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-28 18:02 . 2009-08-30 18:27 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
    + 2009-11-26 18:12 . 2009-11-26 18:12 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
    + 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2002-09-03 19:45 . 2009-11-27 06:10 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    + 2009-11-26 18:07 . 2009-11-26 18:07 21504 c:\windows\Installer\7f5af5.msi
    + 2009-11-26 18:05 . 2009-11-26 18:05 27648 c:\windows\Installer\7f5aeb.msi
    + 2009-11-26 18:07 . 2009-11-26 18:07 3940352 c:\windows\Installer\7f5af0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - fwdoapog
    .
    Contents of the 'Scheduled Tasks' folder

    2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
    - c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

    2009-11-27 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

    2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-27 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-27 10:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2176)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2009-11-27 10:05
    ComboFix-quarantined-files.txt 2009-11-27 16:05
    ComboFix2.txt 2009-11-26 00:10
    ComboFix3.txt 2009-11-25 18:47

    Pre-Run: 20,230,172,672 bytes free
    Post-Run: 20,207,677,440 bytes free

    - - End Of File - - 78F338B5766500ED5A375984C93014CD

    =================================
    DDS Log
    =================================

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Tom McNeal at 10:13:22.95 on Fri 11/27/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.311 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

    =============== Created Last 30 ================

    2009-11-27 00:06:27 96512 ----a-w- C:\atapi.sys.vir
    2009-11-26 20:25:20 0 d-----w- c:\docume~1\tommcn~1\applic~1\Malwarebytes
    2009-11-26 20:25:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 20:25:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 20:25:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 20:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-26 00:21:08 0 d-----w- c:\windows\system32\appmgmt
    2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
    2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
    2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
    2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
    2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
    2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
    2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
    2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

    ============= FINISH: 10:13:47.87 ===============

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •