Troublesome Malware (viaide.sys.vir_)
Hi,
I'm having trouble with some malware that I can't get rid of with the tools at my disposal. Neither my Norton Corporate Edition Anti-Virus nor Malwarebytes alone finds any problems, but running Malwarebytes flushes them out for Norton to then detect. Similarly, ComboFix showed no problems earlier today.
Here are the offending files that Norton notes (3X10 instances of each):
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\viaide.sys.vir_
C:\System Volume Information_restore{92EC12A7-0098-4D77-899D-FF91068A8284}\RP493\A0039392.sys
I have backed up the registry with ERUNT.
I have run DDS; below are the logs.
I would appreciate any assistance you could provide.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:28:43.87 on Sat 08/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.177 [GMT 2:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\OWNER\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\OWNER\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.intellicast.com/Local/Weather.aspx?location=FRXX0076
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcPro7_0_0
uRun: [LaCie Backup] c:\program files\lacie\backup software\\LaCieBackup.exe /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: citrix.com
Trusted Zone: citrix.com\www
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-18 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-18 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-5-9 1724512]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100813.009\naveng.sys [2010-8-14 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100813.009\navex15.sys [2010-8-14 1362608]
S1 rkerypfv;rkerypfv;\??\c:\windows\system32\drivers\rkerypfv.sys --> c:\windows\system32\drivers\rkerypfv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-18 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-5-9 127584]
=============== Created Last 30 ================
2010-08-11 22:28:53 186 ----a-w- c:\windows\system32\MRT.INI
2010-08-11 22:28:53 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-10 20:11:16 0 d-----w- c:\windows\system32\Adobe
2010-08-03 12:48:49 0 d-----w- C:\Climate5
2010-08-03 12:38:13 122880 ----a-w- c:\windows\UnGins.exe
2010-08-03 12:37:54 0 d-----w- c:\program files\Climate5
2010-07-26 18:18:12 0 d-----w- c:\docume~1\OWNER\applic~1\LimeWire
2010-07-26 18:16:55 0 d-----w- c:\program files\360Share Pro
2010-07-24 23:10:06 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-07-24 23:10:06 5376 ----a-w- c:\windows\system32\dllcache\viaide.sys
2010-07-24 23:07:17 0 d-sha-r- C:\cmdcons
2010-07-21 12:46:04 0 d-----w- c:\docume~1\OWNER\applic~1\GetRightToGo
2010-07-21 10:03:16 150 ----a-w- C:\zrpt.xml
==================== Find3M ====================
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 15:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
2009-10-15 01:26:54 22 --sha-w- c:\windows\sminst\HPCD.sys
2006-10-29 21:13:25 56 --sh--r- c:\windows\system32\3D76C09D5D.sys
2006-10-29 21:13:25 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-03 13:29:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat
2009-10-29 19:00:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102920091030\index.dat
============= FINISH: 20:29:39.64 ===============
