OK Blade!
I'll post the GMER scan as soon as it's finished
Hi Blade,
Here are the GMER scan results... For such a loooong scan, I was expecting a bigger report. I hope that's because it was looking very closely and there wasn't much left to find!
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-26 18:44:53
Windows 5.1.2600 Service Pack 3
Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \Fat B486FD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\00000210 -> \Driver\atapi \Device\Harddisk0\DR0 83B5A170
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Hi,
That went fine. Reboot your system using the boot CD created earlier.
When booted from the CD, open the command prompt. Then type the following two commands (each line is one command; press Enter after each one):
copy /y C:\windows\system32\drivers\atapi.sys C:\atapi.sys.vir
exit
Reboot back to normal mode.
After that, upload the following file to http://www.virustotal.com and post back the results:
C:\atapi.sys.vir
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
Good morning Blades,
Accomplished the above... Here are the results...
File atapi.sys.vir received on 2009.11.27 06:20:22 (UTC)
Result: 12/41 (29.27%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.27 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2009.11.27 -
AntiVir 7.9.1.79 2009.11.26 -
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.26 -
Avast 4.8.1351.0 2009.11.26 -
AVG 8.5.0.426 2009.11.26 -
BitDefender 7.2 2009.11.27 -
CAT-QuickHeal 10.00 2009.11.27 Rootkit.TDSS.y
ClamAV 0.94.1 2009.11.27 -
Comodo 3051 2009.11.27 -
DrWeb 5.0.0.12182 2009.11.27 BackDoor.Tdss.1133
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7145 2009.11.27 -
F-Prot 4.5.1.85 2009.11.26 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.27 -
GData 19 2009.11.27 -
Ikarus T3.1.1.74.0 2009.11.27 Rootkit.Win32.TDSS
Jiangmin 11.0.800 2009.11.27 Rootkit.TDSS.cwf
K7AntiVirus 7.10.905 2009.11.25 -
Kaspersky 7.0.0.125 2009.11.27 Rootkit.Win32.TDSS.y
McAfee 5814 2009.11.26 -
McAfee+Artemis 5814 2009.11.26 -
McAfee-GW-Edition 6.8.5 2009.11.27 -
Microsoft 1.5302 2009.11.26 Virus:Win32/Alureon.C
NOD32 4640 2009.11.26 Win32/Olmarik.PV
Norman 6.03.02 2009.11.25 W32/TDSS.drv.gen2
nProtect 2009.1.8.0 2009.11.26 Trojan/W32.Rootkit.96512.D
Panda 10.0.2.2 2009.11.26 -
PCTools 7.0.3.5 2009.11.27 -
Prevx 3.0 2009.11.27 Medium Risk Malware
Rising 22.23.04.03 2009.11.27 -
Sophos 4.48.0 2009.11.27 -
Sunbelt 3.2.1858.2 2009.11.26 -
Symantec 1.4.4.12 2009.11.27 -
TheHacker 6.5.0.2.079 2009.11.26 -
TrendMicro 9.100.0.1001 2009.11.27 -
VBA32 3.12.12.0 2009.11.27 Rootkit.Win32.TDSL
ViRobot 2009.11.27.2057 2009.11.27 -
VirusBuster 5.0.21.0 2009.11.26 -
Additional information
File size: 96512 bytes
MD5...: 23a5d11a9d87374466748f4eb1b6be82
SHA1..: 17ab6e11b8307e888a11808de45a8e893aab0673
SHA256: bb4b081f5f0b328ce14dd6c308e68c16db0eb9c74d59eb74d8af1319bb6aad82
ssdeep: 1536:twXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0u9:tQ+N74vkEZIxMohjsimBoDTRMBwFktZ+
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x167a4
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 6.10 252605c67663982c400fac25a6e36150
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45
( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
http://info.prevx.com/aboutprogramtext.asp?PX5=7EFDCA54002458B979D801FAFEE1BA00EFE7066A
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Good time to introduce the next tool.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:filefind atapi.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Here is the SystemLook Report...
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:41 on 27/11/2009 by Tom McNeal (Administrator - Elevation successful)
========== filefind ==========
Searching for "atapi.sys"
C:\I386\atapi.sys --a--- 87040 bytes [15:16 24/03/2003] [23:31 16/10/2002] 3DF589B9A15FF9EF4AA499F98C1C16D5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:49 25/12/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:42 25/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
-=End Of File=-
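The two listings above are worth reading side by side. SystemLook, run from inside the live Windows session, reports the installed driver C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys with the same size (96512 bytes) and the same MD5 (9F3A2F5AA6875C72BF062C712CFA2674) as the pristine copies in ServicePackFiles\i386 and ERDNT\cache. Yet the copy of that same file taken from the boot CD hashed to 23a5d11a9d87374466748f4eb1b6be82 on VirusTotal, also 96512 bytes, and was named as TDSS/Alureon by a dozen engines, and GMER had already flagged the file as a suspicious modification. A hash computed through the running OS is only as honest as the I/O path beneath it: a rootkit that has taken over the disk driver can hand back the original bytes for a file it has patched, which is why the helper insisted on an offline copy. The script below is an added example, not part of this thread or of any of the tools used in it. It parses SystemLook filefind output (the lines are copied from the log above), groups the copies by MD5, and compares the live hash of the installed driver against the other copies and against the offline hash. The function names, the verdict strings and the treatment of every other listed copy as a reference are my own choices.

```python
import re
from collections import defaultdict

# SystemLook ":filefind atapi.sys" output, copied verbatim from the log
# posted above. Columns: path, attributes, size, [modified] [created], MD5.
SYSTEMLOOK_FILEFIND = r"""
C:\I386\atapi.sys --a--- 87040 bytes [15:16 24/03/2003] [23:31 16/10/2002] 3DF589B9A15FF9EF4AA499F98C1C16D5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:49 25/12/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:42 25/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 96512 bytes [07:27 29/08/2002] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""

# The installed driver as the running OS sees it, and the MD5/size that
# VirusTotal reported for the copy taken from the boot CD (both from the thread).
LIVE_DRIVER = r"C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys"
OFFLINE_COPY_MD5 = "23a5d11a9d87374466748f4eb1b6be82"
OFFLINE_COPY_SIZE = 96512

# One filefind line: <path> <6 attribute flags> <size> bytes [mtime] [ctime] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>\S{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per file line; header/footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()  # SystemLook prints upper, VirusTotal lower
            entries.append(e)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths that carry it, in listing order."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def assess_live_driver(entries, live_path, offline_md5, offline_size=None):
    """Compare the in-OS hash of the installed driver against (a) the other
    copies Windows keeps and (b) the hash of a copy taken with the OS offline.
    A live hash that agrees with the reference copies while the offline copy
    disagrees means the running system is not showing the real on-disk bytes."""
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        raise ValueError(f"{live_path} not present in listing")
    offline_md5 = offline_md5.upper()
    others = [e for e in entries if e["path"].lower() != live["path"].lower()]
    same_hash = [e["path"] for e in others if e["md5"] == live["md5"]]
    offline_matches_live = offline_md5 == live["md5"]
    if not offline_matches_live:
        verdict = ("live view masks on-disk content" if same_hash
                   else "inconsistent: live and offline both differ from references")
    else:
        verdict = ("consistent with reference copies" if same_hash
                   else "modified, visible from the live system")
    return {
        "live_md5": live["md5"],
        "live_size": live["size"],
        "reference_copies_with_same_hash": same_hash,
        "offline_md5": offline_md5,
        "offline_matches_live": offline_matches_live,
        # Size is not a useful signal here: the patched file kept its length.
        "size_changed": None if offline_size is None else offline_size != live["size"],
        "verdict": verdict,
    }


def analyse_thread_logs():
    """Run the comparison on the data posted in this thread."""
    entries = parse_filefind(SYSTEMLOOK_FILEFIND)
    return assess_live_driver(entries, LIVE_DRIVER, OFFLINE_COPY_MD5, OFFLINE_COPY_SIZE)


if __name__ == "__main__":
    for key, value in analyse_thread_logs().items():
        print(f"{key}: {value}")
```

Only copies of the same driver version are expected to hash alike, so the older I386 and $NtServicePackUninstall$ copies legitimately differ and the script simply does not count them; the ServicePackFiles copy that does match is the one the helper later used to overwrite the driver from the boot CD. The point of the check is the direction of the mismatch: when the live system agrees with the clean copies but the offline copy does not, trust the offline copy and treat the live system's view of the disk as compromised.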
Hi,
Time to reboot from the boot CD again and use the command prompt for these commands:
copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\windows\system32\drivers\atapi.sys
exit
Then reboot back into normal mode and run GMER. Post back the results.
Hi Blades,
Accomplished the above.... Here are the results of the fresh GMER scan...
======================================================
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 03:49:49
Windows 5.1.2600 Service Pack 3
Running: kfps4pjg.exe; Driver: C:\DOCUME~1\TOMMCN~1\LOCALS~1\Temp\fwdoapog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Good. Now there are two things to do: run ComboFix again and post back its log along with a fresh DDS log. Let me know how the system is running.
Good morning / Good evening Blades!
Accomplished the above instructions... Logs are copied below...
QUESTION: When I started ComboFix, a message box popped up saying "A newer Update is Available. Update Now? YES/NO"... I clicked YES and then thought, "I wonder if this is a real update or a fraudulent modification of ComboFix???" (CF appeared to run normally.) Do you believe this was a valid CF update?
QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?
The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off.
Tom
==================================
ComboFix Log
==================================
ComboFix 09-11-26.02 - Tom McNeal 11/27/2009 9:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.333 [GMT -6:00]
Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.
2009-11-27 00:06 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys.vir
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Malwarebytes
2009-11-26 20:25 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 20:25 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 18:07 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Tom McNeal\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-26 18:05 . 2009-11-26 18:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-26 18:03 . 2009-11-26 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-26 18:03 . 2009-11-26 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 18:06 . 2005-03-22 02:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 01:07 . 2005-09-12 16:32 -------- d-----w- c:\program files\Google
2009-11-26 00:59 . 2003-03-19 05:59 -------- d-----w- c:\program files\Corel
2009-11-26 00:51 . 2006-06-26 20:20 -------- d-----w- c:\program files\Panasonic
2009-11-26 00:51 . 2006-06-26 20:29 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Panasonic
2009-11-26 00:49 . 2003-03-24 15:59 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-26 00:45 . 2003-03-19 05:57 -------- d-----w- c:\program files\Britannica
2009-11-26 00:45 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-26 00:21 . 2009-01-13 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-25_18.32.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-28 18:02 . 2009-08-30 18:27 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2009-11-26 18:12 . 2009-11-26 18:12 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-11-27 06:10 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 19:45 . 2009-11-25 18:30 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-11-26 18:07 . 2009-11-26 18:07 21504 c:\windows\Installer\7f5af5.msi
+ 2009-11-26 18:05 . 2009-11-26 18:05 27648 c:\windows\Installer\7f5aeb.msi
+ 2009-11-26 18:07 . 2009-11-26 18:07 3940352 c:\windows\Installer\7f5af0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - fwdoapog
.
Contents of the 'Scheduled Tasks' folder
2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]
2009-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]
2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]
2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]
2009-11-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 10:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-27 10:05
ComboFix-quarantined-files.txt 2009-11-27 16:05
ComboFix2.txt 2009-11-26 00:10
ComboFix3.txt 2009-11-25 18:47
Pre-Run: 20,230,172,672 bytes free
Post-Run: 20,207,677,440 bytes free
- - End Of File - - 78F338B5766500ED5A375984C93014CD
=================================
DDS Log
=================================
DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 10:13:22.95 on Fri 11/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.311 [GMT -6:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]
=============== Created Last 30 ================
2009-11-27 00:06:27 96512 ----a-w- C:\atapi.sys.vir
2009-11-26 20:25:20 0 d-----w- c:\docume~1\tommcn~1\applic~1\Malwarebytes
2009-11-26 20:25:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:25:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 20:25:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 20:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 00:21:08 0 d-----w- c:\windows\system32\appmgmt
2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software
==================== Find3M ====================
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat
============= FINISH: 10:13:47.87 ===============