raiden1701

Trojan.Agent/Gen-TDSS False Positive??


I ran a SAS scan and it came up with this:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 06/13/2011 at 08:49 PM

Application Version : 4.42.1000

Core Rules Database Version : 7263

Trace Rules Database Version: 5075

Scan type : Quick Scan

Total Scan Time : 00:06:53

Memory items scanned : 398

Memory threats detected : 0

Registry items scanned : 1657

Registry threats detected : 17

File items scanned : 5806

File threats detected : 1

Trojan.Agent/Gen-TDSS

HKLM\System\ControlSet001\Services\atapi

C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS

HKLM\System\ControlSet001\Enum\Root\LEGACY_atapi

HKLM\System\ControlSet002\Services\atapi

HKLM\System\ControlSet002\Enum\Root\LEGACY_atapi

HKLM\System\CurrentControlSet\Services\atapi

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_atapi

Trojan.Agent/Gen-SSHNAS

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Malware.Trace

HKU\.DEFAULT\Software\Microsoft\Handle

HKU\S-1-5-18\Software\Microsoft\Handle

When I removed them, my PC would boot into Windows XP Pro but then freeze on a BSOD (same in Safe Mode). When I did a system restore (one I created before the SAS scan) with ERD Commander 2007, XP booted properly, but upon scanning again with SAS the same trojan results came up. Are these just false positives? Because removing them messes up my PC.


You are running a very old version of SAS. The latest version of SAS is V4.54.1000. I recommend that you upgrade to the latest version of SAS. Then rescan and see if the same detections occur.

I'm pretty confident that these pertaining to atapi are a false positive. Submit them as potential false positives per the instructions at the link below.

https://www.superantispyware.com/supportfaqdisplay.html?faq=28


@ raiden1701:

I don't think these are false positives.

Download aswMBR to your Desktop

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.


Here is the newest SAS log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 06/14/2011 at 00:24 AM

Application Version : 4.54.1000

Core Rules Database Version : 7263

Trace Rules Database Version: 5075

Scan type : Complete Scan

Total Scan Time : 00:25:03

Memory items scanned : 383

Memory threats detected : 0

Registry items scanned : 7346

Registry threats detected : 15

File items scanned : 20511

File threats detected : 4

Trojan.Agent/Gen-TDSS

HKLM\System\ControlSet001\Services\atapi

C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS

HKLM\System\ControlSet001\Enum\Root\LEGACY_atapi

HKLM\System\ControlSet002\Services\atapi

HKLM\System\ControlSet002\Enum\Root\LEGACY_atapi

HKLM\System\CurrentControlSet\Services\atapi

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_atapi

C:\SYSTEM VOLUME INFORMATION\_RESTORE{A61960BB-35B8-40B0-BBE3-BB585486DD17}\RP657\A0090702.SYS

Trojan.Agent/Gen-SSHNAS

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Adware.MyWebSearch/FunWebProducts

C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSIMG32.DLL

C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\RICHED20.DLL

Here is the aswMBR log:

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software

Run date: 2011-06-14 12:14:55

-----------------------------

12:14:55.609 OS Version: Windows 5.1.2600 Service Pack 3

12:14:55.609 Number of processors: 2 586 0xF0B

12:14:55.609 ComputerName: LORNE-5C72D303D UserName: LH

12:14:56.468 Initialize success

12:15:06.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

12:15:06.031 Disk 0 Vendor: WDC_WD3200AAKS-75VYA0 12.01B02 Size: 305245MB BusType: 3

12:15:06.031 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e

12:15:06.031 Disk 1 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3

12:15:06.031 Disk 0 MBR read error 0

12:15:06.031 Disk 0 MBR scan

12:15:06.031 Disk 0 unknown MBR code

12:15:06.031 MBR BIOS signature not found 0

12:15:06.031 Disk 0 scanning sectors +625121280

12:15:06.031 Disk 0 scanning C:\WINDOWS\system32\drivers

12:15:09.890 Service scanning

12:15:10.703 Disk 0 trace - called modules:

12:15:10.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spqz.sys >>UNKNOWN [0x8aeb5938]<<

12:15:10.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ade7ab8]

12:15:10.718 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8ae69f18]

12:15:10.718 5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8adf0940]

12:15:10.718 Scan finished successfully

12:15:31.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LH\Desktop\MBR.dat"

12:15:31.125 The log file has been saved successfully to "C:\Documents and Settings\LH\Desktop\aswMBR.txt"


This definitely isn't a false positive; you are infected with TDSS.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


OK, here is the scan. It didn't seem to find anything though.

2011/06/14 13:35:14.0390 3360 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48

2011/06/14 13:35:15.0031 3360 ================================================================================

2011/06/14 13:35:15.0031 3360 SystemInfo:

2011/06/14 13:35:15.0031 3360

2011/06/14 13:35:15.0031 3360 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/14 13:35:15.0031 3360 Product type: Workstation

2011/06/14 13:35:15.0031 3360 ComputerName: LORNE-5C72D303D

2011/06/14 13:35:15.0031 3360 UserName: LH

2011/06/14 13:35:15.0031 3360 Windows directory: C:\WINDOWS

2011/06/14 13:35:15.0031 3360 System windows directory: C:\WINDOWS

2011/06/14 13:35:15.0031 3360 Processor architecture: Intel x86

2011/06/14 13:35:15.0031 3360 Number of processors: 2

2011/06/14 13:35:15.0031 3360 Page size: 0x1000

2011/06/14 13:35:15.0031 3360 Boot type: Normal boot

2011/06/14 13:35:15.0031 3360 ================================================================================

2011/06/14 13:35:16.0593 3360 Initialize success

2011/06/14 13:35:49.0093 1624 ================================================================================

2011/06/14 13:35:49.0093 1624 Scan started

2011/06/14 13:35:49.0093 1624 Mode: Manual;

2011/06/14 13:35:49.0093 1624 ================================================================================

2011/06/14 13:35:49.0593 1624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/14 13:35:49.0640 1624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/14 13:35:49.0703 1624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/06/14 13:35:49.0750 1624 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/06/14 13:35:49.0828 1624 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/06/14 13:35:49.0859 1624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/14 13:35:49.0875 1624 atapi (cc08a15b7efda14f43d807dfec18eacb) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/14 13:35:49.0921 1624 atksgt (5b80e84af6b02ecab72dae9afee06309) C:\WINDOWS\system32\DRIVERS\atksgt.sys

2011/06/14 13:35:49.0921 1624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/14 13:35:49.0968 1624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/14 13:35:50.0015 1624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/14 13:35:50.0078 1624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/14 13:35:50.0125 1624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/14 13:35:50.0140 1624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/14 13:35:50.0187 1624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/14 13:35:50.0265 1624 DefragFS (d7ac073bafcf98786d3b85100d4288ab) C:\WINDOWS\system32\drivers\DefragFS.sys

2011/06/14 13:35:50.0281 1624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/14 13:35:50.0312 1624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/14 13:35:50.0328 1624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/14 13:35:50.0359 1624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/14 13:35:50.0359 1624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/14 13:35:50.0390 1624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/14 13:35:50.0421 1624 dtsoftbus01 (555e54ac2f601a8821cef58961653991) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys

2011/06/14 13:35:50.0468 1624 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/06/14 13:35:50.0500 1624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/14 13:35:50.0546 1624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/06/14 13:35:50.0546 1624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/14 13:35:50.0562 1624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/06/14 13:35:50.0578 1624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/06/14 13:35:50.0625 1624 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/06/14 13:35:50.0625 1624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/14 13:35:50.0640 1624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/14 13:35:50.0656 1624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/14 13:35:50.0671 1624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/06/14 13:35:50.0687 1624 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/14 13:35:50.0734 1624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/14 13:35:50.0765 1624 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2011/06/14 13:35:50.0796 1624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/14 13:35:50.0937 1624 IntcAzAudAddService (39a817320087ef1c851d7a8f1701b3e0) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/06/14 13:35:50.0984 1624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/14 13:35:51.0000 1624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/06/14 13:35:51.0031 1624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/14 13:35:51.0031 1624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/14 13:35:51.0046 1624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/14 13:35:51.0046 1624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/14 13:35:51.0062 1624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/14 13:35:51.0062 1624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/14 13:35:51.0093 1624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/14 13:35:51.0109 1624 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/06/14 13:35:51.0140 1624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/14 13:35:51.0171 1624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/14 13:35:51.0218 1624 lirsgt (975b6cf65f44e95883f3855bae8cecaf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys

2011/06/14 13:35:51.0250 1624 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2011/06/14 13:35:51.0265 1624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/14 13:35:51.0281 1624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/14 13:35:51.0281 1624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/14 13:35:51.0296 1624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/06/14 13:35:51.0312 1624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/14 13:35:51.0312 1624 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

2011/06/14 13:35:51.0390 1624 MpKsl5a5880a8 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D715B13-39BF-4890-A2E7-2B94965E271C}\MpKsl5a5880a8.sys

2011/06/14 13:35:51.0437 1624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/14 13:35:51.0484 1624 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/14 13:35:51.0500 1624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/14 13:35:51.0531 1624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/14 13:35:51.0546 1624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/14 13:35:51.0546 1624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/14 13:35:51.0562 1624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/14 13:35:51.0578 1624 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/14 13:35:51.0578 1624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/14 13:35:51.0593 1624 NDISAH (7f41e6c6261224e509c6d6ecc23ab8d8) C:\WINDOWS\system32\drivers\NDISAH.sys

2011/06/14 13:35:51.0625 1624 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/14 13:35:51.0671 1624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/14 13:35:51.0671 1624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/14 13:35:51.0718 1624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/14 13:35:51.0734 1624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/14 13:35:51.0750 1624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/14 13:35:51.0765 1624 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/06/14 13:35:51.0781 1624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/14 13:35:51.0796 1624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/14 13:35:51.0859 1624 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

2011/06/14 13:35:51.0921 1624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/14 13:35:52.0078 1624 nv (5950e6cc9fb3fabb61604d395dbc8550) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/06/14 13:35:52.0140 1624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/14 13:35:52.0171 1624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/14 13:35:52.0203 1624 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/06/14 13:35:52.0234 1624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/06/14 13:35:52.0265 1624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/14 13:35:52.0265 1624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/14 13:35:52.0281 1624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/14 13:35:52.0296 1624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/06/14 13:35:52.0328 1624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/06/14 13:35:52.0375 1624 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys

2011/06/14 13:35:52.0437 1624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/14 13:35:52.0453 1624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/14 13:35:52.0453 1624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/14 13:35:52.0468 1624 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/06/14 13:35:52.0531 1624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/14 13:35:52.0546 1624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/14 13:35:52.0562 1624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/14 13:35:52.0578 1624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/14 13:35:52.0593 1624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/14 13:35:52.0625 1624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/14 13:35:52.0656 1624 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/06/14 13:35:52.0703 1624 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/14 13:35:52.0718 1624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/06/14 13:35:52.0812 1624 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2011/06/14 13:35:52.0828 1624 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2011/06/14 13:35:52.0843 1624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/14 13:35:52.0859 1624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/06/14 13:35:52.0890 1624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/06/14 13:35:52.0921 1624 SmartDefragDriver (972dea0d8149d73c5b7a2c97b2e749e3) C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys

2011/06/14 13:35:52.0968 1624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/14 13:35:53.0015 1624 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys

2011/06/14 13:35:53.0015 1624 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505

2011/06/14 13:35:53.0031 1624 sptd - detected LockedFile.Multi.Generic (1)

2011/06/14 13:35:53.0046 1624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/06/14 13:35:53.0078 1624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/14 13:35:53.0078 1624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/14 13:35:53.0093 1624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/14 13:35:53.0156 1624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/14 13:35:53.0203 1624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/14 13:35:53.0234 1624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/14 13:35:53.0250 1624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/14 13:35:53.0250 1624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/14 13:35:53.0296 1624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/14 13:35:53.0343 1624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/06/14 13:35:53.0421 1624 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/14 13:35:53.0484 1624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/14 13:35:53.0531 1624 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/14 13:35:53.0578 1624 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/14 13:35:53.0578 1624 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/14 13:35:53.0640 1624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/14 13:35:53.0656 1624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/06/14 13:35:53.0671 1624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/14 13:35:53.0687 1624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/14 13:35:53.0718 1624 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/06/14 13:35:53.0765 1624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/14 13:35:53.0812 1624 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/14 13:35:53.0828 1624 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/14 13:35:53.0875 1624 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/06/14 13:35:53.0953 1624 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

2011/06/14 13:35:53.0953 1624 ================================================================================

2011/06/14 13:35:53.0953 1624 Scan finished

2011/06/14 13:35:53.0953 1624 ================================================================================

2011/06/14 13:35:53.0968 3324 Detected object count: 1

2011/06/14 13:35:53.0968 3324 Actual detected object count: 1

2011/06/14 13:36:30.0984 3324 LockedFile.Multi.Generic(sptd) - User select action: Skip

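The two things the helpers are checking by eye in the logs above (a module in the boot-disk call chain that does not belong to a stock XP storage stack, and a system driver whose hash no longer matches the signed copy) can be automated. The script below is an added example for this thread; it is not code from aswMBR, TDSSKiller or ComboFix. The stock-driver allowlist is an assumption, the log lines are constructed from the ones posted above, and the reference hash is the MD5 that the ComboFix Sigcheck section of this thread reports for the dllcache copy of atapi.sys.

```python
"""Triage helpers for the aswMBR and TDSSKiller output posted above.

Added example, not part of the original thread or of either tool. The
stock-driver allowlist and the reference hash are assumptions taken only
from what this thread shows. On a live system a rootkit may also hide the
patched file from ordinary reads, so hashes must come from a tool that
reads the disk directly (as aswMBR and TDSSKiller do).
"""
import re
from typing import Dict, List, Tuple

# Drivers expected in a stock XP SP3 IDE boot-disk call chain (assumption;
# other hardware or filter drivers legitimately add their own modules).
STOCK_DISK_STACK = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "classpnp.sys", "disk.sys", "acpi.sys",
    "hal.dll", "atapi.sys", "pciide.sys", "pciidex.sys", "partmgr.sys",
    "ftdisk.sys",
}

# Constructed from the aswMBR "called modules" line posted in this thread.
ASWMBR_TRACE = (
    "12:15:10.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll "
    "atapi.sys spqz.sys >>UNKNOWN [0x8aeb5938]<<"
)

# Constructed from two driver lines of the TDSSKiller log posted above.
TDSSKILLER_LINES = """\
2011/06/14 13:35:49.0875 1624 atapi (cc08a15b7efda14f43d807dfec18eacb) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
2011/06/14 13:35:50.0281 1624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\\WINDOWS\\system32\\DRIVERS\\disk.sys
"""

# Reference MD5 for the signed XP SP3 atapi.sys (5.1.2600.5512), as reported
# for the dllcache copy in the ComboFix Sigcheck section of this thread.
REFERENCE_MD5 = {"atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674"}

_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
_TDSS = re.compile(r"^\S+ \S+ \d+ (\S+) \(([0-9a-f]{32})\) (.+)$")


def suspicious_modules(trace_line: str) -> Tuple[List[str], List[str]]:
    """Split an aswMBR trace line into (modules not on the allowlist,
    addresses of code that aswMBR could not map to any module)."""
    body = trace_line.split(" ", 1)[1] if " " in trace_line else trace_line
    unknown = _UNKNOWN.findall(body)
    body = _UNKNOWN.sub("", body)
    modules = [t for t in body.split() if t.lower().endswith((".sys", ".exe", ".dll"))]
    unlisted = [m for m in modules if m.lower() not in STOCK_DISK_STACK]
    return unlisted, unknown


def parse_tdsskiller(text: str) -> Dict[str, str]:
    """Map driver file name (lower-case) -> MD5 from TDSSKiller driver lines."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        m = _TDSS.match(line.strip())
        if m:
            name = m.group(3).replace("\\", "/").rsplit("/", 1)[-1].lower()
            hashes[name] = m.group(2).lower()
    return hashes


def hash_mismatches(observed: Dict[str, str], reference: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, observed, reference) for every reference driver whose live hash differs."""
    return [
        (name, observed[name], ref)
        for name, ref in reference.items()
        if name in observed and observed[name] != ref
    ]


def triage() -> dict:
    """Run both checks over the constructed log lines."""
    unlisted, unknown = suspicious_modules(ASWMBR_TRACE)
    mismatches = hash_mismatches(parse_tdsskiller(TDSSKILLER_LINES), REFERENCE_MD5)
    return {"unlisted": unlisted, "unknown_code": unknown, "hash_mismatch": mismatches}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A hash mismatch on its own is not proof of tampering (a hotfix would change it too); what makes it damning in this thread is the combination ComboFix later shows: same file size as the signed dllcache copy, no signature, and a hash that none of the backup copies share. Treat the allowlist the same way: a module you do not recognise in the disk stack is a lead to verify, not a verdict.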

Very strange...

Please download Defogger to your desktop.

Double click DeFogger to run the tool.

  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

-------------------------------------------------------------------------------------------------------------

Please download DDS and save it to your desktop.

  • Disable any script blocking protection.
  • Double click dds.com to run the tool..
  • When done, DDS will open two logs (DDS.txt and Attach.txt).
  • Save both reports to your desktop.

Please include the contents of DDS.txt in your next reply.

-------------------------------------------------------------------------------------------------------------

Please download Rootkit Unhooker and save it to your Desktop

  • Temporarily disable your antivirus (instructions here)
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Here is the ComboFix log:

ComboFix 11-06-15.01 - LH 15/06/2011 11:19:27.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2938 [GMT -7:00]

Running from: c:\documents and settings\LH\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\LH\Application Data\inst.exe

c:\documents and settings\LH\Local Settings\Application Data\wxpfree\CuSTomsearch.dll

C:\readme.txt

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\Temp

c:\windows\system32\Temp\DE99B447R3

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_SSHNAS

.

.

((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))

.

.

2011-06-14 06:21 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll

2011-06-14 06:21 . 2011-06-14 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark

2011-06-14 06:21 . 2011-06-14 06:21 -------- d-----w- c:\program files\BurnInTest

2011-06-14 05:29 . 2011-06-14 05:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-14 03:56 . 2011-06-14 03:56 -------- d-----w- c:\program files\WOT

2011-06-14 03:39 . 2011-06-14 03:39 -------- d-----w- C:\~ErdUserProfile.$$$

2011-06-13 19:13 . 2011-06-13 19:13 -------- d-----w- c:\documents and settings\LH\Application Data\SUPERAntiSpyware.com

2011-06-13 19:13 . 2011-06-13 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-06-13 19:13 . 2011-06-14 05:32 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-13 19:11 . 2011-06-13 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-06-13 19:11 . 2011-06-13 19:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\documents and settings\LH\Application Data\Malwarebytes

2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-13 19:10 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-13 19:10 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-13 19:08 . 2011-06-13 19:08 -------- d-----w- c:\program files\Common Files\Java

2011-06-13 19:06 . 2011-06-13 19:06 -------- d-----w- c:\program files\CCleaner

2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\Raxco

2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\Common Files\Raxco

2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco

2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\VS Revo Group

2011-06-02 22:35 . 2011-06-02 22:35 -------- d-----w- c:\documents and settings\Dagen\Application Data\Search Settings

2011-06-02 15:26 . 2011-02-23 23:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-06-02 15:26 . 2011-02-24 00:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-06-02 15:25 . 2011-06-02 16:43 -------- d-----w- c:\documents and settings\LH\Application Data\Search Settings

2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\Application Updater

2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\IObit Toolbar

2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\Common Files\Spigot

2011-06-02 02:30 . 2005-01-20 03:48 8192 ----a-w- c:\program files\Mozilla Firefox\plugins\npiPLATO_22.dll

2011-06-02 02:30 . 2005-01-20 03:48 8192 ----a-w- c:\program files\Internet Explorer\Plugins\npiPLATO_22.dll

2011-06-02 02:30 . 2002-04-18 15:39 8192 ----a-w- c:\program files\Mozilla Firefox\plugins\npipcd3.dll

2011-06-02 02:30 . 2002-04-18 15:39 8192 ----a-w- c:\program files\Internet Explorer\Plugins\npipcd3.dll

2011-06-02 02:30 . 2011-06-02 02:30 -------- d-----w- c:\windows\PWLN

2011-06-02 02:30 . 1999-09-22 22:56 32768 ----a-w- c:\windows\system32\PHONETIC.FON

2011-05-17 23:18 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2011-05-17 23:18 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-05-17 23:18 . 2009-09-05 00:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll

2011-05-17 01:27 . 2011-05-17 22:25 -------- d-----w- C:\LOTRO Standard Res Install Files

2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\program files\Pando Networks

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-25 02:14 . 2009-12-24 00:36 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-04 11:52 . 2010-04-27 21:01 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 09:25 . 2010-04-27 21:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-18 14:37 . 2011-04-18 14:37 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2011-04-10 19:41 . 2011-04-06 17:11 47360 ----a-w- c:\documents and settings\LH\Application Data\pcouffin.sys

2011-04-09 20:29 . 2011-04-09 20:29 12672524 ----a-w- C:\SD_Setup_20110315.exe

2011-04-06 23:04 . 2011-04-06 17:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2011-03-18 01:21 . 2011-03-18 01:21 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2010-12-12 05:12 . 2010-12-11 21:56 2279803967 ----a-w- c:\program files\MSSetupv93.exe

2011-04-14 16:41 . 2011-05-01 00:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-03-09 01:45 . CC08A15B7EFDA14F43D807DFEC18EACB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2010-03-05 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-30 210216]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]

2009-06-04 04:59 103720 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2007-09-17 16:07 8491008 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]

2011-05-17 01:26 3071384 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-05-29 00:32 16132608 ----a-w- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchEngineProtection]

2011-03-03 14:33 591248 ----a-w- c:\program files\GamesBar\SearchEngineProtection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]

2011-05-07 01:15 532320 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-12-28 20:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Dagen\\Local Settings\\Apps\\2.0\\AT0X8X4D.YO1\\RC3TWXLM.6RW\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=

"c:\\Program Files\\StarCraft II Demo\\StarCraft II.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"c:\\Program Files\\StarCraft II Demo\\Versions\\Base15405\\SC2.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58714:TCP"= 58714:TCP:Pando Media Booster

"58714:UDP"= 58714:UDP:Pando Media Booster

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"56283:TCP"= 56283:TCP:Pando Media Booster

"56283:UDP"= 56283:UDP:Pando Media Booster

"57500:TCP"= 57500:TCP:Pando Media Booster

"57500:UDP"= 57500:UDP:Pando Media Booster

"58865:TCP"= 58865:TCP:Pando Media Booster

"58865:UDP"= 58865:UDP:Pando Media Booster

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"56825:TCP"= 56825:TCP:Pando Media Booster

"56825:UDP"= 56825:UDP:Pando Media Booster

"59079:TCP"= 59079:TCP:Pando Media Booster

"59079:UDP"= 59079:UDP:Pando Media Booster

"57350:TCP"= 57350:TCP:Pando Media Booster

"57350:UDP"= 57350:UDP:Pando Media Booster

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [02/06/2011 8:26 AM 13496]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [17/03/2011 6:21 PM 218688]

R1 NDISAH;NDISAH;c:\windows\system32\drivers\ndisah.sys [20/02/2011 2:40 PM 24448]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 11:41 AM 67656]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [20/04/2011 8:11 AM 353168]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [06/05/2011 5:33 PM 393112]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [02/06/2011 8:25 AM 821080]

S1 MpKsl82860010;MpKsl82860010;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{058D3542-7C4C-4DB7-89BC-B419AD00A5FE}\MpKsl82860010.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{058D3542-7C4C-4DB7-89BC-B419AD00A5FE}\MpKsl82860010.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 5:34 PM 135664]

S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe --> c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 5:34 PM 135664]

S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [?]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [13/06/2011 12:10 PM 39984]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 5:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/05/2010 3:48 PM 691696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-15 c:\windows\Tasks\ASC4_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-04-20 21:46]

.

2011-06-15 c:\windows\Tasks\Game_Booster_Startup.job

- c:\program files\IObit\Game Booster\gbtray.exe [2011-06-02 23:20]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 00:34]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 00:34]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1078145449-682003330-1005Core.job

- c:\documents and settings\Dagen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 02:02]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1078145449-682003330-1005UA.job

- c:\documents and settings\Dagen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 02:02]

.

2011-06-15 c:\windows\Tasks\SmartDefrag_Startup.job

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-02 00:31]

.

2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{045420DF-F4CA-49F0-BEA4-419B986CAA19}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.1.254 192.168.1.254

FF - ProfilePath - c:\documents and settings\LH\Application Data\Mozilla\Firefox\Profiles\g5fjla11.default\

FF - prefs.js: browser.search.selectedEngine - bing

FF - prefs.js: browser.startup.homepage - hxxp://start.msn.iplay.com/?o=shp

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: browser.xul.error_pages.enabled - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 8191

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 32

FF - user.js: network.http.max-connections-per-server - 8

FF - user.js: network.http.max-persistent-connections-per-proxy - 8

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{7757CBCC-0975-4b79-A519-90B142CA3A23} - (no file)

BHO-{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-15 11:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1085031214-1078145449-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:4e,4f,68,26,14,c2,32,d2,fa,03,6e,ac,33,2c,ef,55,d0,60,d0,23,5b,

8c,ec,b8,05,02,d7,48,d5,b6,a3,b0,1a,fa,5c,34,30,75,42,ef,7f,27,fe,e3,d2,18,\

"rkeysecu"=hex:c0,1c,20,f6,42,a6,8d,d3,81,a0,ba,39,c1,ce,ab,36

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(828)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(2200)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2011-06-15 11:41:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-15 18:41

.

Pre-Run: 148,591,001,600 bytes free

Post-Run: 148,898,729,984 bytes free

.

- - End Of File - - D7CC5262003B996B9DB3C086A4EB88ED


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-03-09 01:45 . CC08A15B7EFDA14F43D807DFEC18EACB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2010-03-05 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

Interesting that ComboFix shows the above...

Step #1

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step #2

We need to run aswMBR again but now I'll need the MBR.dat

Download aswMBR to your Desktop

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

On your Desktop there should also be an MBR.dat; zip that file (right click on MBR.dat > Send to... > Compressed (zipped) Folder) and attach it here.

Step #3

Please download MBR.exe to your Desktop

  • Double click to run it
  • Copy mbr.log which should be on your Desktop


aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software

Run date: 2011-06-15 13:05:12

-----------------------------

13:05:12.062 OS Version: Windows 5.1.2600 Service Pack 3

13:05:12.062 Number of processors: 2 586 0xF0B

13:05:12.062 ComputerName: LORNE-5C72D303D UserName: LH

13:05:18.875 Initialize success

13:05:20.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

13:05:20.406 Disk 0 Vendor: WDC_WD3200AAKS-75VYA0 12.01B02 Size: 305245MB BusType: 3

13:05:20.406 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e

13:05:20.406 Disk 1 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3

13:05:22.453 Disk 0 MBR read successfully

13:05:22.453 Disk 0 MBR scan

13:05:22.453 Disk 0 Windows XP default MBR code

13:05:24.453 Disk 0 scanning sectors +625121280

13:05:24.531 Disk 0 scanning C:\WINDOWS\system32\drivers

13:05:33.718 Service scanning

13:05:41.453 Disk 0 trace - called modules:

13:05:41.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys

13:05:41.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac55ab8]

13:05:41.484 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8ac701c0]

13:05:41.484 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac6b940]

13:05:41.484 Scan finished successfully

13:05:47.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LH\Desktop\MBR.dat"

13:05:47.765 The log file has been saved successfully to "C:\Documents and Settings\LH\Desktop\aswMBR.txt"

MBR.zip


Ok, this is a false positive; SAS has been a little confused by the MD5 of atapi.sys.

Report the FP to SAS using siliconman01's link: https://www.superantispyware.com/supportfaqdisplay.html?faq=28

Double click DeFogger to run the tool.

Click the Re-enable button to disable your CD Emulation drivers

Click Yes to continue

A 'Finished!' message will appear

Click OK

DeFogger will now ask to reboot the machine - click OK

Go to Start > Run, copy/paste the following into the run box: ComboFix /Uninstall, and click OK.

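The thread turns on the four ComboFix "Sigcheck" lines quoted earlier: the live c:\windows\system32\drivers\atapi.sys is marked "[-]" with one MD5, while the dllcache and ReinstallBackups copies all agree on another MD5 at the same size, and the final reply judges that a false positive in SAS. The script below is an added example written for this thread; it is not code from ComboFix, SAS or any other tool mentioned here. It parses Sigcheck lines in the format ComboFix printed, groups copies of the same driver by file name, and reports names whose copies disagree on MD5 so an analyst can check the odd copy against a known-good hash. The sample lines are the ones from the thread; treating any flag other than "-" as a verified copy is an assumption about ComboFix's codes.

```python
"""Parse ComboFix 'Sigcheck' lines and surface copies of the same driver
whose hashes disagree.  Added example for this thread; not part of ComboFix,
SAS or any tool named here.  It only surfaces the discrepancy; deciding
whether it is a false positive is still the analyst's job."""

import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the four Sigcheck lines quoted in the thread.
SIGCHECK_SAMPLE = r"""
[-] 2010-03-09 01:45 . CC08A15B7EFDA14F43D807DFEC18EACB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2010-03-05 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
"""

# One Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["name"] = PureWindowsPath(d["path"]).name.lower()
        # '-' is ComboFix's marker for a copy that did not verify; any other
        # code is treated here as a verified copy (assumption about the codes).
        d["verified"] = d["flag"] != "-"
        entries.append(d)
    return entries


def find_hash_mismatches(entries):
    """Group copies by file name and report names whose copies disagree on MD5.

    For each such name: the hash the verified copies agree on (or None if they
    do not), the copies that differ from it, and whether all copies still have
    the same size.  A same-size, different-hash copy is the pattern that merits
    a closer look; it is not by itself proof of infection."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = {}
    for name, copies in by_name.items():
        if len({c["md5"] for c in copies}) < 2:
            continue  # all copies agree; nothing to report
        verified_hashes = {c["md5"] for c in copies if c["verified"]}
        reference = verified_hashes.pop() if len(verified_hashes) == 1 else None
        odd = [c for c in copies if c["md5"] != reference]
        findings[name] = {
            "reference_md5": reference,
            "odd_copies": [(c["path"], c["md5"], c["verified"]) for c in odd],
            "same_size": len({c["size"] for c in copies}) == 1,
        }
    return findings


def md5_of_file(path, chunk=1 << 20):
    """Recompute a file's MD5 on the live system to confirm what the log claims."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for name, f in find_hash_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: verified copies hash {f['reference_md5']}, same size: {f['same_size']}")
        for path, md5, ok in f["odd_copies"]:
            print(f"  differs: {path} {md5} verified={ok}")
```

Run on the thread's lines it reports atapi.sys once, with the three verified copies agreeing on 9F3A2F5AA6875C72BF062C712CFA2674 and the unverified drivers\atapi.sys copy as the odd one out at identical size. Whether that odd copy is a legitimately updated driver or something else is then a matter of comparing its hash with a trusted reference, which is exactly the step the scanner vendors were being asked to re-check.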
