Malwarebytes

Please help with Rootkit.TDSS

#1 blackdogg (New Member, 8 posts)
Here are the logs. Any help would be greatly appreciated.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:16 PM, on 10/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\SysInspector.exe
C:\Documents and Settings\Owner\Desktop\02HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [FairPointServicepoint.exe] "C:\Program Files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5917 bytes


Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 2

10/2/2009 9:55:07 PM
mbam-log-2009-10-02 (21-55-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193469
Time elapsed: 1 hour(s), 51 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll (Rootkit.TDSS) -> No action taken.


ComboFix 09-10-01.05 - Owner 10/02/2009 22:16.8.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.257 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-02 16:04 . 2009-10-02 16:04 574 ----a-w- C:\cleanup.bat
2009-10-02 16:04 . 2009-10-02 16:04 135168 ----a-w- C:\zip.exe
2009-10-02 04:15 . 2009-10-02 04:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-26 01:56 . 2009-09-26 01:55 23552 ----a-w- c:\windows\system32\drivers\phooks.sys
2009-09-25 16:12 . 2009-09-26 03:10 -------- d-----w- c:\program files\Tizer Secure
2009-09-24 23:26 . 2009-09-26 03:09 -------- d-----w- c:\program files\Sophos
2009-09-24 21:52 . 2009-09-24 21:52 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-24 20:22 . 2009-09-24 20:22 2 --shatr- c:\windows\winstart.bat
2009-09-24 20:20 . 2009-09-25 02:44 -------- d-----w- c:\program files\UnHackMe
2009-09-24 02:25 . 2009-09-24 02:25 -------- d-----w- c:\program files\CCleaner
2009-09-24 01:10 . 2009-09-24 01:10 -------- d-----w- C:\tdsskiller
2009-09-22 03:48 . 2009-09-22 03:48 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-22 03:41 . 2009-09-22 03:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-22 03:36 . 2002-04-27 22:08 60776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-17 13:57 . 2009-09-17 13:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-09 06:17 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 01:46 . 2009-04-02 22:44 -------- d-----w- c:\program files\Common Files\Motive
2009-09-24 14:45 . 2007-09-01 20:42 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-09-23 02:40 . 2009-06-05 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 16:37 . 2009-08-31 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-10 18:54 . 2009-06-05 14:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-05 14:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 16:35 . 2004-07-09 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-08-31 16:35 . 2005-12-05 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-08-31 16:34 . 2003-02-24 18:34 -------- d-----w- c:\program files\Yahoo!
2009-08-18 21:25 . 2007-09-14 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 05:44 . 2009-08-18 05:44 -------- d-----w- c:\documents and settings\Owner\Application Data\TMInc
2009-08-18 05:16 . 2009-08-18 05:16 144 ----a-w- C:\domains.dat
2009-08-18 05:14 . 2009-08-18 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2009-08-05 09:11 . 2005-07-22 04:50 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2005-07-22 04:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-05-10 14:15 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2004-08-04 04:56 . 2001-08-18 05:36 1028096 --sh--w- c:\windows\SYSTEM32\mfc42.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_05.42.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-09-05 03:16 . 2009-10-02 22:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2001-09-05 03:16 . 2009-09-26 03:08 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-09-05 03:16 . 2009-10-02 22:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2001-09-05 03:16 . 2009-09-26 03:08 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-09-17 13:57 . 2009-09-26 03:08 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2009-09-17 13:57 . 2009-10-02 22:06 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2001-09-05 03:16 . 2009-10-02 22:06 16384 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2001-09-05 03:16 . 2009-09-26 03:08 16384 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FairPointServicepoint.exe"="c:\program files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe" [2008-10-21 2286832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 esihdrv;esihdrv;\??\c:\docume~1\Owner\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\esihdrv.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S4 phooks;phooks;c:\windows\SYSTEM32\drivers\phooks.sys [9/25/2009 9:56 PM 23552]
S4 rkhdrv40;Rootkit Unhooker Driver; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ESIHDRV
*Deregistered* - kwedakog

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{3CF784A6-C491-4BDB-9E9F-CCFC51EBF640}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{BE829261-2C5D-4CA0-8B6D-E74DD505A5FC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 22:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\RGIA.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3020190987-2389969595-2291903390-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000256
"Time"=hex:d9,07,08,00,05,00,1c,00,0e,00,1c,00,16,00,f4,01
"LoadTime"=dword:00000001
"LoadTimeCount"=dword:00000252

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(536)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-03 22:51
ComboFix-quarantined-files.txt 2009-10-03 02:51
ComboFix2.txt 2009-10-02 16:25
ComboFix3.txt 2009-10-02 06:37
ComboFix4.txt 2009-10-02 04:01
ComboFix5.txt 2009-10-03 02:08

Pre-Run: 14,367,440,896 bytes free
Post-Run: 14,354,616,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
timeout=2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30

174 --- E O F --- 2009-09-24 19:14


#2 LonnyRJ (True Member, Experts, 353 posts, Male, Puget Sound)
Welcome to the forum, blackdogg.

Who instructed you to run ComboFix?
You should never use the program without an analyst's assistance!


Copy the contents of the code box below (don't include the word "code") into a new Notepad document (not WordPad or another text editor).
Click File > Save As... > call it check.bat > file type "All files" > and save it to your desktop.

REM Writes the state of the "SCSI Miniport" driver group (atapi belongs to it) to report.txt
sc query type= driver group= "SCSI Miniport" >report.txt
REM Appends every copy of atapi.sys under the Windows directory as "path":size:timestamp:attributes
For /F "TOKENS=*" %%g IN ('dir /s /a-d /b %windir%\atapi.sys') Do @echo "%%~g":%%~zg:%%~tg:%%~ag >>report.txt 2>nul
REM Opens the finished report in Notepad
start notepad report.txt & exit

A text file should open; please post it.

Zip up these files, which are in C:\qoobox:
ComboFix-quarantined-files.txt 2009-10-03 02:51
ComboFix2.txt 2009-10-02 16:25
ComboFix3.txt 2009-10-02 06:37
ComboFix4.txt 2009-10-02 04:01
ComboFix5.txt 2009-10-03 02:08
and attach it to your next reply.
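A hash-based version of the atapi.sys comparison above, added here as an example; it is not part of LonnyRJ's instructions or of any Malwarebytes tool. It assumes the two standard XP locations seen in the posted report (ServicePackFiles\i386 as the reference copy, system32\drivers as the live driver) and compares SHA-256 digests rather than sizes, because a same-size patch does not show up in the size column of `dir`.

```python
import hashlib
import os
import sys
from pathlib import Path

# Roles are assigned by path relative to the Windows directory (assumption: the two
# standard XP locations that appear in the report posted in this thread).
ROLE_BY_RELPATH = {
    "servicepackfiles/i386/atapi.sys": "reference",  # Service Pack cache copy
    "system32/drivers/atapi.sys": "live",            # the driver Windows actually loads
}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(windir, name="atapi.sys"):
    """Every file called `name` below windir, case-insensitively (what `dir /s /b` lists)."""
    hits = []
    for root, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() == name.lower():
                hits.append(Path(root) / fn)
    return sorted(hits)


def role_of(windir, path):
    rel = path.relative_to(windir).as_posix().lower()
    return ROLE_BY_RELPATH.get(rel, "other")


def audit_atapi(windir):
    """Hash every copy of atapi.sys under windir and compare the live driver with the
    Service Pack reference. Returns {'copies': [...], 'verdict': str}."""
    windir = Path(windir)
    copies, by_role = [], {}
    for p in find_copies(windir):
        row = {"path": str(p), "role": role_of(windir, p),
               "size": p.stat().st_size, "sha256": sha256_of(p)}
        copies.append(row)
        by_role.setdefault(row["role"], row)
    ref, live = by_role.get("reference"), by_role.get("live")
    if ref is None or live is None:
        verdict = "INCONCLUSIVE: reference or live copy of atapi.sys not found"
    elif ref["sha256"] == live["sha256"]:
        verdict = "OK: live atapi.sys is byte-identical to the Service Pack copy"
    else:
        verdict = "MISMATCH: live atapi.sys differs from the Service Pack copy"
        if ref["size"] == live["size"]:
            # In the report posted later in this thread both copies are 95360 bytes;
            # equal size alone never proves the bytes are the same.
            verdict += " (sizes are equal, so a size comparison alone would miss it)"
    return {"copies": copies, "verdict": verdict}


def main(argv):
    windir = argv[1] if len(argv) > 1 else os.environ.get("WINDIR", r"C:\WINDOWS")
    result = audit_atapi(windir)
    for row in result["copies"]:
        print(f'{row["role"]:9} {row["size"]:>7} {row["sha256"][:16]}...  {row["path"]}')
    print(result["verdict"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it from a clean boot (for example from offline boot media such as the UBCD4Win the poster used), because a rootkit that hooks the disk stack can hand a clean-looking copy of the file to reads made on the infected system.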

#3 blackdogg (New Member, 8 posts)
Hello Lonny, thank you.

My apologies for running ComboFix. From reading through the threads I had seen no harm in running it and assumed the log would be of assistance.
I cannot post the logs, as I had uninstalled ComboFix after posting the logs.


SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys":86912:08/29/2002 01:27 AM:-----c---
"C:\WINDOWS\ServicePackFiles\i386\atapi.sys":95360:08/03/2004 10:59 PM:---------
"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys":96512:04/13/2008 02:40 PM:--a------
"C:\WINDOWS\SYSTEM32\drivers\ATAPI.SYS":95360:02/28/2006 08:00 AM:--a------




#4 blackdogg (New Member, 8 posts)
Also, I should note that while reading some threads I noticed that atapi.sys seems to be a culprit; I had renamed and replaced the existing one with a known clean one.



#5 LonnyRJ (True Member, Experts, 353 posts, Male, Puget Sound)

Quote: "i had renamed and replaced the existing one with a known clean one."
With a copy from what location? And with what tool?

Did you uninstall SP3 at some time?

#6 blackdogg (New Member, 8 posts)
I had used UBCD4Win, which was created using an XP SP2 disc, to access the hard drive; I copied atapi.sys from that. SP3 was never installed on this PC.




#7 blackdogg (New Member, 8 posts)
Latest log.

Malwarebytes' Anti-Malware 1.41
Database version: 2903
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/4/2009 9:40:42 AM
mbam-log-2009-10-04 (09-40-37).txt

Scan type: Quick Scan
Objects scanned: 96990
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 blackdogg (New Member, 8 posts)
Thank you for your time; I believe the issue is addressed.
The info in the threads is invaluable.


Malwarebytes' Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 2

10/4/2009 1:15:54 PM
mbam-log-2009-10-04 (13-15-54).txt

Scan type: Quick Scan
Objects scanned: 97727
Time elapsed: 14 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 LonnyRJ (True Member, Experts, 353 posts, Male, Puget Sound)
Looks fine, blackdogg.

What antivirus and firewall programs do you use?
Why haven't you updated to SP3?

#10 blackdogg (New Member, 8 posts)
This PC is owned by a friend of mine. I wasn't aware it was in such sad shape until he asked me to take a look at it.
I will be installing AVG 8.5 and ZoneAlarm on it before returning it to him.

Once again, thank you for your time and all the effort you put into helping people like me.




#11 LonnyRJ (True Member, Experts, 353 posts, Male, Puget Sound)
Get him a hosts file too, if possible.

Think prevention: put in place a good hosts file
http://www.mvps.org/...p2002/hosts.htm
Repeat that process about once or even twice a month.

To help avoid reinfection, see "So how did I get infected in the first place?" http://www.malwarebytes.org/forums/index.p...65&hl=place?

Note: make sure your programs are up to date - older versions may contain security leaks.
To find out which programs need to be updated, run the Secunia Software Inspector scan.
http://secunia.com/software_inspector/

#12 blackdogg (New Member, 8 posts)
Thanks, Lonny! I think I will be going with the hosts file. That page is some great reading.




