Security Experts,

 

thanks in advance for any help.

 

Have an advanced new rootkit I can't fix thus far.    This is a friends work laptop, so a reformat is not what he wants.  Trend and Kaspersky find the trojan, but it's always reinstalled on reboot.  Also used Hijack This and Malwarebytes, with same result.  Also used combofix.  I just ran a check disk /f /r, without any luck in helping the problem.

 

 

I'm hoping we can have some luck here.  Below is details on the rootkit, along with logs. 

 

C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7308f530
 (this dir is reinstalled on reboot, and path namme always changes)
 
Infected: Trojan-Downloader.Java.OpenConnection.at

globalroot\Device\Ide\IdePort1\pwtpetyn\pwtpetyn\tdlwsp.dll/globalroot\Device\Ide\IdePort1\pwtpetyn\pwtpetyn\tdlwsp.dll
Infected: Packed.Win32.TDSS.z

 

I tried to attach hijack this and combofix logs, but it shows mime for some reason?

 

Combo Log:

 

ComboFix 09-10-01.05 - mike 10/02/2009 14:44.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -4:00]
Running from: c:\documents and settings\mike\Desktop\123.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-527237240-725345543-1801674531-500
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\1025eda6.msi
c:\windows\Installer\103d4067.msi
c:\windows\system32\tmp.reg
c:\windows\Temp\tmp3.tmp

----- BITS: Possible infected sites -----

.
(((((((((((((((((((((((((   Files Created from 2009-09-02 to 2009-10-02  )))))))))))))))))))))))))))))))
.

2009-10-02 19:04 . 2009-10-02 19:04 40586 ----a-w- c:\windows\system32\api_hook_list.dat
2009-10-02 19:03 . 2008-10-30 19:29 38016 ----a-w- c:\windows\system32\HIPIS0e0118e.dll
2009-10-02 01:14 . 2009-10-02 01:14 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-02 01:12 . 2009-10-02 01:17 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-02 01:12 . 2009-10-02 01:17 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-02 01:10 . 2009-10-02 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-02 01:10 . 2009-10-02 01:10 -------- d-----w- c:\program files\Kaspersky Lab
2009-10-02 00:49 . 2009-10-02 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-01 00:45 . 2009-10-01 02:42 -------- d-----w- c:\windows\BDOSCAN8
2009-10-01 00:33 . 2009-10-01 00:15 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-01 00:14 . 2009-10-02 00:53 -------- d-----w- c:\documents and settings\mike\.housecall6.6
2009-09-30 16:48 . 2009-09-30 16:48 -------- d-----w- c:\documents and settings\mike\Application Data\Malwarebytes
2009-09-30 16:48 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 16:47 . 2009-09-30 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 16:47 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 16:47 . 2009-09-30 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 20:30 . 2009-09-29 23:41 -------- d-----w- c:\program files\thinkorswim
2009-09-23 20:30 . 2009-09-23 20:30 -------- d-----w- c:\documents and settings\mike\Local Settings\Application Data\Algebrator
2009-09-23 20:22 . 2009-09-23 20:30 -------- d-----w- c:\program files\Algebrator
2009-09-21 04:30 . 2009-09-21 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-21 02:29 . 2009-09-21 02:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-18 17:29 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-18 17:29 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-18 17:29 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-18 17:29 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-18 14:07 . 2009-09-18 14:07 -------- d-----w- c:\program files\Trend Micro
2009-09-18 07:18 . 2004-03-29 20:23 90112 ----a-w- c:\windows\unvise32.exe
2009-09-18 07:15 . 2009-09-18 12:45 -------- d-----w- c:\program files\The Logo Creator v5
2009-09-18 06:46 . 2009-10-01 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-18 06:44 . 2009-10-01 19:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-18 06:44 . 2009-10-01 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-17 16:05 . 2009-09-17 16:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-17 15:57 . 2009-09-17 15:57 -------- d-----w- c:\windows\system32\Adobe
2009-09-15 15:29 . 2009-09-15 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 15:26 . 2009-10-01 00:22 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-15 13:14 . 2009-09-15 15:28 -------- d-----w- c:\program files\QuickTime
2009-09-15 13:14 . 2009-09-15 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-08 22:48 . 2009-10-01 00:30 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-09-06 03:23 . 2009-09-06 03:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-09-03 19:45 . 2009-09-03 19:53 -------- d-----w- c:\windows\871DF2BE41D24334AC33839AF16FC8FE.TMP
2009-09-03 18:41 . 2009-09-03 20:20 -------- d-----w- C:\MyBackup
2009-09-03 18:39 . 2009-09-15 03:28 -------- d-----w- c:\program files\Premium Booster
2009-09-03 15:06 . 2009-09-08 22:44 -------- d-----w- C:\Downloads
2009-09-03 00:28 . 2009-10-02 18:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:11 . 2008-12-08 16:53 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2009-09-03 00:11 . 2008-06-09 02:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-09-03 00:11 . 2009-09-03 00:11 -------- d-----w- c:\program files\ffdshow
2009-09-03 00:11 . 2009-09-03 00:11 -------- d-----w- c:\program files\Haali
2009-09-03 00:11 . 2009-09-03 00:11 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-03 00:11 . 2009-08-17 13:54 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 18:11 . 2009-08-18 15:51 -------- d-----w- c:\program files\Taskbar Shuffle
2009-10-02 16:13 . 2009-08-17 19:58 -------- d-----w- c:\documents and settings\mike\Application Data\.purple
2009-10-02 00:52 . 2009-01-13 14:49 -------- d-----w- c:\program files\McAfee
2009-10-02 00:52 . 2009-01-13 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-01 00:32 . 2009-08-28 16:23 -------- d-----w- c:\program files\Wondershare
2009-10-01 00:31 . 2009-08-18 00:37 -------- d-----w- c:\program files\Common Files\SourceTec
2009-09-29 20:27 . 2009-01-13 09:30 -------- d-----w- c:\program files\DellTPad
2009-09-18 16:49 . 2009-08-17 19:39 68456 ----a-w- c:\documents and settings\mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 16:48 . 2009-01-13 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-17 16:03 . 2009-01-13 14:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-08 23:02 . 2009-01-13 16:01 330864 ----a-w- c:\windows\system32\nvModes.dat
2009-09-08 03:46 . 2009-08-17 14:50 259392 ----a-w- c:\windows\system32\KevlarSigs.dll
2009-09-04 13:35 . 2009-08-17 14:54 -------- d-----w- c:\program files\Cisco Systems
2009-09-03 00:25 . 2009-08-31 17:12 -------- d-----w- c:\program files\Advanced Registry Doctor
2009-09-03 00:11 . 2009-08-18 00:37 -------- d-----w- c:\program files\SourceTec
2009-08-31 18:43 . 2009-08-31 18:43 -------- d-----w- c:\program files\EmergingSoft
2009-08-28 16:19 . 2009-08-25 17:07 -------- d-----w- c:\documents and settings\mike\Application Data\gtk-2.0
2009-08-24 03:11 . 2009-01-13 14:51 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-20 17:20 . 2009-08-20 17:18 -------- d-----w- c:\documents and settings\mike\Application Data\Juniper Networks
2009-08-20 17:20 . 2009-08-20 17:20 -------- d-----w- c:\program files\Juniper Networks
2009-08-20 17:18 . 2009-08-20 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-08-19 18:58 . 2009-08-19 18:58 -------- d-----w- c:\documents and settings\mike\Application Data\FSL
2009-08-19 18:58 . 2009-08-19 18:58 -------- d-----w- c:\program files\FSL
2009-08-19 14:52 . 2009-08-19 14:52 -------- d-----w- c:\documents and settings\mike\Application Data\Active Whois
2009-08-18 20:39 . 2009-08-18 20:38 -------- d-----w- c:\program files\ShortKeys2
2009-08-18 20:38 . 2009-08-18 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Insight Software Solutions
2009-08-18 20:38 . 2009-08-18 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Insight Software
2009-08-18 20:38 . 2009-08-18 20:38 -------- d-----w- c:\program files\Common Files\Insight Software Solutions
2009-08-18 15:52 . 2009-08-18 15:52 -------- d-----w- c:\program files\VideoLAN
2009-08-18 13:01 . 2009-08-18 13:01 -------- d-----w- c:\program files\WinSCP
2009-08-18 12:29 . 2009-08-18 12:29 -------- d-----w- c:\documents and settings\mike\Application Data\IDMComp
2009-08-18 12:29 . 2009-08-18 12:29 -------- d-----w- c:\program files\IDM Computer Solutions
2009-08-17 23:33 . 2009-08-17 23:33 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-08-17 23:23 . 2009-08-17 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-08-17 23:02 . 2009-08-17 23:02 -------- d-----w- c:\documents and settings\mike\Application Data\Realtime Soft
2009-08-17 23:02 . 2009-08-17 23:02 -------- d-----w- c:\program files\Common Files\Realtime Soft
2009-08-17 23:02 . 2009-08-17 23:02 -------- d-----w- c:\program files\UltraMon
2009-08-17 23:02 . 2009-08-17 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2009-08-17 22:56 . 2009-08-17 22:56 -------- d-----w- c:\program files\Siber Systems
2009-08-17 20:06 . 2009-08-17 20:06 -------- d-----w- c:\program files\Google
2009-08-17 20:02 . 2009-08-17 20:01 -------- d-----w- c:\program files\Xobni
2009-08-17 19:54 . 2009-08-17 19:54 -------- d-----w- c:\program files\Pidgin
2009-08-17 19:54 . 2009-08-17 19:54 -------- d-----w- c:\program files\Common Files\GTK
2009-08-17 19:44 . 2009-08-17 19:44 0 ----a-w- c:\windows\nsreg.dat
2009-08-17 19:32 . 2009-08-17 19:32 -------- d-----w- c:\documents and settings\mike\Application Data\emergingsoft
2009-08-17 19:08 . 2009-08-17 19:07 -------- d-----w- c:\program files\AR System 71
2009-08-17 19:07 . 2009-08-17 19:07 -------- d-----w- c:\program files\Common Files\Business Objects
2009-08-17 19:07 . 2009-08-17 19:07 -------- d-----w- c:\program files\Business Objects
2009-08-17 14:55 . 2009-08-17 14:55 -------- d-----w- c:\program files\Pointsec
2009-08-17 14:55 . 2009-08-17 14:55 2097152 --sh--r- C:\PROT_INS.SYS
2009-08-17 14:55 . 2009-08-17 14:55 6 ----a-w- C:\VOL_CHAR.DAT
2009-08-17 14:55 . 2009-08-17 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Pointsec
2009-08-17 14:54 . 2009-08-17 14:54 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-08-17 14:49 . 2009-08-17 14:49 -------- d-----w- c:\program files\Common Files\McAfee Inc
2009-08-17 14:43 . 2009-08-17 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2009-08-17 20:06 . 2009-08-17 20:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"Web Video Downloader"="c:\program files\SourceTec\Sothink Web Video Downloader Stand-alone\VideoDownloader.exe" [2009-01-07 5472256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-12-01 972096]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2009-01-15 674368]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-17 30192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\mike\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-8-17 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-448539723-1801674531-256429\Scripts\Logon\0\0]
"Script"=CHQ-MapDrives_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-448539723-1801674531-256429\Scripts\Logon\0\1]
"Script"=cabletcc2.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^mike^Start Menu^Programs^Startup^IconRestorer.lnk]
path=c:\documents and settings\mike\Start Menu\Programs\Startup\IconRestorer.lnk
backup=c:\windows\pss\IconRestorer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [1/15/2009 12:33 PM 217024]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [12/1/2008 3:18 PM 1467712]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/17/2009 10:49 AM 67904]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [1/15/2009 12:34 PM 150080]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 8:22 PM 11776]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [8/6/2009 11:57 PM 44776]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [8/17/2009 10:49 AM 42056]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [8/17/2009 10:49 AM 108280]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [8/17/2009 10:49 AM 37400]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [8/17/2009 10:49 AM 34432]
R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [8/17/2009 10:49 AM 34408]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 8:23 PM 3584]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [8/17/2009 10:49 AM 42056]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/17/2009 4:06 PM 30192]
S4 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [1/15/2009 12:34 PM 621120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-448539723-1801674531-256429Core.job
- c:\documents and settings\mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 19:40]

2009-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-448539723-1801674531-256429UA.job
- c:\documents and settings\mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 19:40]

2009-10-02 c:\windows\Tasks\User_Feed_Synchronization-{0507A150-ECC7-483F-8BC4-46C2592A27AC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: twitter.com
FF - ProfilePath - c:\documents and settings\mike\Application Data\Mozilla\Firefox\Profiles\6k2bxhf7.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.zecco.com/trading/signin.aspx?state=1|https://www.tradeking.com/Modules/Login/challengeSubmit.php|http://www.hotstockmarket.com/forums/showthread.php?t=70148&page=467|http://twitter.com/|http://stockcharts.com/school/doku.php?id=chart_school
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\mike\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 15:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-448539723-1801674531-256429\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{355FC896-42AB-A95F-3E54-4C0120789A62}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nalhkjlfghddlljjmemiifmpinbh"=hex:6a,61,70,6c,6b,6c,65,68,65,70,62,61,6a,67,
   63,6e,6c,62,6f,66,00,14
"mafjafajbgpbieledkeehbbhnf"=hex:6a,61,70,6c,6b,6c,65,68,65,70,62,61,6a,67,63,
   6e,6c,62,6f,66,00,97

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1964)
c:\windows\system32\WININET.dll
c:\windows\system32\pssogina.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'lsass.exe'(2024)
c:\windows\system32\WININET.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
tdlwsp.dll      10000000    36864 \\?\globalroot\Device\Ide\IdePort1\ivitnmex\ivitnmex\tdlwsp.dll
c:\program files\SourceTec\Sothink Web Video Downloader Stand-alone\VideoDownloader.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'csrss.exe'(1936)
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-10-02 15:17 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-02 19:16

Pre-Run: 49,418,780,672 bytes free
Post-Run: 49,606,533,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

322

 

Hijack this:

 

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34:58, on 10/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\pstartSr.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Xobni\XobniService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SourceTec\Sothink Web Video Downloader Stand-alone\VideoDownloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.execf
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\32788R22FWJFW\NirCmdC.cfxxe

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [Pointsec Tray] c:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Web Video Downloader] "C:\Program Files\SourceTec\Sothink Web Video Downloader Stand-alone\VideoDownloader.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: ScreenHunter 5.1 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
O4 - Global Startup: UltraMon.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comcast.net
O17 - HKLM\Software\..\Telephony: DomainName = comcast.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comcast.net
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Google Desktop Manager 5.9.906.4286 (GoogleDesktopManager-060409-093314) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - c:\WINDOWS\system32\pstartSr.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 8255 bytes

 

 

 

 

Download and run sysinspector
http://www.eset.com/download/sysinspector.php
once it opens go file (top right) generate > suitable for sending
when its finished go file save log.
It will save a a compressed file (zip), attach that please to your next reply.

---

 

Mike

File Attachment :
SysInspector-DIVWL-5CWNBG1-091002-2333.zip   157KB (application/x-zip-compressed)

 

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Hi,

Sophos found only one file:

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\drivers\atapi.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Should I clean and reboot?

 

 

Please cownload the new tool from a_d_13 to desktop

http://ad13.geekstogo.com/DirQuery.exe

 

Run it.

A black window should show up that asks you to "Enter the link to query".
Copy this in:

 

If you don´t know how to copy in dos Propmpt - rightclick on the top of the window- Edit-copy

 

It will scan and produce a log file, please post it in next reply.

---

Hi Touch,

 

I start the scan:

 

Enter the link to query: \\?\globalroot\Device\Ide\IdePort1\ivitnmex\ivitnmex\tdlwsp.dll

 

Then dirquery crashes asking if I want to report the error.

 

Any suggestions?  I tried a few times, is the dir/path correct?

 

 

 

Type or copy this in the box:

 

And see if can produce a log

---

here is the log

 

File Attachment :
dirquery.zip   0KB (application/x-zip-compressed)

 

Let´s deal with atapi sys now ->

 

Copy the contents of the code (dont include the word code) box below into a new notepad document (not wordpad or another text editor).
Click file> save as...> call it check.bat > file types *all files*> and save it to your desktop.

Run check.bat then post the text that will open please

---

 

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"C:\WINDOWS\system32\drivers\pciidex.sys" 24960 04/13/2008 20:10 
"C:\WINDOWS\system32\drivers\pciide.sys" 3328 08/17/2001 09:51 
"C:\WINDOWS\system32\drivers\atapi.sys" 96512 04/13/2008 20:10 

Code:

 

Then I dropped CFscript.txt onto combofix. It did it's thing and restarted. 

 

Then re-ran the scan for mbam.  Doesn't appear any changes, attached is logs.

 

 

File Attachment :
new logs.zip   7KB (application/x-zip-compressed)

Open SP2/3 cab in i386 folder, find atapi.sys rightclick on it and unzip it to c:\

Code:

---