
The other day, McAfee identified Patched-SYSFile.A in atapi.sys. It says it was cleaned, but the file is automatically regenerated and is re-cleaned every 5 seconds. In the meantime, when I click on any Google search result, I get what looks like a Google default page, but it behaves suspiciously, with the top menu fading in. Also, Firefox keeps opening new tabs with all manner of ads. It also appears that my laptop won't happily come back from standby, which it did reliably before the infection. McAfee suggests replacing atapi.sys under the Recovery Console, but that doesn't appear to be a possibility, as the HDD is encrypted using PointSec, and the volume can't be mounted under the Recovery Console.

Malwarebytes Quick and Full scans get no result.

Here is the result of the DDS scan:

DDS (Ver_09-12-01.01) - NTFSx86

Run by U05084 at 18:51:20.78 on Tue 01/26/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2036.1103 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Prot_srv.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

svchost.exe

C:\WINDOWS\system32\drivers\trcboot.exe

C:\Altiris\AClient\AClient.exe

C:\Program Files\Personal Communications\PCS_AGNT.EXE

C:\altiris\nsclient\Altiris Agent\AeXNSAgent.exe

C:\Program Files\Witness Systems\Screen Capture Module\CaptureService.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Witness Systems\Screen Capture Module\wcapw32.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Common Files\Passlogix\NotificationService\NotificationSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

C:\WINDOWS\system32\drivers\ldlcserv.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Dell\Dell Mobile Broadband\systray.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Altiris\AClient\AClntUsr.EXE

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Passlogix\v-GO SSO\Helper\Emulator\ssomho.exe

C:\Program Files\Passlogix\v-GO SSO\Helper\IE\ssobho.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe

C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\altiris\nsclient\Altiris Agent\AeXAgentUIHost.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\u05084\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig

uWindow Title = Microsoft Internet Explorer provided by HealthNow New York, Inc.

mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\program files\passlogix\v-go sso\ssoshell.exe" /background,

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

uRun: [DBISQL9] "c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" -preload

uRun: [sybaseCentral43] "c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe" -preload

mRun: [systray] c:\program files\dell\dell mobile broadband\systray.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [Check Point Endpoint Tray Application] c:\program files\common files\check point\uiframework\cptray.exe

mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AeXAgentLogon] c:\altiris\nsclient\altiris agent\AeXAgentActivate.exe /logon

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

dRunOnce: [pcsmig] "c:\program files\personal communications\pcsmig.exe" -L

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{be5ad430-9e0c-4243-ab3f-593835869855}\MsblIco.Exe

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: NoWelcomeScreen = 1 (0x1)

uPolicies-system: SetVisualStyle =

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-system: LogonType = 0 (0x0)

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: wsb01

Trusted Zone: wsb06

DPF: PowerBuilder DW Control & JDBC - hxxp://awb05/webview/psdwc100.cab

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www1.gotomeeting.com/default/applets/g2mdlax.cab

DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxp://nsb04.healthnow.org/dwa8W.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

AppInit_DLLs: AMINIT.dll famuhare.dll c:\windows\system32\

SSODL: boribobaw - {f5fe66ef-a487-403d-af69-ee970920db47} - c:\windows\system32\bupuyafo.dll

STS: {b965b32e-4c35-43af-bd7d-13462c13f80c}: jugezatag

STS: jugezatag: {f5fe66ef-a487-403d-af69-ee970920db47} - c:\windows\system32\bupuyafo.dll

LSA: Notification Packages = scecli lihovavo.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 10.46.53.110 itsm.inergex.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\u05084\applic~1\mozilla\firefox\profiles\ypmoys2c.default\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

============= FINISH: 18:52:32.70 ===============

MalwareBytes Log

Malwarebytes' Anti-Malware 1.44

Database version: 3641

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

1/26/2010 3:40:42 PM

mbam-log-2010-01-26 (15-40-42).txt

Scan type: Quick Scan

Objects scanned: 172890

Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks for any help you can offer...trying to avoid having to rebuild if possible.

Attach.zip

ark.zip

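As an added triage example (not part of the original post and not a DDS feature), the script below reads the persistence-related lines of the DDS "Pseudo HJT Report" above and flags every DLL registered in an autostart location that ordinary applications rarely use, ranking a DLL registered in more than one location higher, and lists the hosts-file overrides. The sample input is constructed from the log lines in the post; the location descriptions are the standard meanings of those registry keys on Windows XP.

```python
import re
from collections import defaultdict
# Constructed sample: the persistence-related lines from the DDS report in the post,
# plus the benign Adobe BHO line so the filter has something to skip.
SAMPLE_DDS = r"""BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
AppInit_DLLs: AMINIT.dll famuhare.dll c:\windows\system32\
SSODL: boribobaw - {f5fe66ef-a487-403d-af69-ee970920db47} - c:\windows\system32\bupuyafo.dll
STS: {b965b32e-4c35-43af-bd7d-13462c13f80c}: jugezatag
STS: jugezatag: {f5fe66ef-a487-403d-af69-ee970920db47} - c:\windows\system32\bupuyafo.dll
LSA: Notification Packages = scecli lihovavo.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 10.46.53.110 itsm.inergex.com
"""
# DDS prefixes for autostart locations that ordinary applications rarely touch;
# an unfamiliar DLL in any of them is a candidate for closer analysis.
SENSITIVE = {
    "AppInit_DLLs": "AppInit_DLLs (loaded into every process that uses user32)",
    "SSODL": "ShellServiceObjectDelayLoad (loaded by explorer.exe)",
    "STS": "SharedTaskScheduler (loaded by explorer.exe)",
    "LSA": "LSA Notification Packages (loaded by lsass.exe)",
}
DLL_RE = re.compile(r"[\w-]+\.dll", re.IGNORECASE)

def triage(report):
    """Map each DLL found in a sensitive location to the sorted list of locations."""
    hits = defaultdict(set)
    for line in report.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in SENSITIVE:
            for dll in DLL_RE.findall(value):
                hits[dll.lower()].add(key)
    return {dll: sorted(locs) for dll, locs in hits.items()}

def hosts_overrides(report):
    """Return (ip, hostname) pairs from Hosts: lines; a 127.0.0.1 entry blocks the host."""
    pairs = []
    for line in report.splitlines():
        if line.startswith("Hosts:"):
            _, ip, host = line.split()
            pairs.append((ip, host))
    return pairs

if __name__ == "__main__":
    for dll, locs in sorted(triage(SAMPLE_DDS).items()):
        # The same DLL registered under more than one location is a stronger signal.
        flag = "HIGH" if len(locs) > 1 else "review"
        print(f"{flag:6} {dll:14} {'; '.join(SENSITIVE[k] for k in locs)}")
    for ip, host in hosts_overrides(SAMPLE_DDS):
        print(f"hosts  {host} -> {ip}")
```

A flagged DLL is a candidate for review, not a verdict; in this log bupuyafo.dll is registered under both SSODL and STS with the same CLSID, which is why it ranks above the single-location entries.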

Hello and welcome to Malwarebytes.

I apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please read this thread for instructions on running the tools and posting the logs: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don
