
Things going from bad to worse


Gavin74


For the last couple of months I've been experiencing a whole catalog of issues with my PC.

Firstly things started off fairly tamely, with google search results being redirected.

Then lately things have got a lot worse.

I keep getting "Data Execution Prevention" message boxes, which say, "To help protect your computer, Windows has closed this program. Name: Generic Host Process for Win32 Services".

This started happening about the same time as a Windows shutdown message, which gives me 60 seconds' notice before shutting down because of "DCOM Server Process Launcher Service terminated unexpectedly".

I've started going through your checklist of what to do, running MBAM, which uncovered three trojans, one called Backdoor.Bot... the others I can't remember, but I have them written down at work. Once these were "cleaned up", subsequent runs all come back clean, but the symptoms persist.

I then moved down your list of actions, running Defogger and DDS before attempting to run GMER. GMER keeps giving me the blue screen of death..... again, I have the specific error message written down at work and will post it when I get in.

Since these blue screen system crashes I'm getting a new message titled RunDLL "error loading lkmj.bdo the specific module can not be called".

Now this last bit could be down to a well-intentioned friend claiming I needed to install some Windows patches I was behind on. The installation crashed on Windows Service Pack 3, claiming "C:\WINDOWS\system32\drivers\atapi.sys was in use by another process".

After all this the machine seems totally screwed; Internet Explorer just doesn't open, although connection to the net is possible through Outlook.

I hope someone can shed some light on this; at the moment the only other option I have is to buy a new Windows XP disk, reformat and reinstall.

Thanks in advance.

Gavin

DDS log below:-

DDS (Ver_09-12-01.01) - NTFSx86

Run by Gavin Jones at 11:02:52.67 on 13/02/2010

Internet Explorer: 6.0.2900.2180

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell.co.uk/myway

uSearch Bar = hxxp://www.google.com/ie

uWindow Title = Microsoft Internet Explorer provided by Tiscali

mDefault_Page_URL = hxxp://www.tiscali.co.uk

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/

mStart Page = hxxp://www.dell.co.uk/myway

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

mRun: [sunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"

mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"

mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: gamingclub.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxps://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-02-11 13:18:02 1374 ----a-w- c:\windows\imsins.BAK

2010-02-08 02:59:19 0 ----a-w- c:\documents and settings\gavin jones\defogger_reenable

2010-02-01 10:26:25 1409 ----a-w- c:\windows\QTFont.for

2010-02-01 10:26:24 54156 ---ha-w- c:\windows\QTFont.qfn

==================== Find3M ====================

2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-16 12:57:07 18432 ------w- c:\windows\system32\dllcache\iedw.exe

2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-08 09:13:51 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:33:35 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33:35 1291264 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:37:27 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37:27 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37:27 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37:27 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37:27 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-11-21 16:36:13 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 11:04:39.54 ===============

Zipped attach.txt attached below:-

Attach.zip


Updated with log from MBAM.

Ran this again last night and it came up with the same three issues it found some days ago, even though subsequent scans have been clean.

Issues found :-

Backdoor.Bot

Trojan.Agent

Hijack.Shell

The log file is attached.

When I get in from work I'll attempt GMER again, but not hopefully, as the last three efforts have resulted in a blue screen.

It looks like you're all really busy, but hopefully someone is available to look at this.

Thanks

Malwarebytes' Anti-Malware 1.44

Database version: 3742

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

15/02/2010 17:59:30

mbam-log-2010-02-15 (17-59-30).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 257897

Time elapsed: 1 hour(s), 38 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe lkmj.bdo igtvkg) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\34.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\e.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Just ran GMER for probably the third time, and got a blue screen with the note:-

Stop C0000021a fatal system error.

The Windows subsystem system process terminated unexpectedly with a status of 0xc0000005 (0v001d007b 0x00d2e004). The system has been shut down.

I know everyone is really busy, but some help would be greatly appreciated..... I'm about to lose the plot and hurl the PC out of the window.

Thanks in advance.

Gavin


  • Staff

Hi,

Now this last bit could be down to a well-intentioned friend claiming I needed to install some Windows patches I was behind on. The installation crashed on Windows Service Pack 3, claiming "C:\WINDOWS\system32\drivers\atapi.sys was in use by another process".
Looks like you are dealing with an infected atapi.sys.

Good thing Windows Update failed there, otherwise you wouldn't be able to boot anymore.

Do next please..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi Mieke,

Thanks for getting back to me. I appreciate it, especially as it's obvious you chaps are kept pretty busy.

Here's the log from ComboFix. It looks like some scary things have been going on; on another PC I've googled a few of the folders and files it's deleted.

On a side point, my icon for IE now doesn't respond, so I'm doing this from another PC.

Thanks again for your help.

Gavin

ComboFix 10-02-16.03 - Gavin Jones 17/02/2010 16:50:38.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.234 [GMT 0:00]

Running from: c:\documents and settings\Gavin Jones\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Gavin Jones\My Documents\ZbThumbnail.info

c:\windows\Downloaded Program Files\dlhelper.dll

c:\windows\patch.exe

c:\windows\system32\Data

c:\windows\system32\twain_32.dll

.

((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))

.

2010-02-17 16:17 . 2010-02-17 16:17 -------- d-----w- c:\windows\LastGood

2010-02-13 13:35 . 2010-02-13 13:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-02-13 13:35 . 2010-02-13 13:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-13 13:17 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-13 13:16 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-13 13:16 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-02-13 13:16 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-02-13 13:16 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-13 13:16 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-02-13 13:16 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-13 13:05 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2010-02-13 11:43 . 2010-02-13 11:43 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-16 17:20 . 2006-03-08 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-15 16:55 . 2009-12-13 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-26 15:53 . 2009-06-20 12:41 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-19 16:56 . 2010-01-03 19:51 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-13 10:22 . 2010-01-13 10:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2010-01-07 16:07 . 2009-12-13 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2009-12-13 14:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14 . 2005-08-02 20:58 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-23 15:11 . 2009-12-23 15:11 -------- d--h--r- c:\documents and settings\Sarah Cork\Application Data\yahoo!

2009-12-21 19:14 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-20 18:45 . 2009-12-20 18:45 79488 ----a-w- c:\documents and settings\Gavin Jones\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-16 12:58 . 2004-08-10 12:01 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-10 11:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-04 14:41 . 2005-08-02 20:58 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:33 . 2004-08-10 11:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33 . 2004-08-03 23:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-10 11:51 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2004-08-10 11:51 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2004-08-03 23:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-21 16:36 . 2004-08-10 11:50 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys

[-] 2004-08-03 21:59 . BBD92D042613F246D4B4D801D7303EE8 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"P17Helper"="P17.dll" [2004-06-10 60928]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]

"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 294912]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 495616]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]

2004-02-16 13:04 147456 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 09:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aspnet_state"=3 (0x3)

"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PSA64F;PSA64F;c:\windows\system32\drivers\PSA64F.SYS [05/08/2005 16:21 12357]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/08/2008 18:27 93320]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [03/06/2008 17:28 58288]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [10/08/2008 10:45 8336]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [10/08/2008 10:45 94064]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [24/06/2009 08:28 83344]

S3 psa64s;psa64s;c:\windows\system32\drivers\psa64s.sys [05/08/2005 16:21 52334]

S3 psa64u;Nike psa[64 Player Control Driver;c:\windows\system32\drivers\psa64u.sys [05/08/2005 16:21 36483]

S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [14/10/2005 09:52 41984]

S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [09/06/2007 08:55 61536]

S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [09/06/2007 08:55 9360]

S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [09/06/2007 08:55 97088]

.

Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2007-03-04 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-04 12:22]

2007-03-04 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-04 12:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\PACIFI~1\pacificpoker.exe

Trusted Zone: gamingclub.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe

AddRemove-HijackThis - c:\documents and settings\Gavin Jones\Local Settings\Temporary Internet Files\Content.IE5\CH6VCXEJ\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-17 17:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8255D50C]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf86abfc3

\Driver\ACPI -> ACPI.sys @ 0xf853ecb8

\Driver\atapi -> atapi.sys @ 0xf84f67b4

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(724)

c:\windows\system32\WININET.dll

.

Completion time: 2010-02-17 17:15:14

ComboFix-quarantined-files.txt 2010-02-17 17:15

Pre-Run: 17,091,219,456 bytes free

Post-Run: 17,126,506,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A73DF1D2344A13D385C84004847923F0


  • Staff

Hi,

Your atapi.sys is indeed infected here.

Since this variant changes all the time and uses extra protection mechanisms, the safest way to deal with this is to do it via a boot cd.

You do have the Recovery Console installed since you used ComboFix; however, one single mistake can cause an unbootable situation. That's why I think it's safer to replace the infected atapi.sys with the Hiren boot CD, because, in case something goes wrong, you'll still be able to access your files etc.

Please visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html

Just extract everything into a folder & double click on "BurnToCD.cmd" in order to burn it to CD.

Then boot the computer using the Hiren CD which you just burned. When you get to this screen, select "Start Mini Windows Xp":

HirenBootCD_menu.png

It will then look like this:

hirenboocd_desktop.png

In the Hiren Boot "Mini Windows Xp"

1) Locate this file - C:\Windows\System32\Drivers\atapi.sys

2) Rename it to atapi.sys.bad

3) Then copy the atapi.sys from the c:\windows\system32\dllcache folder to the C:\Windows\System32\Drivers folder

When finished, restart the machine & boot back to your normal OS.

Let me know how that went.

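The two findings this thread turns on can be checked mechanically: the ComboFix Sigcheck section, where the live drivers\atapi.sys has the same size and date as the protected dllcache copy but a different MD5 and no version resource (the signature of an in-place patch), and the Winlogon\Shell value MBAM reported, which should contain nothing but Explorer.exe. The script below is an added example, not ComboFix's or Malwarebytes' code; the log lines are copied from this thread and the verdict labels are my own.

```python
"""Triage the ComboFix Sigcheck section and a Winlogon\\Shell value from a malware-removal log."""
import re

# Constructed sample: the Sigcheck lines from the ComboFix log posted in this thread.
SIGCHECK_LOG = r"""
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 21:59 . BBD92D042613F246D4B4D801D7303EE8 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
"""

# One Sigcheck line: [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].upper()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def triage_sigcheck(text):
    """Compare every copy of a file against its dllcache copy (Windows File Protection's reference).

    Verdicts (my own labels):
      reference      the dllcache copy itself
      match          identical hash to the reference
      other-version  different, well-formed version string: a staged update, not a patched file
      suspect        hash differs but no newer version claims it (version resource missing or
                     unchanged): the file was modified in place, as with the atapi.sys here
      no-reference   nothing in dllcache to compare against
    """
    entries = parse_sigcheck(text)
    reference = {e["name"]: e for e in entries if "\\dllcache\\" in e["path"].lower()}
    verdicts = {}
    for e in entries:
        ref = reference.get(e["name"])
        if ref is None:
            verdicts[e["path"]] = "no-reference"
        elif e is ref:
            verdicts[e["path"]] = "reference"
        elif e["md5"] == ref["md5"]:
            verdicts[e["path"]] = "match"
        elif e["version"] != ref["version"] and re.fullmatch(r"[\d.]+", e["version"]):
            verdicts[e["path"]] = "other-version"
        else:
            verdicts[e["path"]] = "suspect"
    return verdicts


def winlogon_shell_extras(value):
    """Return every token in a Winlogon\\Shell value beyond the default 'Explorer.exe'.

    MBAM's Hijack.Shell entry shows the pattern: the malware appends its loader after
    Explorer.exe so the real shell still starts and the change goes unnoticed.
    """
    tokens = value.split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]
    return tokens  # Explorer.exe replaced outright: everything in the value is foreign


if __name__ == "__main__":
    for path, verdict in triage_sigcheck(SIGCHECK_LOG).items():
        print(f"{verdict:14} {path}")
    # The "Bad:" value from the MBAM log in this thread.
    print("extra Shell tokens:", winlogon_shell_extras("Explorer.exe rundll32.exe lkmj.bdo igtvkg"))
```

The "suspect" verdict is exactly the case the staff reply fixes by renaming the live file and copying the dllcache copy back; a "match" after the replacement confirms the repair.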

Wow, I seem to have managed that without stuffing anything up!

Your directions were great; boot disk created and atapi.sys renamed and replaced.

Not getting any of the scary messages I was getting about "Data Execution Prevention" or "DCOM Server Process Launcher Service terminated unexpectedly", which looks hopeful.

The Internet Explorer icon isn't responding and I'm now getting an "Internet Explorer Script Error":

Line:142

Char 207

Error : 'null' is null or not an object

Code : 0

URL: http://uk.mc870.mail.yahoo.com/mc/welcom?....p;tm=1266525923

It then asks if I want to continue running the script.

If I click yes, another box eventually pops up saying "Stop running this script? A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer might become unresponsive."

No matter what I click, a browser window doesn't open.

**** As I type this a McAfee pop-up message has appeared saying it automatically repaired an infected file: Detected Patch-SYSFile.b (Trojan)

MBAM just finished running and no problems reported.

Thanks


Hi

Thanks for your help with all of this. It's really appreciated.

Everything seems to be running okay now.

Would you suggest I back up my important work, then format and reinstall?

One of the things MBAM detected was Backdoor.Bot, which sounds quite scary.

Thanks again

Gavin


  • Staff

Hi,

Would you suggest I back up my important work, then format and reinstall?
I'm confused here..

We cleaned everything, so there's no need to format and reinstall.

Just make sure this won't happen again, so please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!


Here's the latest ComboFix log.

The "Data Execution Prevention" error happened for the last 2-3 sessions.

Thanks

ComboFix 10-02-19.04 - Gavin Jones 20/02/2010 14:02:27.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.210 [GMT 0:00]

Running from: c:\documents and settings\Gavin Jones\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\GAVINJ~1\LOCALS~1\Temp\install_flash_player.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))

.

2010-02-18 15:34 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-02-17 17:46 . 2010-02-17 17:46 -------- d-sh--w- c:\documents and settings\Gavin Jones\IECompatCache

2010-02-17 17:15 . 2010-02-17 17:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-02-13 13:35 . 2010-02-13 13:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-02-13 13:35 . 2010-02-13 13:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-13 13:17 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-13 13:16 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-13 13:16 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-02-13 13:16 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-02-13 13:16 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-13 13:16 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-02-13 13:16 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-13 13:05 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2010-02-13 11:43 . 2010-02-13 11:43 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-18 18:20 . 2007-06-09 08:32 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-02-18 18:01 . 2006-03-08 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-18 17:21 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys.bad

2010-02-15 16:55 . 2009-12-13 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-26 15:53 . 2009-06-20 12:41 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-19 16:56 . 2010-01-03 19:51 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-13 10:22 . 2010-01-13 10:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2010-01-07 16:07 . 2009-12-13 14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2009-12-13 14:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14 . 2005-08-02 20:58 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-23 15:11 . 2009-12-23 15:11 -------- d--h--r- c:\documents and settings\Sarah Cork\Application Data\yahoo!

2009-12-21 19:14 . 2004-08-10 11:51 916480 ------w- c:\windows\system32\wininet.dll

2009-12-20 18:45 . 2009-12-20 18:45 79488 ----a-w- c:\documents and settings\Gavin Jones\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-16 12:58 . 2004-08-10 12:01 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-10 11:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-04 14:41 . 2005-08-02 20:58 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:33 . 2004-08-10 11:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33 . 2004-08-03 23:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-10 11:51 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2004-08-10 11:51 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2004-08-03 23:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-02-17_17.08.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-19 03:22 . 2010-02-19 03:22 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe

- 2005-08-05 13:05 . 2010-02-17 16:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2005-08-05 13:05 . 2010-02-20 13:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-08-05 13:05 . 2010-02-17 16:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-02-18 04:47 . 2010-02-20 13:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

- 2004-08-10 11:51 . 2009-03-08 04:33 726528 c:\windows\system32\jscript.dll

+ 2004-08-10 11:51 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll

+ 2009-12-20 18:42 . 2010-02-20 13:43 180224 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-12-20 18:42 . 2010-02-17 16:17 180224 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\system32\Macromed\Flash\NPSWF32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Gavin Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-18 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"P17Helper"="P17.dll" [2004-06-10 60928]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]

"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 294912]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]

2004-02-16 13:04 147456 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 09:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aspnet_state"=3 (0x3)

"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PSA64F;PSA64F;c:\windows\system32\drivers\PSA64F.SYS [05/08/2005 16:21 12357]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/08/2008 18:27 93320]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [03/06/2008 17:28 58288]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [10/08/2008 10:45 8336]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [10/08/2008 10:45 94064]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [24/06/2009 08:28 83344]

S3 psa64s;psa64s;c:\windows\system32\drivers\psa64s.sys [05/08/2005 16:21 52334]

S3 psa64u;Nike psa[64 Player Control Driver;c:\windows\system32\drivers\psa64u.sys [05/08/2005 16:21 36483]

S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [14/10/2005 09:52 41984]

S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [09/06/2007 08:55 61536]

S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [09/06/2007 08:55 9360]

S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [09/06/2007 08:55 97088]

.

Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3879150906-4124075145-3384907290-1006Core.job

- c:\documents and settings\Gavin Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-18 16:00]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3879150906-4124075145-3384907290-1006UA.job

- c:\documents and settings\Gavin Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-18 16:00]

2007-03-04 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-04 12:22]

2007-03-04 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-04 12:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\PACIFI~1\pacificpoker.exe

Trusted Zone: gamingclub.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-20 14:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-02-20 14:14:44

ComboFix-quarantined-files.txt 2010-02-20 14:14

ComboFix2.txt 2010-02-17 17:15

Pre-Run: 16,445,231,104 bytes free

Post-Run: 16,595,533,824 bytes free

- - End Of File - - 0F19659ADF6431C630D63A82A4A862CA


  • Staff

Hi,

It's strange that the atapi.sys you replaced previously shows a recent date...

Do next please...

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Hi Mieke,

Thanks for persevering with this.

Log below.

Gavin

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 16:24 on 20/02/2010 by Gavin Jones (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"

C:\i386\atapi.sys --a--- 95360 bytes [16:24 05/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [14:12 20/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [19:24 23/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [21:59 03/08/2004] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [15:34 18/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [21:06 02/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys --a--- 95360 bytes [21:07 02/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


  • Staff

Ok, I posted instructions earlier on how to replace the atapi.sys with Hiren's Boot CD.

Let's try this one more time, but this time copy the one from the C:\i386 folder to the C:\WINDOWS\system32\drivers folder.

Make sure you rename the atapi.sys already present in the drivers folder to atapi2.bad (since you already have an atapi.bad there) before you copy the new one. This also serves as a check afterwards, so I can see if it was really infected or not.

Then, after you copied and replaced it, reboot back into windows...

Then, Use systemlook again and use this command in it:

:filefind

*atapi*

Then post the results in your next reply (this is after you have replaced the atapi.sys again)


Okay, so I replaced the atapi.sys file again this morning, calling the old one atapi.sys.bad2.

Ran MBAM, results clean; ran a full McAfee scan and it detected a trojan called artemis!671ECABDF46.

Here is the log from SystemLook.

Thanks

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 21:12 on 21/02/2010 by Gavin Jones (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"

C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684

C:\dell\ATAPI.EXE --a--- 28672 bytes [20:58 02/08/2005] [07:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39

C:\i386\atapi.sys --a--- 95360 bytes [16:24 05/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\i386\COMPDATA\DECATAPI.HTM --a--- 881 bytes [11:42 10/08/2004] [04:00 04/08/2004] FDA00ABB8831E4903E9442E9B01843ED

C:\i386\COMPDATA\DECATAPI.TXT --a--- 449 bytes [11:42 10/08/2004] [04:00 04/08/2004] F5A5EAC5B4790D90031B913DD5D559A5

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [14:12 20/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [19:24 23/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [21:59 03/08/2004] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [08:18 21/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\drivers\atapi.sys.bad --a--- 95360 bytes [21:59 03/08/2004] [17:21 18/02/2010] 2070B05E0A661280A452D7284FCBFE63

C:\WINDOWS\system32\drivers\atapi.sys.bad2 --a--- 95360 bytes [15:34 18/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [21:06 02/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys --a--- 95360 bytes [21:07 02/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


  • Staff

Hi,

From the above log, the second time you replaced the atapi.sys... it looks like that one wasn't infected anyway. Only the first time you replaced it.

So I'm not sure why you still got these Data Execution Prevention errors then, because it wasn't infected anymore. Maybe just a temporary glitch.

Please navigate to and delete this one you renamed previously:

C:\WINDOWS\system32\drivers\atapi.sys.bad

that was the only bad one.

The atapi.sys.bad2 looks like the genuine one, so you can leave it there (as an extra backup of that file) or delete it, your choice.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

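The verdict above rests on one observation from the SystemLook logs: every pristine copy of atapi.sys (C:\i386, dllcache, ReinstallBackups, ERDNT\cache) carries MD5 CDFE4411A69C224BD1D11B2DA92DAC51, while the renamed atapi.sys.bad is the same 95360 bytes but hashes to 2070B05E0A661280A452D7284FCBFE63, which is what a driver patched in place looks like. The script below is an added example, not code from the thread, SystemLook or Malwarebytes; it automates that comparison over a `:filefind` log. It assumes SystemLook's result-line layout as seen in the thread and treats copies under \dllcache\ and \i386\ as the trusted reference; the sample log is constructed from the thread's own second SystemLook post (the SoftwareDistribution copy, a different 96512-byte build, is included to show the size check telling "different version" apart from "patched in place").

```python
"""Triage SystemLook ':filefind' output by comparing each copy's hash to a trusted copy.

Added example (not from the thread). Assumptions: SystemLook's result-line format as
seen in the thread's logs, and that copies under \\dllcache\\ and \\i386\\ are pristine.
"""
import hashlib
import re
from collections import Counter

# One SystemLook result line: <path> <attrs> <size> bytes [<ts>] [<ts>] <MD5>
# The two bracketed timestamps are kept verbatim and not interpreted here.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: six lines taken from the thread's second SystemLook log.
SAMPLE_LOG = """\
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "*atapi*"
C:\\i386\\atapi.sys --a--- 95360 bytes [16:24 05/08/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\atapi.sys --a--- 96512 bytes [19:24 23/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\\WINDOWS\\system32\\dllcache\\atapi.sys --a--- 95360 bytes [21:59 03/08/2004] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 95360 bytes [08:18 21/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\\WINDOWS\\system32\\drivers\\atapi.sys.bad --a--- 95360 bytes [21:59 03/08/2004] [17:21 18/02/2010] 2070B05E0A661280A452D7284FCBFE63
C:\\WINDOWS\\system32\\drivers\\atapi.sys.bad2 --a--- 95360 bytes [15:34 18/02/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
-=End Of File=-
"""

# Directories Windows itself restores system files from; treated as trusted (assumption).
TRUSTED_DIRS = ("\\dllcache\\", "\\i386\\")


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def reference_hash(entries):
    """MD5 shared by the trusted copies, or the most common MD5 if none are listed."""
    if not entries:
        raise ValueError("no filefind result lines found")
    trusted = [e["md5"] for e in entries
               if any(d.lower() in e["path"].lower() for d in TRUSTED_DIRS)]
    pool = trusted or [e["md5"] for e in entries]
    return Counter(pool).most_common(1)[0][0]


def classify(entries):
    """Label every copy relative to the reference hash.

    Same size but a different hash is the signature of a driver patched in place,
    which is exactly what the thread's atapi.sys.bad shows.
    """
    ref = reference_hash(entries)
    ref_size = next(e["size"] for e in entries if e["md5"] == ref)
    verdicts = []
    for e in entries:
        if e["md5"] == ref:
            verdict = "matches reference"
        elif e["size"] == ref_size:
            verdict = "SUSPECT: same size, different hash (patched in place?)"
        else:
            verdict = "different build (size differs); verify against vendor"
        verdicts.append((e["path"], verdict))
    return verdicts


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on the live system, to re-check a copy the log flagged."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, verdict in classify(parse_filefind(SAMPLE_LOG)):
        print(f"{verdict:58} {path}")
```

Run on the sample, the only SUSPECT line is drivers\atapi.sys.bad, and both the replaced driver and atapi.sys.bad2 match the reference, which is the same conclusion the staff reply draws. MD5 is used only because that is what SystemLook reports; for comparing against a vendor-published hash, prefer SHA-256, since an attacker can construct MD5 collisions.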

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
