virtualized Trojan.zlob + embedded Rootkit [RESOLVED]

Topic Starter (Member, 14 posts):
Sorry for double posting. Just remembered this problem that is related to it. On the other computer, now defunct, there were 2 monitors listed by the graphics card. After posting I decided to look at this one and found this. I don't have two monitors.

Attached: 2008_03_07_ATI_shows2instance.png






Topic Starter (Member, 14 posts):
Here it is.

ComboFix 08-03-06.2 - N00dleIT 2008-03-07 22:11:05.5 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.1246 [GMT -5:00]
Running from: C:\Users\N00dleIT\Desktop\ComboFix.exe
Command switches used :: C:\Users\N00dleIT\Desktop\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))

2008-03-07 21:18 . 2008-03-07 21:18 <DIR> d-------- C:\Users\N00dleIT\AppData\Roaming\FastStone
2008-03-07 21:16 . 2008-03-07 21:16 <DIR> d-------- C:\Program Files\FastStone Capture
2008-03-07 17:51 . 2008-03-07 17:51 191,371,075 --a------ C:\Windows\MEMORY.DMP
2008-03-06 03:02 . 2008-03-06 03:02 <DIR> d-------- C:\_OTMoveIt
2008-03-05 09:57 . 2008-03-05 10:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-04 04:57 . 2008-03-04 04:57 <DIR> d-------- C:\Users\All Users\TEMP
2008-03-04 04:57 . 2008-03-04 04:57 <DIR> d-------- C:\ProgramData\TEMP
2008-03-03 09:31 . 2008-03-03 09:31 <DIR> d-------- C:\Deckard
2008-03-03 08:19 . 2008-03-03 08:19 <DIR> d-------- C:\Users\N00dleIT\AppData\Roaming\Malwarebytes
2008-03-03 08:19 . 2008-03-03 08:19 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-03-03 08:19 . 2008-03-03 08:19 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-03-03 08:19 . 2008-03-03 08:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-02 02:01 . 2008-03-02 02:01 211,893 --a------ C:\Windows\System32\drivers\IsDrv122.sys
2008-03-02 01:20 . 2008-03-07 17:42 <DIR> d-------- C:\Program Files\BHODemon 2
2008-02-29 14:07 . 2008-02-29 14:07 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-02-29 14:07 . 2008-02-29 14:07 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-02-29 14:06 . 2008-02-29 14:06 <DIR> d-------- C:\Users\N00dleIT\AppData\Roaming\SUPERAntiSpyware.com
2008-02-29 14:06 . 2008-02-29 14:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 14:05 . 2008-02-29 14:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 02:38 . 2008-02-29 02:38 <DIR> d-------- C:\Users\N00dleIT\AppData\Roaming\Grisoft
2008-02-29 02:38 . 2008-02-29 02:38 <DIR> d-------- C:\Users\All Users\Grisoft
2008-02-29 02:38 . 2008-02-29 02:38 <DIR> d-------- C:\ProgramData\Grisoft
2008-02-29 02:38 . 2007-05-30 07:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-02-28 20:35 . 2008-02-28 20:35 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-02-28 19:31 . 2008-02-28 19:32 <DIR> d-------- C:\Program Files\Java
2008-02-28 19:31 . 2008-02-28 19:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 03:04 . 2008-02-27 03:05 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-27 01:46 . 2008-02-27 01:46 11,264 --a------ C:\Windows\System32\drivers\uzm2ndi3.sys
2008-02-25 00:53 . 2008-03-03 16:45 26 --a------ C:\23990098.$$$
2008-02-24 23:54 . 2008-03-03 16:38 50 --a------ C:\Windows\Lic.xxx
2008-02-22 03:11 . 2008-03-03 09:28 <DIR> d-------- C:\Program Files\process monitor
2008-02-17 04:51 . 1998-04-24 00:00 1,045,776 --a------ C:\Windows\System32\msjet35.dll
2008-02-17 04:51 . 1998-10-29 15:45 306,688 --a------ C:\Windows\IsUninst.exe
2008-02-17 04:51 . 1998-04-24 00:00 252,176 --a------ C:\Windows\System32\msrd2x35.dll
2008-02-17 04:51 . 1998-04-24 00:00 123,664 --a------ C:\Windows\System32\msjint35.dll
2008-02-17 04:51 . 1998-04-24 00:00 24,848 --a------ C:\Windows\System32\msjter35.dll
2008-02-17 04:51 . 1996-08-28 17:14 13,312 --a------ C:\Windows\System32\SVRAPI.DLL
2008-02-15 22:05 . 2008-01-10 00:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-15 19:54 . 2008-02-15 19:54 <DIR> d-------- C:\Users\N00dleIT\AppData\Roaming\Template
2008-02-15 19:53 . 2008-02-15 20:55 130 --a------ C:\Users\N00dleIT\AppData\Roaming\wklnhst.dat
2008-02-15 18:18 . 2008-02-15 18:18 <DIR> d-------- C:\Program Files\7-Zip
2008-02-15 15:08 . 2008-02-15 15:10 <DIR> d-------- C:\Program Files\Super1
2008-02-14 23:34 . 2008-02-14 23:34 <DIR> d-------- C:\Users\N00dleIT\DoctorWeb
2008-02-14 23:29 . 2008-03-06 03:19 <DIR> d-------- C:\Program Files\Hijackdis
2008-02-14 13:26 . 2008-03-01 07:03 250 --a------ C:\Windows\gmer.ini
2008-02-14 03:08 . 2008-02-14 03:08 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 03:08 . 2008-02-14 03:08 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 03:04 . 2008-02-14 03:04 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-11 13:22 . 2008-02-11 13:22 <DIR> d-------- C:\Program Files\UltimateBet
2008-02-11 13:22 . 2002-03-25 10:30 995,383 --a------ C:\Windows\System32\temp.001
2008-02-11 13:22 . 2002-03-25 10:31 295,000 --a------ C:\Windows\System32\temp.000

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-03-04 21:25 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-02-16 05:10 --------- d-----w C:\Program Files\PokerStars
2008-02-14 08:07 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-14 08:07 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-14 08:07 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-14 08:07 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-14 08:07 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-14 08:07 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-14 08:07 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-14 08:04 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 08:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 08:04 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 08:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 08:04 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 08:04 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 08:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 08:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 08:04 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 08:04 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 08:04 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 08:01 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-06 16:56 --------- d-----w C:\Users\SupraLimit\AppData\Roaming\ATI
2008-02-04 20:46 174 --sha-w C:\Program Files\desktop.ini
2008-02-04 20:43 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-04 20:43 --------- d-----w C:\Program Files\Windows Mail
2008-02-04 20:43 --------- d-----w C:\Program Files\Windows Calendar
2008-02-04 20:35 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-02-04 20:35 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-02-04 20:35 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-02-04 20:35 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-02-04 20:35 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-02-04 20:34 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-02-04 20:34 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-02-04 20:34 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-02-04 20:34 2,923,520 ----a-w C:\Windows\explorer.exe
2008-02-04 20:34 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-02-04 20:31 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-02-04 20:31 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-02-04 20:31 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-02-04 20:27 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-02-04 20:27 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-02-04 20:27 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-02-04 20:27 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-02-04 20:27 19,456 ----a-w C:\Windows\system32\drivers\usbohci.sys
2008-02-04 20:22 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-04 20:22 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-02-04 20:20 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-02-04 20:20 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-02-04 20:20 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-02-04 20:20 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-02-04 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 03:00 --------- d-----w C:\Program Files\TOSHIBA Games
2008-02-04 02:58 --------- d-----w C:\ProgramData\WildTangent
2008-02-04 02:56 --------- d-----w C:\ProgramData\Napster
2008-02-04 02:53 --------- d-----w C:\ProgramData\McAfee
2008-02-04 02:47 --------- d-----w C:\Program Files\Google
2008-02-02 19:15 --------- d-----w C:\Program Files\Toshiba
2008-02-02 19:11 --------- d-----w C:\Program Files\REALTEK RTL8187B Wireless LAN Driver
2008-02-02 19:06 --------- d-----w C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2008-02-02 19:06 --------- d-----w C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2008-02-02 19:04 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-02 19:02 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-02 18:59 --------- d-----w C:\Program Files\Microsoft Works
2008-02-02 16:56 --------- d-----w C:\Users\N00dleIT\AppData\Roaming\ATI

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 05:43 430080]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-22 14:11 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 21:26 4702208 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 12:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 23:01 448080]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 18:32 538744]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 17:31 102400]
"NDSTray.exe"="NDSTray.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 14:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"Hypersight"="C:\Program Files\Hypersight\hypersight.exe" [ ]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"{B7C406E3-3755-45A2-A6E4-80D0F4150E95}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B1C32325-921F-4E1B-A5A1-8B674F06FDBC}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{EBBF8CE5-E5FE-4319-8B7E-D2E21F204D16}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BD9D5B2B-D7CC-4CBA-BAD0-39595670BC86}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 13:23]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-08-01 16:37]
R1 uzm2ndi3;AVZ-RK Kernel Driver;C:\Windows\system32\Drivers\uzm2ndi3.sys [2008-02-27 01:46]
R2 setup_7.0.0.180_23.02.2008_07-11;setup_7.0.0.180_23.02.2008_07-11;"C:\Users\Public\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_23.02.2008_07-11.exe" -r []
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-08-01 16:39]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 23:55]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-28 01:36]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 01:11]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-12-28 11:21]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys [2007-12-26 02:20]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
S1 IsDrv122;IsDrv122;C:\Windows\system32\Drivers\IsDrv122.sys [2008-03-02 02:01]
S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
S3 VICESYS;VICESYS;C:\Users\N00dleIT\Downloads\vice\EXE\VICESYS.sys [2008-02-22 12:31]
S3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 09:51]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-11-09 17:32]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2006-11-09 17:31]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2007-01-03 03:43]


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 22:14:58
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

------------------------ Other Running Processes ------------------------
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
Completion time: 2008-03-07 22:16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 03:16:34
ComboFix2.txt 2008-03-08 01:55:51
ComboFix3.txt 2008-03-07 23:33:41
ComboFix4.txt 2008-03-07 01:19:31
ComboFix5.txt 2008-02-28 08:59:51
2008-03-07 05:26:49 --- E O F ---




Topic Starter (Member, 14 posts):
I figured out why Vista does not save files created by programs like Hijackthis in the Program Files folder:
To make Vista more secure, user programs are no longer allowed to store files or registry data in these areas unless their setup programs explicitly change Windows security settings to permit it. The application doesn't actually store information in the secure locations but thinks it has.
Vista incorporates virtualization to improve security by preventing programs from writing to the directories Windows and Program Files as well as preventing writing to the registry.
Files intended for \Windows or \Program Files, or any of their subfolders, will be placed into \users\username\AppData\Local\VirtualStore\Windows or \Program Files. Registry data intended for HKEY_LOCAL_MACHINE will be shunted to HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine. Also, some registry keys are not virtualized to prevent rogue applications from creating startup program Run entries. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows will not be virtualized and attempts to write data in this key or its subkeys will fail.
For older programs to maintain compatibility, Vista gives them an assist called "file and registry virtualization". Try saving a Notepad file in the \Program Files folder.

That explains some of the virtualization, but doesn't explain the screen blinks, the double instance of the video display and the HD chugging after ComboFix.
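The redirection described in the post above, as an added example that is not part of the original thread: it models Vista's file and registry virtualization as plain path and key arithmetic (so it runs on any OS and can be tested), and only the last function looks at a real VirtualStore, on Windows. The profile root C:\Users\<user>, the executable extensions excluded from file virtualization, and the idea that EXEMPT_KEYS may need more entries than the one key the post names are assumptions, not taken from the post.

```python
"""Where Vista's file and registry virtualization puts a redirected write.

Added example (not from the thread above): it models the redirection the
post describes as plain path and key arithmetic so it runs on any OS, and
only the probe at the end touches a real VirtualStore, on Windows.
Labelled assumptions: the profile root C:\\Users\\<user>; the executable
extensions excluded from file virtualization; and that EXEMPT_KEYS may need
more entries than the one key the post names.
"""
import os
import sys
from pathlib import PureWindowsPath
from typing import Optional, Tuple

# Directories whose writes are shunted into the per-user VirtualStore (from the post).
VIRTUALIZED_ROOTS = ("C:\\Windows", "C:\\Program Files")
# Assumption: executable types are not virtualized; a write of one of these
# below a virtualized root simply fails instead of being redirected.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}
# Registry subtrees that are never virtualized (writes fail). The post names
# the first; extend this tuple if your reference lists more (assumption).
EXEMPT_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows",)

HKLM = "HKEY_LOCAL_MACHINE"
VSTORE_KEY = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine"


def virtualized_file_path(target: str, user: str) -> Tuple[str, Optional[str]]:
    """Classify a write to `target` by a virtualized (non-elevated, unmanifested,
    32-bit) process: ("redirected", store path), ("fails", None) for an
    excluded extension, or ("direct", target) when the path is outside the
    virtualized roots and the write lands where the program asked."""
    p = PureWindowsPath(target)
    for root in VIRTUALIZED_ROOTS:
        r = PureWindowsPath(root)
        try:
            rel = p.relative_to(r)          # case-insensitive on the Windows flavour
        except ValueError:
            continue
        if p.suffix.lower() in EXCLUDED_EXTENSIONS:
            return ("fails", None)
        store = PureWindowsPath("C:\\Users") / user / "AppData" / "Local" / "VirtualStore"
        return ("redirected", str(store / r.name / rel))
    return ("direct", target)


def _norm(key: str) -> str:
    return key.strip("\\").lower()


def virtualized_reg_key(key: str) -> Tuple[str, Optional[str]]:
    """Same classification for a registry key. Only HKLM\\Software is
    virtualized; the exempt keys and the other HKLM subtrees fail; keys in
    other hives are written directly."""
    k = _norm(key)
    for ex in EXEMPT_KEYS:
        e = _norm(ex)
        if k == e or k.startswith(e + "\\"):
            return ("fails", None)
    hklm = HKLM.lower()
    if k == hklm or k.startswith(hklm + "\\"):
        sw = hklm + "\\software"
        if k == sw or k.startswith(sw + "\\"):
            return ("redirected", VSTORE_KEY + key.strip("\\")[len(HKLM):])
        return ("fails", None)
    return ("direct", key)


def redirected_files(user: str) -> list:
    """On Windows, list what the user's VirtualStore already holds: each entry
    is a file some program believed it wrote under C:\\Windows or
    C:\\Program Files. Returns [] on other platforms."""
    store = os.path.join("C:\\Users", user, "AppData", "Local", "VirtualStore")
    if sys.platform != "win32" or not os.path.isdir(store):
        return []
    return [os.path.join(d, f) for d, _, files in os.walk(store) for f in files]


if __name__ == "__main__":
    user = os.environ.get("USERNAME", "N00dleIT")
    print(virtualized_file_path(r"C:\Program Files\Hijackthis\hijackthis.log", user))
    print(virtualized_reg_key(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"))
    for path in redirected_files(user):
        print("redirected:", path)
```

Run it as the affected user and the "missing" HijackThis log shows up under VirtualStore\Program Files. Two practical consequences follow from the rules it encodes: a tool started with "Run as administrator" (or one that ships a manifest asking for elevation) is not virtualized and writes straight into Program Files, which is why the helper tools in this thread are normally run elevated; and an unprivileged dropper that tries to add itself under HKLM\...\Windows\CurrentVersion\Run gets a failure rather than a silent redirect, so a Run entry that does exist there was written with real privileges.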




Retired Staff (47,710 posts):
How is your PC running ? Do you have any visible problems ?




Topic Starter (Member, 14 posts):
I still have two instances of the graphics card.
Pinfect.zip is still present.
The computer is running, but there appear to be areas that need improvement.
I would like to be for **it sure. I know that stealth issues can be difficult to root out.
There are still export tables present and now a masked driver. Before, there was ntdll.dll that was hooked by the API code hijack method.
I have a USB flash drive that is infected. I used Flash Disinfector on it, but I'm not sure if it is disinfected. The infector on it is very fast at infecting; though it doesn't like Kaspersky, it isn't hampered by it either.
I was not able to utilize online scans like Panda or Trend Micro because they used Java. The bug disabled their ability to perform a scan.
Should I try one of the online scanners that did not work before?
Man, this place sure is busy for you guys. I appreciate your time and effort.

a-squared Free - Version 3.1
Last update: 3/8/2008 5:18:31 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 3/8/2008 5:19:17 PM

c:\workssetup detected: Trace.Directory.SpyWare.MateWatcher
Key: HKEY_USERS\S-1-5-21-3191488394-1991106847-1560332406-1000\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> AffiliateId detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> BitRate detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> CurrentUser detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> DownloadDir detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> EnableSystrayIcon detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> EULAAccepted detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> HelpFaqURL detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> HelpTutorialURL detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Client --> RegistrationURL detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Common --> ExternalLinkHandler detected: Trace.Registry.Napster
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Napster\Common --> ExternalLinkHandlerParams detected: Trace.Registry.Napster
C:\Windows\System32\sysprep\MakeLink.exe detected: IM-Worm.Win32.Sohanad.cf


Files: 109441
Traces: 307288
Cookies: 2
Processes: 54


Files: 1
Traces: 13
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 3/8/2008 5:54:35 PM
Scan time: 0:35:18

SUPERAntiSpyware Scan Log
Generated 03/09/2008 at 12:53 PM

Application Version : 3.6.1000

Core Rules Database Version : 3416
Trace Rules Database Version: 1408

Scan type : Complete Scan
Total Scan Time : 00:47:06

Memory items scanned : 615
Memory threats detected : 0
Registry items scanned : 6391
Registry threats detected : 0
File items scanned : 66615
File threats detected : 8

Adware.Tracking Cookie
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt

AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 3/9/2008 11:31:26 AM
Database loaded: signatures - 152842, NN profile(s) - 2, microprograms of healing - 55, signature database released 08.03.2008 16:55
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 69898
Heuristic analyzer mode: Maximum heuristics level
Healing mode: enabled
Windows version: 6.0.6000, ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Error loading driver - checking interrupted [C0000061]
1.4 Searching for masking processes and drivers
>> Driver masking: Base=9720B000, size=98304, name = "\SystemRoot\system32\drivers\parport.sys"
Searching for masking processes and drivers - complete
2. Scanning memory
Number of processes found: 23
Analyzer: process under analysis is 2040 C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 256 C:\Program Files\Toshiba\SmoothView\SmoothView.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 296 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
[ES]:Contains network functionality
Analyzer: process under analysis is 632 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 884 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1512 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 2936 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
[ES]:Contains network functionality
Analyzer: process under analysis is 3088 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1836 C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Number of modules loaded: 419
Scanning memory - complete
3. Scanning disks
C:\Deckard\System Scanner\20080305002640\backup\Users\N00dleIT\AppData\Local\Temp\mexe.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\Deckard\System Scanner\20080305002640\backup\Users\N00dleIT\AppData\Local\Temp\MWAVSCAN.COM - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\Deckard\System Scanner\backup\Users\N00dleIT\AppData\Local\Temp\mexe.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\Deckard\System Scanner\backup\Users\N00dleIT\AppData\Local\Temp\MWAVSCAN.COM - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\Windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut21_5DA0E02F970B424BBF41513A5018E4C0.chm - PE file with non-standard extension(dangerousness level is 5%)
C:\Windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut2_5DA0E02F970B424BBF41513A5018E4C0.chm - PE file with non-standard extension(dangerousness level is 5%)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
In the database 317 port descriptions
Opened at this PC: 9 TCP ports and 4 UDP ports
Checking complete, no suspicious ports detected
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal REG files association
Checking - complete
Files scanned: 140638, extracted from archives: 71115, malicious software found 0, suspicions - 0
Scanning finished at 3/9/2008 11:44:42 AM
Time of scanning: 00:13:16
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
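Two things in the post above invite a check rather than a glance: the four "Searching for vulnerabilities" lines in the AVZ log, and the infected USB flash drive, which for a 2008-era flash-drive worm means an autorun.inf pointing at a dropped executable. The block below is an added example, not AVZ's or Flash Disinfector's logic and not from the thread. `avz_findings` evaluates a snapshot of registry values (so the rules can run and be tested off-Windows) and `read_live_settings` fills that snapshot with winreg on Windows; `autorun_launch_targets` lists what an autorun.inf would execute. The value names and the Vista defaults in DEFAULTS are assumed to be the standard ones for these settings (AVZ may inspect more than these), and SAMPLE_AUTORUN_INF is constructed for illustration.

```python
"""Checks for the four AVZ "Searching for vulnerabilities" findings, plus a
parser for the autorun.inf that an infected flash drive relies on.

Added example, not AVZ's or Flash Disinfector's logic and not from the
thread. `avz_findings` evaluates a snapshot of registry values so the rules
run and can be tested off-Windows; `read_live_settings` fills that snapshot
with winreg on Windows. Assumptions: the value names and the Vista defaults
in DEFAULTS are the standard ones for these settings (AVZ may inspect more),
and SAMPLE_AUTORUN_INF is constructed for illustration.
"""
import re
import sys

# finding, worded as AVZ prints it -> (HKLM subkey, value name)
SETTINGS = {
    "disk drives' autorun is enabled":
        (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun"),
    "administrative shares (C$, D$ ...) are enabled":
        (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks"),
    "anonymous user access is enabled":
        (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"),
    "sending Remote Assistant queries is enabled":
        (r"SYSTEM\CurrentControlSet\Control\Remote Assistance", "fAllowToGetHelp"),
}
# Value taken when the registry value is absent (assumed Vista defaults).
DEFAULTS = {"NoDriveTypeAutoRun": 0x91, "AutoShareWks": 1, "RestrictAnonymous": 0, "fAllowToGetHelp": 1}
# NoDriveTypeAutoRun bitmask: 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x80 unknown
ALL_DRIVE_TYPES = 0xFF


def avz_findings(values):
    """values: {value_name: int or None}. Returns the findings that still
    apply, in AVZ's wording, so an empty list means all four are hardened."""
    def v(name):
        x = values.get(name)
        return DEFAULTS[name] if x is None else x
    weak = {
        "NoDriveTypeAutoRun": (v("NoDriveTypeAutoRun") & ALL_DRIVE_TYPES) != ALL_DRIVE_TYPES,
        "AutoShareWks": v("AutoShareWks") != 0,
        "RestrictAnonymous": v("RestrictAnonymous") == 0,
        "fAllowToGetHelp": v("fAllowToGetHelp") != 0,
    }
    return [finding for finding, (_, name) in SETTINGS.items() if weak[name]]


def read_live_settings():
    """Windows only: read the four values from HKLM (missing -> None)."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for subkey, name in SETTINGS.values():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                out[name] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            out[name] = None
    return out


def autorun_launch_targets(inf_text):
    """Commands an autorun.inf hands to the shell, in file order, as
    (key, command). A manual scan rather than configparser: worm-written
    files use mixed case, CR-only line ends, duplicate keys and junk lines,
    which configparser rejects or merges."""
    targets, in_autorun = [], False
    for raw in re.split(r"[\r\n]+", inf_text):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, cmd = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append((key, cmd.strip()))
    return targets


# Constructed sample in the style of a flash-drive worm; not taken from the thread.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "open=New Folder.exe\r\n"
    "shell\\open\\Command=New Folder.exe\r\n"
    "shell\\explore\\command=New Folder.exe\r\n"
    "ShellExecute=New Folder.exe\r\n"
)

if __name__ == "__main__":
    for finding in avz_findings(read_live_settings()):
        print(">> Security:", finding)
    for key, cmd in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf would run via {key}: {cmd}")
```

With an empty snapshot (every value absent, so the assumed defaults apply) the function reproduces exactly the four lines AVZ printed. Setting NoDriveTypeAutoRun to 0xFF under the Policies\Explorer key (the HKCU copy of the key is consulted as well) is the usual fix for the first one, and it is also the setting that stops a drive like the poster's from launching "New Folder.exe" through the shell\open\command entry when it is plugged in; parsing the drive's autorun.inf first tells you which file to quarantine.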




Retired Staff (47,710 posts):
Your logs are clean, but let's be 100% sure since you think this is a rootkit problem.

Any problems you have are more than likely because you have so many anti-rootkit and other security programs on your PC. They all conflict.

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Win32 Services
Message Hooks

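The "red entries" the instructions above ask for are IceSword's cross-view check: the same list is obtained two different ways and anything present in one view but not the other is flagged. The block below is an added example of that idea for the process list, not IceSword's code and not from the thread. `diff_views` is the comparison itself and runs anywhere; the two collectors are Windows-only ctypes calls (Toolhelp snapshot versus brute-force OpenProcess) and return an empty dict elsewhere. The sweep bound MAX_PID and the choice to ignore PID 0 are assumptions.

```python
"""Cross-view process listing, the idea behind IceSword's red entries.

Added example, not IceSword's code and not from the thread. The same
process list is taken through two different APIs and diffed: a PID that one
view returns and the other does not is a candidate hidden process.
`diff_views` is pure logic and runs anywhere; the two collectors are
Windows-only ctypes calls and return {} elsewhere. Assumptions: PIDs are
swept up to MAX_PID, and PID 0 (the idle-process placeholder) is ignored
because OpenProcess can never reach it.
"""
import ctypes
import sys

MAX_PATH = 260
TH32CS_SNAPPROCESS = 0x00000002
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
MAX_PID = 65536  # assumption: sweep bound, raise it on busy systems


class PROCESSENTRY32W(ctypes.Structure):
    """Layout of the Toolhelp process record (Unicode variant)."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ctypes.c_size_t),
        ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_long),
        ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_wchar * MAX_PATH),
    ]


def view_toolhelp():
    """View 1: CreateToolhelp32Snapshot, what Task Manager-style tools walk.
    A user-mode or SSDT hook on NtQuerySystemInformation edits this list."""
    if sys.platform != "win32":
        return {}
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k32.Process32FirstW, k32.Process32NextW):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    procs, pe = {}, PROCESSENTRY32W(dwSize=ctypes.sizeof(PROCESSENTRY32W))
    ok = k32.Process32FirstW(snap, ctypes.byref(pe))
    while ok:
        procs[pe.th32ProcessID] = pe.szExeFile
        ok = k32.Process32NextW(snap, ctypes.byref(pe))
    k32.CloseHandle(snap)
    return procs


def view_openprocess():
    """View 2: brute-force OpenProcess on every possible PID. A process that
    is hidden from enumeration but still has an object can often be opened."""
    if sys.platform != "win32":
        return {}
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.QueryFullProcessImageNameW.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    procs = {}
    for pid in range(4, MAX_PID, 4):            # PIDs are multiples of 4
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if not h:
            continue
        buf, n = ctypes.create_unicode_buffer(MAX_PATH), ctypes.c_uint32(MAX_PATH)
        procs[pid] = buf.value if k32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(n)) else "?"
        k32.CloseHandle(h)
    return procs


def diff_views(view_a, view_b, ignore=frozenset({0})):
    """PIDs present in exactly one view, as sorted (pid, name) lists:
    (only_in_a, only_in_b). Matching is by PID only, because the two APIs
    return names in different forms (basename vs. full path)."""
    only_a = sorted((p, view_a[p]) for p in view_a.keys() - view_b.keys() - ignore)
    only_b = sorted((p, view_b[p]) for p in view_b.keys() - view_a.keys() - ignore)
    return only_a, only_b


if __name__ == "__main__":
    toolhelp, opened = view_toolhelp(), view_openprocess()
    only_snap, only_open = diff_views(toolhelp, opened)
    print(f"toolhelp={len(toolhelp)} openprocess={len(opened)}")
    for pid, name in only_open:
        print(f"HIDDEN from snapshot? pid={pid} {name}")   # the IceSword "red entry" case
    for pid, name in only_snap:
        print(f"in snapshot only (exited, or OpenProcess denied): pid={pid} {name}")
```

Run it elevated so OpenProcess is not refused for service processes, and run it twice and keep only PIDs flagged both times, since a process that exits between the two collections shows up as a false "snapshot only" hit. The caveat that matters for this thread: a kernel-mode rootkit that hooks both the enumeration path and the object-lookup path hides from both of these user-mode views, which is exactly why the staff asked for IceSword, a driver-based tool that compares against the kernel's own structures instead of trusting either API.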




Topic Starter (Member, 14 posts):


System Idle Process
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Users\Public\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_23.02.2008_07-11.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\ieuser.exe


Started Service:

Service Name:a2free Display Name:a-squared Free Service
Service Name:AeLookupSvc Display Name:Application Experience
Service Name:AgereModemAudio Display Name:Agere Modem Call Progress Audio
Service Name:Appinfo Display Name:Application Information
Service Name:Ati External Event Utility Display Name:Ati External Event Utility
Service Name:AudioEndpointBuilder Display Name:Windows Audio Endpoint Builder
Service Name:Audiosrv Display Name:Windows Audio
Service Name:AVG Anti-Spyware Guard Display Name:AVG Anti-Spyware Guard
Service Name:BFE Display Name:Base Filtering Engine
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:CFSvcs Display Name:ConfigFree Service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:DPS Display Name:Diagnostic Policy Service
Service Name:EapHost Display Name:Extensible Authentication Protocol
Service Name:Eventlog Display Name:Windows Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FontCache3.0.0.0 Display Name:Windows Presentation Foundation Font Cache
Service Name:gpsvc Display Name:Group Policy Client
Service Name:hidserv Display Name:Human Interface Device Access
Service Name:KeyIso Display Name:CNG Key Isolation
Service Name:LanmanWorkstation Display Name:Workstation
Service Name:MMCSS Display Name:Multimedia Class Scheduler
Service Name:MpsSvc Display Name:Windows Firewall
Service Name:Netman Display Name:Network Connections
Service Name:netprofm Display Name:Network List Service
Service Name:NlaSvc Display Name:Network Location Awareness
Service Name:nsi Display Name:Network Store Interface Service
Service Name:PcaSvc Display Name:Program Compatibility Assistant Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:ProfSvc Display Name:User Profile Service
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:SENS Display Name:System Event Notification Service
Service Name:setup_7.0.0.180_23.02.2008_07-11 Display Name:setup_7.0.0.180_23.02.2008_07-11
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:slsvc Display Name:Software Licensing
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:SysMain Display Name:Superfetch
Service Name:TapiSrv Display Name:Telephony
Service Name:TNaviSrv Display Name:TOSHIBA Navi Support Service
Service Name:TODDSrv Display Name:TOSHIBA Optical Disc Drive Service
Service Name:TosCoSrv Display Name:TOSHIBA Power Saver
Service Name:TOSHIBA Bluetooth Service Display Name:TOSHIBA Bluetooth Service
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UleadBurningHelper Display Name:Ulead Burning Helper
Service Name:UxSms Display Name:Desktop Window Manager Session Manager
Service Name:W32Time Display Name:Windows Time
Service Name:WdiSystemHost Display Name:Diagnostic System Host
Service Name:WebClient Display Name:WebClient
Service Name:WinDefend Display Name:Windows Defender
Service Name:Winmgmt Display Name:Windows Management Instrumentation
Service Name:Wlansvc Display Name:WLAN AutoConfig
Service Name:WPDBusEnum Display Name:Portable Device Enumerator Service
Service Name:wscsvc Display Name:Security Center
Service Name:WSearch Display Name:Windows Search
Service Name:wuauserv Display Name:Windows Update
Service Name:wudfsvc Display Name:Windows Driver Foundation - User-mode Driver Framework

Start up


Windows Defender
%ProgramFiles%\Windows Defender\MSASCui.exe -hide


%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE




C:\Program Files\Synaptics\SynTP\SynTPStart.exe


C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

!AVG Anti-Spyware
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

C:\Program Files\Hypersight\hypersight.exe


C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

C:\Users\N00dleIT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


\??\C:\Program Files\Grisoft\AVG Anti Spyware 7.5\Guard.sys
\??\C:\Program Files\Grisoft\AVG Anti Spyware 7.5\Guard.sys

Message Hooks

WH_KEYBOARD_LL C:\Windows\System32\Ati2evxx.exe
WH_KEYBOARD C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Mark Russinovich stated "with the current level of stealth malware and ability to attack anti malware tools you should get your hands on and scan with as many anti rootkit scanners as you can find." subject Malware Cleaning

My USB may still be infected. A 2gb micro sd card.

What do I do with pinfect.zip? It is supposedly a file of MWAV/escan scanner, the password is "infected". My version doesn't clean, so I don't know where it came from.

If you give me the thumbs up, I will go with it and return to my standard security set up, AV, AS, Firewall and all. Driver Detect is a new rootkit tool under development, currently beta testing @sysinternals forums. Works on XP and limited functionality for Vista. If development continues may become replacement for RKU.

Erasing the tracks of stupidity. l8tr.

Edited by GglIt, 09 March 2008 - 09:29 PM.

  • 0




  • Retired Staff
  • 47,710 posts
I know of DriverDetect, and Hypersight. I have to warn you about using tools that are in beta, especially anti-rootkit ones.

Your logs are clean, there is no malware. Tell the guys over at VirusInfo you are clean please

What do I do with pinfect.zip?

Delete it if you want, it is related to MWAV so it is legitimate.

Few things to do

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Delete ALL the tools that you have run yourself. You don't need multiple rootkit scanners.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place'

Thank you for your patience, and performing all of the procedures requested.
  • 0
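The HOSTS-file mechanism recommended in the post above, shown as an added example (my code, not from the thread or from MVPS). A blocklist-style HOSTS file maps known ad and malware hosts to the local machine; malware abuses the same file in the other direction, so this goes a step beyond the post and also flags entries that remap sites the machine needs. The protected-domain list and the sample HOSTS content are constructed for illustration.

```python
"""Classify entries in a Windows HOSTS file: blocklist sinkholes vs hijacks.

Added example, not part of the thread. The MVPS HOSTS file the post recommends
works by mapping known ad and malware hosts to the local machine so the
browser never reaches them. Malware abuses the same file in the other
direction, so a review should separate legitimate sinkhole entries from
entries that redirect sites the machine needs (updates, AV vendors).
"""
import ipaddress

# Domains a healthy machine should never see remapped. Constructed,
# illustrative list; extend it with the vendors actually in use.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "superantispyware.com",
)

# Addresses a blocklist-style HOSTS file uses as a sinkhole.
SINKHOLES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("127.0.0.1")}

# Constructed sample HOSTS content (assumption: typical blocklist-style layout).
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.net          # blocklist-style sinkhole entry
0.0.0.0   tracker.example.org
127.0.0.1 www.windowsupdate.com    # hijack: update site sinkholed
198.51.100.7 www.superantispyware.com  # hijack: vendor site sent elsewhere
203.0.113.5 intranet.example.local # custom mapping; needs a human look
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; not a mapping
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_protected(host):
    """True when host is, or is under, one of the protected domains."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(text):
    """Return mappings bucketed as localhost / blocked / hijacked / redirected."""
    result = {"localhost": [], "blocked": [], "hijacked": [], "redirected": []}
    for ip, host, line_no in parse_hosts(text):
        entry = (host, str(ip), line_no)
        if host == "localhost" and ip.is_loopback:
            result["localhost"].append(entry)
        elif is_protected(host):
            # Any remapping of a protected name is suspicious, sinkhole included:
            # pointing an update server at 127.0.0.1 silently breaks updates.
            result["hijacked"].append(entry)
        elif ip in SINKHOLES:
            result["blocked"].append(entry)
        else:
            result["redirected"].append(entry)
    return result


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_HOSTS).items():
        print(f"{bucket}: {len(entries)}")
        for host, ip, line_no in entries:
            print(f"  line {line_no}: {host} -> {ip}")
```

To review a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text to `classify()`; anything in the `hijacked` bucket deserves attention before the file is replaced, since a replacement hides the evidence of what was tampered with.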




  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Just a few questions before you go off saving the world and all.

I have this in my registry; What is it? To me looks like C++, some type of driver variables:


What do I do about the worm? sonahad. When I try to clean using Asquared the computer crashes causing a reinstall of the OS. I have not tried to clean this because of that.

How do I clean a usb/flash drive which has the infector you cleaned me of?

If you classified the malware that was bothering me, what was it called?

I am still unable to perform online scans at Panda and Trend micro housecall with java 6 4. Currently have no java.
I thought that trend also used active x as well as java. Active x was not available to me as a choice for scanning.
  • 0




  • Retired Staff
  • 47,710 posts
Not sure what those are, I wouldn't touch them

You don't have a worm on your PC, you are clean. There could be many other reasons why A-Squared is crashing

For the USB key, do this

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

The malware you had was some driver infection, not sure of its exact name

I am still unable to perform online scans at Panda and Trend micro housecall with java 6 4.

That is probably some conflict with all those programs you have run yourself.

Anything else ?
  • 0
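The autorun.inf folder trick described in the note above, as an added example (my code, not from the thread and not Flash_Disinfector's). The post says the tool leaves a folder named autorun.inf on each drive; that works because a file and a folder cannot share a name in the same directory, so a worm that tries to drop its own autorun.inf file fails. The script below reports which state a drive root is in and, when a real autorun.inf file is present, lists the entries Windows would act on. The sample autorun.inf and the payload name `dropped.exe` are constructed placeholders.

```python
"""Inspect a removable-drive root for autorun.inf abuse.

Added example, not from the thread and not Flash_Disinfector's code. A drive
root can be in one of three states: no autorun.inf, a protective folder named
autorun.inf (what the post says the tool creates), or a real autorun.inf file
whose launch entries should be inspected.
"""
import pathlib
import tempfile

# Constructed sample of a malicious-style autorun.inf; payload name is a placeholder.
SAMPLE_AUTORUN = r"""[AutoRun]
icon=drive.ico
label=Removable Disk
open=dropped.exe
shellexecute=dropped.exe
shell\open\command=dropped.exe
"""


def parse_autorun(text):
    """Return (key, value) pairs from [autorun] that would launch something."""
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= and shellexecute= run directly; shell\<verb>\command= runs on that verb
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            launches.append((key, value))
    return launches


def inspect_drive_root(root):
    """Classify <root>/autorun.inf as absent, protected_folder, or autorun_file."""
    entry = pathlib.Path(root) / "autorun.inf"
    if not entry.exists():
        return {"state": "absent", "launches": []}
    if entry.is_dir():
        return {"state": "protected_folder", "launches": []}
    text = entry.read_text(encoding="utf-8", errors="replace")
    return {"state": "autorun_file", "launches": parse_autorun(text)}


def demo():
    """Build three constructed drive roots in a temp dir and inspect each."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    roots = {}
    roots["clean"] = base / "clean_drive"
    roots["clean"].mkdir()
    roots["protected"] = base / "protected_drive"
    roots["protected"].mkdir()
    (roots["protected"] / "autorun.inf").mkdir()  # the folder trick from the post
    roots["infected"] = base / "infected_drive"
    roots["infected"].mkdir()
    (roots["infected"] / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="utf-8")
    return {name: inspect_drive_root(path) for name, path in roots.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

On a real machine call `inspect_drive_root("E:\\")` (or whichever letter the flash drive has). Windows filesystems are case-insensitive, so `AUTORUN.INF` is found as well there; on a case-sensitive filesystem only the exact name matches, which is why `demo()` writes the lowercase form.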





  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
