Re: Atapi.sys infected - Trojan Horse Packed.Protector.C?
Answer» Hi, I have the same problem, or had. I used ComboFix, as is written up. I had that trojan and the same file was infected, and I also had an svchost problem. I will post a log file here, and thank you in advance for assistance:
dzi. Please don't hijack another person's thread. Start one of your own. Go to the first thread in this forum and follow the instructions. Someone will help you with your particular problem. Moved to NEW topic.