No desktop icon after removing Windows Recovery malware

By peterj
May 4, 2011
Topic Status:
Not open for further replies.
  1. Hi,

    The IT guy at work removed the Windows Recovery malware off my work machine but I still can't see any icons on the desktop or the start menu. I'm not 100% sure of what he did, but I think he removed it manually. He wants to do a re-format but I was hoping to avoid this. I have tried to use the unhide.exe from bleepingcomputer and still no luck.

    Any help would be great. The logs are below.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6502

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/05/2011 9:27:17 PM
    mbam-log-2011-05-04 (21-27-17).txt

    Scan type: Quick scan
    Objects scanned: 208643
    Time elapsed: 9 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15572 - http://www.gmer.net
    Rootkit scan 2011-05-04 21:51:53
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 FUJITSU_ rev.0084
    Running: ju5mobv9.exe; Driver: C:\DOCUME~1\peter\LOCALS~1\Temp\uweirfob.sys


    ---- System - GMER 1.0.15 ----

    SSDT 897B5348 ZwAlertResumeThread
    SSDT 8979A350 ZwAlertThread
    SSDT 898760E8 ZwAllocateVirtualMemory
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA284CFC0]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9E83818]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA284DA56]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xB9E837D0]
    SSDT 897D24F8 ZwCreateMutant
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9E77A20]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xBA2CCDB6]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xBA2CBE12]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xA285127C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xA28512AE]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9E782A8]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9E83910]
    SSDT 8957A8D8 ZwFreeVirtualMemory
    SSDT 89483898 ZwImpersonateAnonymousToken
    SSDT 89813BA0 ZwImpersonateThread
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xA2851410]
    SSDT 89881388 ZwMapViewOfSection
    SSDT 897B8C90 ZwOpenEvent
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA284DB2C]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9E83794]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xA284D104]
    SSDT 896C10A8 ZwOpenProcessToken
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xA284D2F6]
    SSDT 8986BD30 ZwOpenThreadToken
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA284D428]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9E782C8]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA2851386]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA28512F0]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xA2851322]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xA2851354]
    SSDT 896AA098 ZwResumeThread
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA284CF66]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xBA2CBE86]
    SSDT 89859A38 ZwSetInformationProcess
    SSDT 89887AE8 ZwSetInformationThread
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9E830B0]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xBA2CCC92]
    SSDT 89837AD8 ZwSuspendProcess
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA284CF02]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xBA2CBD98]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA284CE9E]
    SSDT 89390980 ZwUnmapViewOfSection
    SSDT 898C1B20 ZwWriteVirtualMemory

    INT 0x62 ? 8A9E2BF8
    INT 0x63 ? 8982FBF8
    INT 0x73 ? 8982FBF8
    INT 0x74 ? 8982FBF8
    INT 0x84 ? 8982FBF8
    INT 0x94 ? 8982FBF8
    INT 0xA4 ? 8A9E3BF8
    INT 0xA4 ? 8982FBF8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 4 Bytes CALL 4AD9CC29
    PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP BA68EFC8
    ? sphj.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B91BF8AC 5 Bytes JMP 8982F1D8

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414130 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A60001
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A00022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A90022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 0043EA30 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 71AE001E
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 719E0022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A20022

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] sphj.sys

    ---- Devices - GMER 1.0.15 ----

    Device 8A9DF1F8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device 86508500
    Device 895DF950
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 8982E1F8
    Device \Driver\usbuhci \Device\USBPDO-1 8982E1F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9E41F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A9E41F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A9E41F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A9E41F8
    Device \Driver\usbehci \Device\USBPDO-2 897981F8
    Device \Driver\usbehci \Device\USBPDO-3 897981F8
    Device \Driver\usbuhci \Device\USBPDO-4 8982E1F8
    Device \Driver\usbuhci \Device\USBPDO-5 8982E1F8
    Device \Driver\usbuhci \Device\USBPDO-6 8982E1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8AA3A1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{3CBD72F7-7738-480F-AE11-68E4801110EE} 865F6500
    Device \Driver\Cdrom \Device\CdRom0 8954DF00
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8AA3A1F8
    Device \FileSystem\Rdbss \Device\FsWrap 89843330
    Device \Driver\iaStor \Device\Ide\iaStor0 [B9D53D30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 89844188
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89844188
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9D53D30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 8954DF00
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8AA3A1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{CDCCBDF4-FF11-45A5-B356-BB14700F3A16} 865F6500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 865F6500
    Device \Driver\NetBT \Device\NetbiosSmb 865F6500
    Device \Driver\USBSTOR \Device\000000d3 864CD4A0
    Device \FileSystem\Srv \Device\LanmanServer 85CE76B0
    Device \Driver\USBSTOR \Device\000000d4 864CD4A0
    Device \Driver\usbuhci \Device\USBFDO-0 8982E1F8
    Device \Driver\usbuhci \Device\USBFDO-1 8982E1F8
    Device \Driver\usbehci \Device\USBFDO-2 897981F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 866A8500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864C7878
    Device \Driver\usbuhci \Device\USBFDO-3 8982E1F8
    Device 866A8500
    Device 864C7878
    Device \FileSystem\Npfs \Device\NamedPipe 895F2AF8
    Device \Driver\usbuhci \Device\USBFDO-4 8982E1F8
    Device \Driver\Ftdisk \Device\FtControl 8AA3A1F8
    Device \Driver\usbuhci \Device\USBFDO-5 8982E1F8
    Device \FileSystem\Msfs \Device\Mailslot 8952E930
    Device \Driver\usbehci \Device\USBFDO-6 897981F8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 895388A8
    Device \Driver\d347prt \Device\Scsi\d347prt1 895388A8

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 89661D00
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 89661D00
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 89661D00
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 89661D00
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 89661D00
    Device \FileSystem\Cdfs \Cdfs 8657A500
    Device \FileSystem\Cdfs \Cdfs 89644CA8
    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Modules - GMER 1.0.15 ----

    Module _________ B9CFE000-B9D16000 (98304 bytes)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8B 0xE3 0x91 0x67 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xBC 0x41 0xBF ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8B 0xE3 0x91 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xBC 0x41 0xBF ...

    ---- EOF - GMER 1.0.15 ----
  2. Bobbye


    Welcome to TechSpot! A clean Mbam scan and a questionable GMER scan don't give me enough to go on.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Note: If this is a system that is used for work, with any specialized software on it, I may send you back to your IT person. Sometimes, reformats are suggested for the simple reason that the person doesn't know how to troubleshoot. I don't know if this relates to you or not, but
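Bobbye calls the GMER scan "questionable", and a log this long is hard to judge by eye. The script below is an added example for triaging it; it is not from either poster and not part of GMER. It parses the SSDT and "Kernel code sections" lines GMER emits, groups the SSDT hooks by the module GMER attributes them to, and separates out the four kinds of entry that need a manual look: SSDT hooks GMER could not tie to any file (the bare-address lines), hooking modules whose vendor field is blank, drivers whose file GMER reports as not found on disk, and inline JMP/CALL patches of kernel images. The sample input is a handful of lines copied from the log posted above; the regular expressions are assumptions about GMER 1.0.15's line format derived from those lines only, not from GMER's documentation.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code).

Groups SSDT hooks by the module GMER attributes them to and lists the
entries that deserve a manual look. The line patterns are assumptions
derived from the log posted in this thread, not a documented format.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log in the thread,
# with the section headers GMER writes around them.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 897B5348 ZwAlertResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA284CFC0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9E83818]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA284DA56]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xBA2CCDB6]
SSDT 898C1B20 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 4 Bytes CALL 4AD9CC29
PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP BA68EFC8
? sphj.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B91BF8AC 5 Bytes JMP 8982F1D8

---- EOF - GMER 1.0.15 ----
"""

HEX = r"[0-9A-Fa-f]"
# "SSDT <module path> (<Description/Vendor>) <ZwFunc> [0xADDR]"
SSDT_ATTRIBUTED = re.compile(
    rf"^SSDT\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>{HEX}+)\]$")
# "SSDT <ADDR> <ZwFunc>": hook found, but GMER names no file that owns the code.
SSDT_BARE = re.compile(rf"^SSDT\s+(?P<addr>{HEX}{{8}})\s+(?P<func>Zw\w+)$")
# A loaded driver whose backing file GMER could not open.
MISSING_FILE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
# "<section> <image!symbol> [+ offset] <ADDR> <n> Bytes <JMP|CALL> <DEST>"
INLINE_PATCH = re.compile(
    rf"^(?P<section>\S+)\s+(?P<target>\S+?!\w+)(?:\s+\+\s+{HEX}+)?\s+"
    rf"(?P<addr>{HEX}{{8}})\s+(?P<size>\d+)\s+Bytes\s+(?P<insn>JMP|CALL)\s+(?P<dest>{HEX}{{8}})$")


def basename(path):
    # Last component of a kernel object path; the \??\ prefix and directories are dropped.
    return re.split(r"[\\/]", path)[-1]


def vendor_of(desc):
    # GMER writes "(Description/Vendor)"; a blank vendor field is itself worth noting.
    return desc.split("/", 1)[1].strip() if "/" in desc else ""


def triage(log_text):
    hooks = defaultdict(list)   # module basename -> hooked syscalls
    vendor = {}                 # module basename -> vendor string ("" if blank)
    bare = []                   # (address, syscall) with no owning module
    missing = []                # drivers whose file was not found on disk
    patches = []                # (image!symbol, JMP/CALL, destination)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_BARE.match(line)
        if m:
            bare.append((m["addr"].upper(), m["func"]))
            continue
        m = SSDT_ATTRIBUTED.match(line)
        if m:
            name = basename(m["module"])
            hooks[name].append(m["func"])
            vendor[name] = vendor_of(m["desc"])
            continue
        m = MISSING_FILE.match(line)
        if m:
            missing.append(m["module"])
            continue
        m = INLINE_PATCH.match(line)
        if m:
            patches.append((m["target"], m["insn"], m["dest"].upper()))
    return {"hooks": dict(hooks), "vendor": vendor, "bare": bare,
            "missing": missing, "patches": patches}


def review_items(result):
    """Entries to look at by hand; the order is blank-vendor modules, bare hooks,
    missing driver files, then inline kernel patches."""
    items = []
    for name, funcs in sorted(result["hooks"].items()):
        if not result["vendor"].get(name):
            items.append(f"no vendor string: {name} hooks {len(funcs)} syscall(s)")
    if result["bare"]:
        items.append(f"{len(result['bare'])} SSDT hook(s) point into memory GMER ties to no file")
    for name in result["missing"]:
        items.append(f"driver file not found on disk: {name}")
    for target, insn, dest in result["patches"]:
        items.append(f"inline patch: {target} {insn} {dest}")
    return items


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, funcs in sorted(result["hooks"].items()):
        print(f"{name:28s} vendor={result['vendor'][name] or '<blank>':16s} {len(funcs)} hook(s)")
    for item in review_items(result):
        print("REVIEW:", item)
```

Run it against the full pasted log by replacing SAMPLE_LOG with the file contents. The grouping is a sorting aid, not a verdict: a module that hooks many syscalls and carries a vendor string (here, the Trusteer Rapport drivers) can be looked up and set aside quickly, while a blank vendor field, a bare-address hook or a "file not found" driver only means that entry has to be identified before the scan can be called clean.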