BleepingComputer.com: Machine is extremely slow with high CPU and PF Usage


Machine is extremely slow with high CPU and PF Usage
Could you please help to remove any virus/trojan/spyware/malware

#31 thewall (Malware Response Team)
Posted 08 November 2009 - 11:46 AM

We still need a GMER run so try the following:

Go to Start > Run and type in msconfig. When the msconfig box opens, check the radio button that says Diagnostic Startup and click OK, then restart your computer. Try running GMER from there.
If I have helped you then please consider donating so I can continue the fight against malware. All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#32 Kshil (Member)
Posted 08 November 2009 - 06:10 PM

Here is the GMER log in Diagnostic Startup mode:


GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-09 04:24:46
Windows 5.1.2600 Service Pack 3
Running: w4w2yh07.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxloapow.sys


---- System - GMER 1.0.15 ----

SSDT 864D5710 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwDeleteKey [0x9C8EF190]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwDeleteValueKey [0x9C8EF0C0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwLoadKey [0x9C8EF210]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwReplaceKey [0x9C8EF380]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwRestoreKey [0x9C8EF4C0]
SSDT \SystemRoot\System32\drivers\dsload.sys (Desktop Sharing Grabber Loader/Oracle Corp.) ZwSetSystemInformation [0xA74357DD]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC) ZwSetValueKey [0x9C8EEFE0]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [9C8DF2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [9C8DF560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [9C8DF6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [9C8DF450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [9C8DF2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [9C8DF450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [9C8DF6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [9C8DF560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [9C8DF6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [9C8DF560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [9C8DF2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [9C8DF450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [9C8DF2D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [9C8DF560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [9C8DF6A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

#33 thewall (Malware Response Team)
Posted 09 November 2009 - 10:15 AM

I need to know if you are averse to uninstalling some of your security programs and running a program that we need to use.

If you aren't, then we need to start with Zone Alarm. Uninstall it, then run mbr.exe, which you will find on your machine at the following location: C:\WINDOWS\MBR.exe. Run the tool by double-clicking on it. It will produce a log which I will need in your next reply.

#34 Kshil (Member)
Posted 09 November 2009 - 11:59 PM

Hi thewall,

I don't have a problem uninstalling something if it helps. I don't think Zone Alarm is something that came preconfigured with this laptop, so I am ready to uninstall it.

When I double-click on C:\WINDOWS\MBR.exe, a command prompt window pops up and vanishes. I found that MBR.log gets generated in the same folder.

Here is the content of the log:
*********************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

***********************************

#35 thewall (Malware Response Team)
Posted 10 November 2009 - 12:11 AM

You did good. If you want to, you can now reinstall Zone Alarm and then move on to uninstalling Symantec and doing the same thing. I believe you can see what we are doing is a process of elimination, trying to narrow some things down. If Symantec gives you any problems, which it has been known to do, let me know and I have some things that can be of assistance.

#36 Kshil (Member)
Posted 10 November 2009 - 02:10 AM

Hi thewall,

There are some concerns in uninstalling Symantec as that comes preconfigured.

The reasons are:

1. I don't have any media through which I can reinstall it.
2. If I fail to reinstall Symantec, I would not only lose the antivirus but also VPN connectivity with the IBM network, as that checks if Symantec is properly installed before granting connection permission. As I am on tour, if I lose VPN I would be completely at a loss and would have no other option than to reformat the machine and load the IBM base image again, which would come with Symantec. Unfortunately I don't have a latest data backup of the machine either to go for a reformat. In case of a reformat this thread would also lose its significance, and that is something I want to avoid.

So the risks involved in uninstalling Symantec are high. I need your suggestion at this point before taking a call.

1. How critical is it to uninstall Symantec for you to proceed with debugging now?
2. Would it be possible for you to continue debugging, bypassing this?
3. If it's absolutely not possible to go ahead without uninstalling Symantec, then I can only do that at the end of my tour, that is sometime in the middle of December, after taking data backups. In that case can we put this thread to sleep for a month? Else we have to start afresh again.

Otherwise, if you can continue debugging this issue while keeping the Symantec uninstall pending for some time, we can carry on with this thread.

Please suggest what your opinion is regarding this.

#37 thewall (Malware Response Team)
Posted 10 November 2009 - 11:19 AM

I understand, we are going to try something else.

Delete the version of GMER you have and download and run another one from below.

We need to scan for Rootkits with GMER
  • Please download GMER from the following location, and save it to your desktop:
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


#38 Kshil (Member)
Posted 10 November 2009 - 01:07 PM

The logfile generated by newly downloaded GMER is pasted below:

**********************************************************************

GMER 1.0.15.15219 - http://www.gmer.net
Rootkit scan 2009-11-10 23:26:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxloapow.sys


---- System - GMER 1.0.15 ----

SSDT 86245D70 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9E750350]
SSDT 864863D8 ZwQueryValueKey
SSDT 862A5A98 ZwResumeThread
SSDT \SystemRoot\System32\drivers\dsload.sys (Desktop Sharing Grabber Loader/Oracle Corp.) ZwSetSystemInformation [0xA13907DD]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9E750580]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2656] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [9A0376A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [9A037450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [9A037450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [9A0376A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [9A0376A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [9A037450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [9A0376A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [9A037450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [9A0376A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


**********************************************************
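The two GMER logs posted above are the raw material for the process of elimination thewall describes: every SSDT and IAT hook resolves to one of three owners (vsdatant.sys from Zone Alarm, SYMEVENT.SYS from Symantec, and dsload.sys), except for a few SSDT entries where GMER prints only an address because it could not attribute the hook target to any loaded module. The Python script below is an added example, not part of the thread and not GMER's own code: it parses the SSDT and Kernel IAT/EAT lines, groups hooked functions by the module that owns the hook, and separates out three buckets: address-only hooks, hooks owned by modules from a vendor other than the installed security products, and hooks owned by the installed security products. The sample input is a handful of lines copied from the logs above; the set of vendors treated as installed security software is an assumption made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the two GMER logs posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 86245D70 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9E750350]
SSDT 864863D8 ZwQueryValueKey
SSDT 862A5A98 ZwResumeThread
SSDT \SystemRoot\System32\drivers\dsload.sys (Desktop Sharing Grabber Loader/Oracle Corp.) ZwSetSystemInformation [0xA13907DD]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9E750580]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [9A037560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [9A0372D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
"""

# Assumption for this example: vendors whose kernel hooks are expected on this
# machine because the user has their products installed (Zone Alarm, Symantec).
KNOWN_SECURITY_VENDORS = {"Zone Labs LLC", "Symantec Corporation"}

# SSDT entry whose hook address GMER resolved to a module; the path may contain spaces.
SSDT_RESOLVED = re.compile(
    r"^SSDT (?P<module>.+?) \((?P<desc>[^)]*)\) (?P<func>\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# SSDT entry GMER could only report as a raw address: no loaded module image owns it.
SSDT_UNRESOLVED = re.compile(r"^SSDT (?P<addr>[0-9A-Fa-f]+) (?P<func>\w+)$")
# Import-table hook: <victim driver>[<exporter>!<import>] [<addr>] <hooking module> (<desc>)
IAT_LINE = re.compile(
    r"^IAT (?P<victim>.+?)\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<module>.+?) \((?P<desc>[^)]*)\)$")


def _basename(path):
    """Return the lower-cased file name from a Win32 or NT object path."""
    return path.rsplit("\\", 1)[-1].lower()


def _vendor(desc):
    """GMER prints '(FileDescription/CompanyName)'; return the CompanyName part."""
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Parse the SSDT and IAT lines of a GMER log into a list of hook records."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RESOLVED.match(line)
        if m:
            hooks.append({"kind": "SSDT", "function": m["func"], "addr": m["addr"].upper(),
                          "module": _basename(m["module"]), "vendor": _vendor(m["desc"])})
            continue
        m = SSDT_UNRESOLVED.match(line)
        if m:
            hooks.append({"kind": "SSDT", "function": m["func"], "addr": m["addr"].upper(),
                          "module": None, "vendor": None})
            continue
        m = IAT_LINE.match(line)
        if m:
            hooks.append({"kind": "IAT", "function": m["imp"].split("!")[-1],
                          "addr": m["addr"].upper(), "module": _basename(m["module"]),
                          "vendor": _vendor(m["desc"]), "victim": _basename(m["victim"])})
    return hooks


def triage(hooks, known_vendors=KNOWN_SECURITY_VENDORS):
    """Split hooks into review buckets: address-only hooks, hooks owned by modules
    from vendors that are not installed security products, and the rest."""
    unresolved = []
    unknown_owner = defaultdict(set)
    known_security = defaultdict(set)
    for h in hooks:
        if h["module"] is None:
            unresolved.append((h["function"], h["addr"]))
        elif h["vendor"] in known_vendors:
            known_security[h["module"]].add(h["function"])
        else:
            unknown_owner[h["module"]].add(h["function"])
    # Sorted lists make the result deterministic and easy to diff between two runs.
    return {
        "unresolved": sorted(unresolved),
        "unknown_owner": {mod: sorted(f) for mod, f in sorted(unknown_owner.items())},
        "known_security": {mod: sorted(f) for mod, f in sorted(known_security.items())},
    }


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    for bucket, entries in result.items():
        print(bucket)
        if isinstance(entries, dict):
            for mod, funcs in entries.items():
                print("  %s: %s" % (mod, ", ".join(funcs)))
        else:
            for func, addr in entries:
                print("  %s -> %s" % (func, addr))
```

Running the same parser over a log taken before and after a product is uninstalled, and diffing the two results, is the mechanical form of the elimination thewall is doing by hand: hooks that disappear belong to the removed product, and whatever remains in the address-only and unknown-owner buckets is what still needs an explanation. A hook that no driver image owns cannot be accounted for by an installed product, which is why that bucket is looked at first; it is a lead, not a verdict.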

#39 thewall (Malware Response Team)
Posted 10 November 2009 - 06:52 PM

There is a little bit of a hold-up until I can get back with the next thing to do. I have someone else who has been looking at this and they are tied up right now. Just as soon as I can get with them I'll be back.

#40 thewall (Malware Response Team)
Posted 11 November 2009 - 12:47 AM

I need for you to check the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    C:\WINDOWS\System32\drivers\dsload.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#41 Kshil (Member)
Posted 11 November 2009 - 04:11 AM

Here is the logfile of systemlook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:09 on 11/11/2009 by ibm (Administrator - Elevation successful)

========== file ==========

C:\WINDOWS\System32\drivers\dsload.sys - File found and opened.
MD5: 705C97D75906D865CD5C2F42265AC93E
Created at 04:36 on 18/06/2008
Modified at 02:41 on 30/01/2006
Size: 10910 bytes
Attributes: --a---
FileDescription: Desktop Sharing Grabber Loader
FileVersion: 4.06.377
ProductVersion: 4.06
OriginalFilename: dsload.sys
InternalName: dsload
ProductName: Desktop Sharing Run-Time
CompanyName: Oracle Corp.
LegalCopyright: Copyright © 2001 Oracle Corp.

-=End Of File=-

#42 thewall (Malware Response Team)
Posted 11 November 2009 - 08:49 AM

Run this file through Jotti for me:

If Jotti gives you a reply like the one quoted below, click on the button below the notice to "Scan Again".

Quote: This file has been scanned before. The results for this previous scan are listed below.

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\System32\drivers\dsload.sys
Click Submit.
Please post the results of this scan to this thread.

#43 Kshil (Member)
Posted 11 November 2009 - 09:59 AM

Here is the log:

Jotti's malware scan
Filename: dsload.sys
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Wed 11 Nov 2009 15:53:30 (CET) Permalink


Additional info
File size: 10910 bytes
Filetype: PE32 executable for MS Windows (DLL) (native) Intel 80386 32-bit
MD5: 705c97d75906d865cd5c2f42265ac93e
SHA1: 33162c030fa7d17fe910ad9100722cc1a0f848fc
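SystemLook reported the MD5 of dsload.sys in upper case and Jotti in lower case; the two agree, and Jotti's file type line says the file is a 32-bit PE marked as a DLL with the native subsystem, which is what a kernel driver looks like. The script below is an added example, not from the thread and not SystemLook's or Jotti's code, showing how to reproduce that check locally: hash a file with MD5 and SHA-1, compare a reported digest case-insensitively, and read enough of the PE header to rebuild the "PE32 / DLL / native / Intel 80386" classification. Because the driver itself is not available here, the sample input is a constructed header-only PE image; the only real data are the hash strings posted above. A zero-detection result from a multi-scanner says only that no scanner flagged the file, which is why a helper still asks for the sample when the vendor string is unfamiliar.

```python
import hashlib
import hmac
import struct

# Hash values as reported in the thread: SystemLook (upper case) and Jotti (lower case).
SYSTEMLOOK_MD5 = "705C97D75906D865CD5C2F42265AC93E"
JOTTI_MD5 = "705c97d75906d865cd5c2f42265ac93e"
JOTTI_SHA1 = "33162c030fa7d17fe910ad9100722cc1a0f848fc"

# PE header constants (from the PE/COFF specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SUBSYSTEM_NAMES = {1: "native", 2: "Windows GUI", 3: "Windows console"}


def file_hashes(data):
    """MD5 and SHA-1 hex digests of a byte string, as SystemLook and Jotti print them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hashes_match(reported, computed):
    """Compare two hex digests regardless of case, in constant time."""
    return hmac.compare_digest(reported.strip().lower(), computed.strip().lower())


def classify_pe(data):
    """Describe a PE image: format, machine, DLL flag and subsystem.

    Raises ValueError if the buffer lacks the MZ/PE signatures or has an unknown
    optional-header magic.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _nsect, _ts, _symtab, _nsym, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "machine": "Intel 80386 32-bit" if machine == IMAGE_FILE_MACHINE_I386 else "0x%04x" % machine,
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def describe(data):
    """One-line summary in the style of Jotti's 'Filetype' field."""
    info = classify_pe(data)
    parts = [info["format"], "executable for MS Windows"]
    if info["dll"]:
        parts.append("(DLL)")
    parts.append("(%s)" % info["subsystem"])
    parts.append(info["machine"])
    return " ".join(parts)


def make_minimal_pe(machine=IMAGE_FILE_MACHINE_I386, characteristics=IMAGE_FILE_DLL, subsystem=1):
    """Constructed test input: a header-only PE32 image, not a real driver."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)  # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = make_minimal_pe()
    md5, sha1 = file_hashes(sample)
    print("Filetype:", describe(sample))
    print("MD5:", md5, "SHA1:", sha1)
    print("SystemLook and Jotti MD5 agree:", hashes_match(SYSTEMLOOK_MD5, JOTTI_MD5))
```

To check a real file, pass `open(path, "rb").read()` to `file_hashes` and `describe`, and compare the MD5 you compute with the one a scanner reports using `hashes_match`; the case normalisation matters because tools disagree on it, as the two posts above show. Two reports with matching digests are talking about the same bytes, but they say nothing about whether those bytes are benign.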

#44 thewall (Malware Response Team)
Posted 11 November 2009 - 01:47 PM

Sorry if this seems long and drawn out, but there were some items showing in your logs that we need to check out more closely. Hopefully after this we can move on along.

Please visit the following link and find the file you checked out before, which I put below, by browsing to it. Also copy and paste the link to this topic and just make a note that thewall requested the upload. Let me know when you finish.

http://www.bleepingcomputer.com/submit-mal....php?channel=28

C:\WINDOWS\System32\drivers\dsload.sys

#45 Kshil (Member)
Posted 12 November 2009 - 10:55 AM

thewall,

The file is submitted, and please accept my deepest thanks for helping me out for so long. I never lose patience and am ready to continue until you reach a logical conclusion.

This post has been edited by thewall: 12 November 2009 - 11:11 AM

