
TDSS.z Rootkit + Packed.Monder + Google re-direct


This topic is locked. 36 replies to this topic.

#1 bmoc

  • Members
  • 19 posts

Posted 23 September 2009 - 10:06 PM

A little over a week ago, I started having a Google re-direct problem in IE. Using all the tools out there, I have found (but can't fix) the problem.

Kaspersky online scan detects Packed.win32.TDSS.z. AVG 8.5 finds both IE and explorer.exe to be infected with Packed.Monder. Malwarebytes detects Rootkit.TDSS and believes it fixes it, but it's not fixed.

My DDS log is below. Attach.txt from DDS is attached. RootRepeal gets stuck on initialization, so no log to post.

Any help is greatly appreciated.

------

DDS (Ver_09-07-30.01) - NTFSx86
Run by at 22:15:55.57 on Wed 09/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.363 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229560335875
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - hxxp://ftp.us.dell.com/fixes/PROFILER.CAB
DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.7634953704
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brendan\applic~1\mozilla\firefox\profiles\knq2sniq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-26 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-11-13 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-13 394952]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 FHOLZBPL;FHOLZBPL;\??\c:\windows\system32\fholzbpl.okg --> c:\windows\system32\fholzbpl.okg [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2004-5-1 114016]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2004-5-1 565248]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2003-7-24 131776]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2002-4-16 39680]
S3 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\tivobeacon.exe --> c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [?]

=============== Created Last 30 ================

2009-09-23 22:12 359,932 a------- c:\temp\dds.scr
2009-09-23 19:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-09-23 19:32 60,118,704 a------- c:\temp\kav2010_9.0.0.463EN.exe
2009-09-23 14:16 <DIR> --d----- c:\temp\td_sskiller
2009-09-23 14:12 97,290 a------- c:\temp\td_sskiller.zip
2009-09-23 13:48 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-23 13:48 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-23 13:37 714,528 a------- c:\temp\JavaSetup6u16.exe
2009-09-21 23:57 <DIR> --d----- c:\temp\gmer
2009-09-21 23:55 280,419 a------- c:\temp\gmer.zip
2009-09-21 13:19 278,927,592 a------- c:\temp\WindowsXP-KB835935-SP2-ENU.exe
2009-09-21 13:00 <DIR> --d----- c:\program files\pebuilder3110a
2009-09-21 12:57 3,306,678 a------- c:\temp\pebuilder3110a.exe
2009-09-20 23:49 229,888 a------- c:\windows\PEV.exe
2009-09-20 23:49 161,792 a------- c:\windows\SWREG.exe
2009-09-20 23:49 98,816 a------- c:\windows\sed.exe
2009-09-20 22:49 <DIR> --d----- c:\program files\Trend Micro
2009-09-20 21:18 3,316,998 a----r-- c:\temp\ComboFix.exe
2009-09-20 19:44 <DIR> --d----- c:\program files\CCleaner
2009-09-20 19:42 3,293,992 a------- c:\temp\ccsetup223.exe
2009-09-20 19:34 <DIR> --d----- c:\temp\JavaRa
2009-09-20 19:28 71,798 a------- c:\temp\JavaRa.zip
2009-09-20 18:52 <DIR> --d----- c:\temp\RootRepeal
2009-09-20 18:49 464,491 a------- c:\temp\RootRepeal.zip
2009-09-19 16:41 <DIR> a-dshr-- C:\cmdcons
2009-09-19 15:15 <DIR> --d----- c:\docume~1\brendan\applic~1\Malwarebytes
2009-09-19 15:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 15:14 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-19 15:00 4,045,528 a------- c:\temp\mbam-setup.exe
2009-09-19 14:58 50,688 a------- c:\temp\ATF-Cleaner.exe
2009-09-18 23:43 <DIR> --d----- c:\temp\Hijack files
2009-09-18 23:24 812,344 a------- c:\temp\HJTInstall.exe
2009-09-17 21:59 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-23 19:58 198,584,352 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-23 19:58 2,328,020 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-26 18:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 18:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 19:03 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-18 12:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 09:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-26 12:18 474,112 a------- c:\windows\system32\dllcache\shlwapi.dll
2009-06-26 12:18 1,054,208 -------- c:\windows\system32\dllcache\danim.dll
2009-06-26 12:18 1,023,488 -------- c:\windows\system32\dllcache\browseui.dll
2009-06-26 12:18 151,040 -------- c:\windows\system32\dllcache\cdfview.dll

============= FINISH: 22:20:51.70 ===============



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 September 2009 - 04:01 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 bmoc
  • Topic Starter

  • Members
  • 19 posts

Posted 24 September 2009 - 10:50 PM

I appreciate the quick reply!

As requested, here is the ComboFix log. Thanks for your help.

-----

ComboFix 09-09-23.02 - Brendan 09/24/2009 22:55.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.572 [GMT -4:00]
Running from: c:\documents and settings\Brendan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-25 02:38 . 2009-09-25 02:38 3318656 ----a-w- c:\temp\ComboFix.exe
2009-09-24 02:12 . 2009-09-24 02:12 359932 ----a-w- c:\temp\dds.scr
2009-09-23 23:33 . 2009-09-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-23 23:32 . 2009-09-23 23:32 60118704 ----a-w- c:\temp\kav2010_9.0.0.463EN.exe
2009-09-23 18:16 . 2009-09-23 18:18 -------- d-----w- c:\temp\td_sskiller
2009-09-23 18:12 . 2009-09-23 18:12 97290 ----a-w- c:\temp\td_sskiller.zip
2009-09-23 17:50 . 2009-09-23 17:50 -------- d-----w- c:\windows\Sun
2009-09-23 17:48 . 2009-09-23 17:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-23 17:47 . 2009-09-23 17:47 -------- d-----w- c:\program files\Java
2009-09-23 17:37 . 2009-09-23 17:37 714528 ----a-w- c:\temp\JavaSetup6u16.exe
2009-09-22 03:57 . 2009-09-22 03:57 -------- d-----w- c:\temp\gmer
2009-09-22 03:55 . 2009-09-22 03:55 280419 ----a-w- c:\temp\gmer.zip
2009-09-21 17:19 . 2009-09-21 17:22 278927592 ----a-w- c:\temp\WindowsXP-KB835935-SP2-ENU.exe
2009-09-21 17:00 . 2009-09-21 23:56 -------- d-----w- c:\program files\pebuilder3110a
2009-09-21 16:57 . 2009-09-21 16:58 3306678 ----a-w- c:\temp\pebuilder3110a.exe
2009-09-21 02:49 . 2009-09-21 02:49 -------- d-----w- c:\program files\Trend Micro
2009-09-20 23:44 . 2009-09-20 23:44 -------- d-----w- c:\program files\CCleaner
2009-09-20 23:42 . 2009-09-20 23:42 3293992 ----a-w- c:\temp\ccsetup223.exe
2009-09-20 23:34 . 2009-09-20 23:35 -------- d-----w- c:\temp\JavaRa
2009-09-20 23:28 . 2009-09-20 23:28 71798 ----a-w- c:\temp\JavaRa.zip
2009-09-20 22:52 . 2009-09-20 22:52 -------- d-----w- c:\temp\RootRepeal
2009-09-20 22:49 . 2009-09-20 22:49 464491 ----a-w- c:\temp\RootRepeal.zip
2009-09-19 19:15 . 2009-09-19 19:15 -------- d-----w- c:\documents and settings\Brendan\Application Data\Malwarebytes
2009-09-19 19:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 19:14 . 2009-09-19 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 19:14 . 2009-09-19 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 19:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 19:00 . 2009-09-19 19:01 4045528 ----a-w- c:\temp\mbam-setup.exe
2009-09-19 18:58 . 2009-09-19 18:58 50688 ----a-w- c:\temp\ATF-Cleaner.exe
2009-09-19 03:43 . 2009-09-19 05:07 -------- d-----w- c:\temp\Hijack files
2009-09-19 03:24 . 2009-09-19 03:24 812344 ----a-w- c:\temp\HJTInstall.exe
2009-09-18 01:59 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 02:29 . 2008-11-13 12:15 2328020 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-25 02:29 . 2008-11-13 12:15 198584352 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-24 11:20 . 2004-07-17 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-19 05:40 . 2004-06-29 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-09-19 02:33 . 2008-12-17 02:26 -------- d-----w- c:\documents and settings\Brendan\Application Data\Azureus
2009-09-18 00:52 . 2004-06-29 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 00:06 . 2002-11-13 15:02 68288 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 22:42 . 2008-09-27 02:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 22:42 . 2008-09-27 02:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 22:42 . 2008-09-27 02:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 21:45 . 2009-08-22 21:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 01:56 . 2009-08-10 01:56 -------- d-----w- c:\program files\DVDFab 6
2009-08-05 09:11 . 2005-02-26 11:25 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 11:56 . 2008-12-17 02:25 -------- d-----w- c:\program files\Vuze
2009-07-17 18:55 . 2002-11-19 02:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-09-22 23:46 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-06-23 15:33 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-09-02 16:36 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-18 13:00 17408 ----a-w- c:\windows\system32\corpol.dll
2008-07-22 20:22 . 2006-06-26 18:20 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-22 20:22 . 2006-06-26 18:20 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-22 20:22 . 2007-09-11 16:36 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-22 20:22 . 2007-09-11 16:37 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-22 20:22 . 2006-06-26 18:20 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-30 282624]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-26 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-23 149280]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 22:42 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/26/2008 10:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/26/2008 10:06 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/26/2008 10:06 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/4/2009 9:33 PM 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S2 FHOLZBPL;FHOLZBPL;\??\c:\windows\System32\fholzbpl.okg --> c:\windows\System32\fholzbpl.okg [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [5/1/2004 10:39 AM 114016]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [5/1/2004 10:39 AM 565248]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\SYSTEM32\DRIVERS\STVqx3.SYS [7/24/2003 7:34 PM 131776]
S3 suscom;Susteen Serial port driver;c:\windows\SYSTEM32\DRIVERS\suscom.sys [4/16/2002 10:17 AM 39680]
S3 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe --> c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brendan\Application Data\Mozilla\Firefox\Profiles\knq2sniq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 23:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???0???X???????????0???P???? ?w? ?w)??p????????(???w????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FHOLZBPL]
"ImagePath"="\??\c:\windows\System32\fholzbpl.okg"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1260927497-1163395192-3403473811-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1096)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\bxdsixtb\bxdsixtb\tdlwsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Dell\Dell File Manager\CTDFM.DLL
c:\program files\Dell\Dell File Manager\DFMHK.dll
c:\program files\Dell\Dell File Manager\CTDFMRES.DLL
.
Completion time: 2009-09-25 23:34
ComboFix-quarantined-files.txt 2009-09-25 03:34

Pre-Run: 6,865,276,928 bytes free
Post-Run: 7,111,147,520 bytes free
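The DDS and ComboFix logs above carry the three indicators that mark this as a TDSS/TDL infection: a service (FHOLZBPL) whose image is an eight-letter random name with a non-driver extension (fholzbpl.okg) that DDS cannot stat ("[?]"); a DLL (tdlwsp.dll) loaded into explorer.exe from a `\\?\globalroot\Device\Ide\...` path, which is not a file-system path at all but storage the rootkit hides from the file system; and registry values that switch off Security Center monitoring and the Windows Firewall policy. As an added example for this thread (not code from DDS, ComboFix, MBAM or either poster), the Python script below scans log lines of that format for those indicators. The sample lines are copied from the logs in this thread plus benign entries for contrast; the rule names, the severities and the eight-letter random-name heuristic are this example's own assumptions.

```python
"""Triage helper for DDS / ComboFix / MBAM log lines.

Added example for this thread, not code from DDS, ComboFix, MBAM or the
original posters.  Rule names, severities and the 8-letter random-name
heuristic are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# "S2 NAME;DISPLAY;IMAGE [date size]" is how DDS and ComboFix list services/drivers.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# A module under \\?\globalroot\Device\... is served from storage the rootkit
# hides from the file system, so no normal file-system path exists for it.
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\\device\\\S+", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$', re.IGNORECASE)
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.IGNORECASE)
EXPECTED_EXT = {".sys", ".exe", ".dll"}       # what a service image normally is
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")   # heuristic for FHOLZBPL-style names


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "high" = treat as infection, "low" = review only
    detail: str
    line: str


def image_path(raw: str) -> str:
    """Reduce a DDS/ComboFix image field to a lower-case path with extension."""
    raw = raw.split(" --> ")[0].strip()        # keep the registry-side value
    raw = re.sub(r"\s+\[[^\]]*\]$", "", raw)   # drop trailing "[date size]" / "[?]"
    if raw.startswith("\\??\\"):                # NT object-manager prefix
        raw = raw[4:]
    # cut service arguments such as "-service"; assumes no '.' inside directory names
    m = re.match(r"^(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)", raw)
    return (m.group(1) if m else raw).lower()


def check_image(path: str, line: str, name: str = "", display: str = "") -> List[Finding]:
    """Flag an image with an odd extension or a TDSS-style random 8-letter name."""
    out = []
    filename = path.rsplit("\\", 1)[-1]
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    if "." + ext not in EXPECTED_EXT:
        out.append(Finding("service_unusual_extension", "high", path, line))
    if name and name.lower() == display.lower() == stem and RANDOM_NAME_RE.match(stem):
        out.append(Finding("service_random_name", "medium", name, line))
    return out


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        m = GLOBALROOT_RE.search(line)
        if m:
            findings.append(Finding("globalroot_module", "high", m.group(0), line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, display, image = m.groups()
            findings += check_image(image_path(image), line, name, display)
            continue
        m = IMAGEPATH_RE.match(line)
        if m:
            findings += check_image(image_path(m.group(1)), line)
            continue
        # Third-party AV/firewall suites set these too, so they only prompt a review.
        if DISABLE_MON_RE.match(line):
            findings.append(Finding("security_center_monitoring_disabled", "low", line, line))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_policy_off", "low", line, line))
    return findings


def summarize(findings) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample: lines copied from the logs in this thread plus benign entries.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-26 335240]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 FHOLZBPL;FHOLZBPL;\??\c:\windows\system32\fholzbpl.okg --> c:\windows\system32\fholzbpl.okg [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
"ImagePath"="\??\c:\windows\System32\fholzbpl.okg"
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\bxdsixtb\bxdsixtb\tdlwsp.dll
\\?\globalroot\Device\Ide\IdePort1\cccimuec\cccimuec\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.rule:<36} {f.detail}")
```

Two points worth noting when reading the output. The directory name inside the globalroot path differs between the ComboFix log (bxdsixtb) and the MBAM log (cccimuec), so the robust match is the fixed `\\?\globalroot\Device\` prefix rather than the full path; that same fact is why MBAM's "Delete on reboot" on that path does not stick. The Security Center and firewall-policy rules are deliberately "low": AVG and ZoneAlarm legitimately register themselves by setting DisableMonitoring, so those lines call for a look at which product set them, not for a verdict on their own.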


#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 September 2009 - 07:25 AM

Are you still being redirected now?


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
========================================================

#5 bmoc


Posted 25 September 2009 - 05:08 PM

Yes, I'm still having the problem, both before and after the Malwarebytes scan.

In case it's useful to know, the re-direct often fails. The initial part of the resulting URL is hxxp://z43523673.cn/, followed by hundreds of characters.

I updated Malwarebytes. I ran a Full Scan, then allowed it to remove the infections. I rebooted the computer as requested.

After rebooting, I still have the Google re-direct problem, and a quick scan in Malwarebytes shows the same problem.

Here is the Malwarebytes log (Full Scan). The partial Quick Scan log is at the bottom.

Thanks for helping me with this puzzle.

-----

Full Scan log

Malwarebytes' Anti-Malware 1.41
Database version: 2859
Windows 5.1.2600 Service Pack 2

9/25/2009 5:41:42 PM
mbam-log-2009-09-25 (17-41-41).txt

Scan type: Full Scan (C:\|F:\|G:\|H:\|)
Objects scanned: 311909
Time elapsed: 2 hour(s), 25 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\cccimuec\cccimuec\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\cccimuec\cccimuec\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

-----

Quick Scan log

Malwarebytes' Anti-Malware 1.41
Database version: 2859
Windows 5.1.2600 Service Pack 2

9/25/2009 5:57:36 PM
mbam-log-2009-09-25 (17-57-03).txt

Scan type: Quick Scan
Objects scanned: 6458
Time elapsed: 1 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\tuwpseqe\tuwpseqe\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\tuwpseqe\tuwpseqe\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

#6 Buckeye_Sam

Malware Expert

Posted 26 September 2009 - 12:25 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 bmoc


Posted 26 September 2009 - 09:26 PM

RootRepeal will not work.

After I run it, it says "Initializing, please wait" for a long time. Then I get a blue screen crash. The error on the blue screen is IRQL_NOT_LESS_OR_EQUAL, then the physical memory gets dumped.

#8 Buckeye_Sam

Malware Expert

Posted 27 September 2009 - 12:28 PM

Let's try this instead.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.


#9 bmoc


Posted 27 September 2009 - 09:00 PM

GMER log, as requested.


-----

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-27 21:57:50
Windows 5.1.2600 Service Pack 2
Running: inn1u9yg.exe; Driver: C:\DOCUME~1\Brendan\LOCALS~1\Temp\kfdiapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF3ED8040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF3ED4930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF3EDFA80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF3ED8510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF3EDE870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF3EDEAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF3EE1FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF3ED8600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF3ED4F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF3EE06E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF3EE0440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF3EDE580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF3EE08B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF3ED4D70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF3EDE350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF3EDE150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF3EE1250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF3EE0CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF3ED7C00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF3EE1080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF3ED8220]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF3ED5120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF3EE0140]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF3EDECD0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [10, 85, ED, F3, 70, E8, ED, ...]
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1336] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2992] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EDCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EDCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3EDCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F3EEA330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EDCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3EDCCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EDCE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3EDD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3EDD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F3ED5670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F3ED55C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F3ED5770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F3ED52D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\cxgoilvp\cxgoilvp\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [432] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\cxgoilvp\cxgoilvp\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2992] 0x10000000

---- EOF - GMER 1.0.15 ----
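An added example, not part of the thread or of MBAM/GMER themselves, that pulls the one indicator these logs share out of the noise: a module loaded from a `\\?\globalroot\Device\Ide\IdePortN\<x>\<x>\` path rather than a drive-letter path, as in the MBAM logs in post #5 and the GMER "Processes" section above. The sample log is constructed, modelled on those lines; the random directory names and the "reappeared" heuristic are the points it demonstrates.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the MBAM and GMER lines posted in this thread
# (not the original logs verbatim). Three scans, three different random directories.
SAMPLE_LOG = r"""
Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\cccimuec\cccimuec\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\Device\Ide\IdePort1\tuwpseqe\tuwpseqe\tdlwsp.dll (Rootkit.TDSS) -> No action taken.
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\Ide\IdePort1\cxgoilvp\cxgoilvp\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [432] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\cxgoilvp\cxgoilvp\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2992] 0x10000000
Library C:\WINDOWS\system32\IEFRAME.dll @ C:\Program Files\Internet Explorer\iexplore.exe [2992] 0x3E1D0000
"""

# A module served from \\?\globalroot\Device\Ide\IdePortN\<dir>\<dir>\ has no normal
# file-system path: it is delivered through the IDE port device object, so deleting a
# file by path does not reach the component that loads it again at the next boot.
GLOBALROOT_RE = re.compile(
    r"\\\\\?\\globalroot\\Device\\Ide\\IdePort(?P<port>\d+)"
    r"\\(?P<dir>[A-Za-z0-9]+)\\(?P=dir)\\(?P<module>[\w.]+)"
)
HIDDEN_RE = re.compile(r"\(\*\*\* hidden \*\*\* ?\)")      # GMER's hidden-object marker
HOST_RE = re.compile(r"@ (?P<host>.+?) \[(?P<pid>\d+)\]")  # "@ <process> [<pid>]"


@dataclass(frozen=True)
class Finding:
    module: str
    random_dir: str
    hidden: bool
    host: Optional[str]   # process the module is mapped into (GMER lines only)
    pid: Optional[int]
    line: str


def parse_findings(log_text: str) -> list[Finding]:
    """Return every line that references a globalroot-served module."""
    findings = []
    for line in log_text.splitlines():
        m = GLOBALROOT_RE.search(line)
        if not m:
            continue
        h = HOST_RE.search(line)
        findings.append(Finding(
            module=m.group("module"),
            random_dir=m.group("dir"),
            hidden=bool(HIDDEN_RE.search(line)),
            host=h.group("host") if h else None,
            pid=int(h.group("pid")) if h else None,
            line=line.strip(),
        ))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Collapse the findings into what a responder actually wants to know."""
    modules = list(dict.fromkeys(f.module for f in findings))
    dirs = list(dict.fromkeys(f.random_dir for f in findings))
    hosts = list(dict.fromkeys(f.host for f in findings if f.host))
    return {
        "modules": modules,
        "random_dirs": dirs,
        "hosts": hosts,
        "hidden_injections": sum(1 for f in findings if f.hidden),
        # The same module under a fresh random directory in each successive scan means
        # the quarantine removed only the copy that was visible, not its loader.
        "reappeared_after_deletion": len(modules) == 1 and len(dirs) > 1,
    }


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for f in found:
        print(f"{f.module} dir={f.random_dir} hidden={f.hidden} host={f.host} pid={f.pid}")
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
```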

#10 Buckeye_Sam

Malware Expert

Posted 28 September 2009 - 07:27 AM

You've got a very new and quite nasty rootkit infection here.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 bmoc


Posted 28 September 2009 - 11:58 AM

SystemLook log, as requested. Thanks for sticking with me on this.

-----


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:51 on 28/09/2009 by Brendan (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
No files found.

-=End Of File=-

#12 Buckeye_Sam

Malware Expert

Posted 28 September 2009 - 06:21 PM

This one is a real stinker.

Open Notepad and then copy the text below into it.
Go to File > save as and name the file check.bat, change the Save as type to all files and save it to your desktop.

Pev -filelook %windir%\intelide.sys or %windir%\PCIIDEX.SYS or %windir%\pciide.sys >filelook.txt
start filelook.txt
del %0

Double-click on check.bat and post the resulting log.

#13 bmoc


Posted 28 September 2009 - 09:51 PM

Here is the log from check.bat, as requested.

-----

---- C:\WINDOWS\$NtServicePackUninstall$\intelide.sys ----
Company: Microsoft Corporation
File Description: Intel PCI IDE Driver
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: intelide.sys
File Size: 4736
Created Time: 2006-09-02 18:59:32
Modified Time: 2002-08-29 08:27:48
Accessed Time: 2009-09-29 02:42:51
MD5: 3049227DA71A4A68515DCDCE3030EACD
SHA1: 71CEA67EE9E7B9547BE4CC01E5E864CD00FA9D23
SHA224: 7B8CFE373B9EE294B5A6B49767E8D8F72461392958CB1C67E64444DF
SHA256: 191A0256B14662EC7EDA0D4F65C87106B48C97F039D7212BDCD2C848D9F2DD61
SHA384: 0790350BDCF48881A80455E87493CCA046B44358D76A9783654F70847A659B068DAC0C0029148BAE4CAE1B742716C493
SHA512: 1FCEB519470DF17AF17259CE668F30CF3CDF455C9EC8AACAA25036D8EF558198BFE326B56DFC46D05D6566F0E9F601BBDA6A848741352579D73D7F7FD26CAFC6
---- C:\WINDOWS\$NtServicePackUninstall$\pciidex.sys ----
Company: Microsoft Corporation
File Description: PCI IDE Bus Driver Extension
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: pciidex.sys
File Size: 23680
Created Time: 2006-09-02 18:59:31
Modified Time: 2002-08-29 08:27:48
Accessed Time: 2009-09-29 02:42:51
MD5: 146D37A214304BD3432CFD3360FF067F
SHA1: 025917A97BC4BA317DD285A8F5A574277B4A29D8
SHA224: DAF22816BC04F3E76B9920F6768D547C06DE3BD58ACFBA24703A4DFB
SHA256: E5F41143F354D37FB4DB8B7AF781720EECC241A9B9844D188E6070CE05E28711
SHA384: 32EF9C4FD65BB42CF44CCF0FB80BCA0F524085B512DF1048180F87A6A95105672D035DAD4CA67DCCD6123FFE9746E8F5
SHA512: FE4003503110E1E26543ED4254E46B99B53243D4D188F3DCE1411707AD77D44A52B24AFEE93365EB6066FC3A0BC3F69C9FE0DDDD71411BB18B3276C12C1DE3C8
---- C:\WINDOWS\ServicePackFiles\i386\intelide.sys ----
Company: Microsoft Corporation
File Description: Intel PCI IDE Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: intelide.sys
File Size: 5504
Created Time: 2002-11-19 02:51:21
Modified Time: 2004-08-04 05:59:41
Accessed Time: 2009-09-29 02:43:12
MD5: 2D722B2B54AB55B2FA475EB58D7B2AAD
SHA1: 1B11BAB0A161EDED14444E653724204ABBD52CF4
SHA224: CBC5C618318E5136199F10A81D3B681A54A52373028C641879609440
SHA256: 1D4BB8F3ABA0EE51EE9F398E383621882189ABCA63D7F0D8A16581AFD1A85553
SHA384: 376AAFA48CB444E6317442DDBA98AEEC032BAF1A6B10B2F9B49DE543A713EB421DE86C81D243B0634DD9DBBCD90BD4D2
SHA512: 639445C468D046374264760B07B7288730A99008EB7C767898B18A8F7E01C405DB5352BD0CA2762B93D805996AC6A9C93E3317DD0D0DE1AB34A2B5112434E971
---- C:\WINDOWS\ServicePackFiles\i386\pciidex.sys ----
Company: Microsoft Corporation
File Description: PCI IDE Bus Driver Extension
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: pciidex.sys
File Size: 25088
Created Time: 2002-11-19 02:55:55
Modified Time: 2004-08-04 05:59:41
Accessed Time: 2009-09-29 02:43:12
MD5: 520B91AB011456B940D9B05FC91108FF
SHA1: 3F7E938CF8E02698448F7BBCB6CB024C46970584
SHA224: 41B27F38AE80EC7B76E692B080B67D096EBEB6B551FCF4E8D3DDE85E
SHA256: 292FFFAE45E081BEBA2BA782944BE207EEDF8842A281145656BB37CBF08784CC
SHA384: 27D11F6BAE5CEF2F1205E1600AF0A185A4F004DEB9797132F515A7E7008155FD1FA711A532859B15C7517CE99C83383D
SHA512: B06DC18375C8D183130A702B4F00AE9978B551D7686B9B37E0D8C57B19C5143AD7F38BD06D3E29C9783EC9830ECA264056CEF61CF558EEF311AE167DBD92A359
---- C:\WINDOWS\SYSTEM32\DLLCACHE\pciide.sys ----
Company: Microsoft Corporation
File Description: Generic PCI IDE Bus Driver
File Version: 5.1.2600.0 (XPClient.010817-1148)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: pciide.sys
File Size: 3328
Created Time: 2002-11-13 14:50:21
Modified Time: 2001-08-17 19:51:52
Accessed Time: 2009-09-29 02:43:14
MD5: CCF5F451BB1A5A2A522A76E670000FF0
SHA1: DD1A94969B0B66FF72E39107E297BFFE23781CBD
SHA224: 4DFF354E772B40DD3D843F890E7B371D85CD14984EA6D7E76215429D
SHA256: D63F7E5A39653EC9CCE94B7D84B2D3EBD4F54533BD65701020198724042C9257
SHA384: 4D284C11501BB5EB5ACF9E2925DEEF336B6870DA19E31FBDBB6D48E3876A3890F9EA1E8C69C3E78D29F03943ED9ED9C9
SHA512: E124FA9B9BC0686258659496C36CAA3C6CEC67778EE179368E2A6C1C68332715F097D9B936BB97CACEAC132EC8071EE7EC60CDAA121538DC65139A465E2FA8C8
---- C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys ----
Company: Microsoft Corporation
File Description: Intel PCI IDE Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: intelide.sys
File Size: 5504
Created Time: 2001-08-17 19:51:48
Modified Time: 2004-08-04 05:59:41
Accessed Time: 2009-09-29 02:43:14
MD5: 2D722B2B54AB55B2FA475EB58D7B2AAD
SHA1: 1B11BAB0A161EDED14444E653724204ABBD52CF4
SHA224: CBC5C618318E5136199F10A81D3B681A54A52373028C641879609440
SHA256: 1D4BB8F3ABA0EE51EE9F398E383621882189ABCA63D7F0D8A16581AFD1A85553
SHA384: 376AAFA48CB444E6317442DDBA98AEEC032BAF1A6B10B2F9B49DE543A713EB421DE86C81D243B0634DD9DBBCD90BD4D2
SHA512: 639445C468D046374264760B07B7288730A99008EB7C767898B18A8F7E01C405DB5352BD0CA2762B93D805996AC6A9C93E3317DD0D0DE1AB34A2B5112434E971
---- C:\WINDOWS\SYSTEM32\DRIVERS\pciide.sys ----
Company: Microsoft Corporation
File Description: Generic PCI IDE Bus Driver
File Version: 5.1.2600.0 (XPClient.010817-1148)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: pciide.sys
File Size: 3328
Created Time: 2002-11-13 14:50:21
Modified Time: 2001-08-17 19:51:52
Accessed Time: 2009-09-29 02:43:14
MD5: CCF5F451BB1A5A2A522A76E670000FF0
SHA1: DD1A94969B0B66FF72E39107E297BFFE23781CBD
SHA224: 4DFF354E772B40DD3D843F890E7B371D85CD14984EA6D7E76215429D
SHA256: D63F7E5A39653EC9CCE94B7D84B2D3EBD4F54533BD65701020198724042C9257

#14 Buckeye_Sam

Buckeye_Sam
    Malware Expert

Posted 29 September 2009 - 07:42 AM

Let me just share some info with you as we proceed through this. You have a brand new variant of the TDSS rootkit infection. This one is really dug in deep, and as of right now the process for removing it is still being developed. Have faith that there are many security experts working behind the scenes on this infection that you (and others) have. Right now we are trying to gather as much info as we can to determine how it's hooked into your system. Once we understand that, then we can develop a removal process. That being said, this may take some time. You may want to consider backing up any personal files that you don't want to lose in case a format becomes the best solution. And also I would advise that you minimize the use of this computer as much as possible and keep it disconnected from the Internet as much as possible.

I'd like to gather some more information.
Download and run SysInspector:
http://www.eset.com/download/sysinspector.php
Once it opens, go to File (top right) > Generate > Suitable for sending.
When it's finished, go to File > Save log.
It will save a compressed file (zip).
Please attach that file to your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 bmoc

bmoc
    Topic Starter

Posted 29 September 2009 - 09:30 AM

Thanks for the info. Now I don't feel so bad I couldn't resolve this on my own. (I did computer help desk work a long, long time ago.)

Does anybody know if there is more to this infection than a search engine re-direct? (It's more than a Google re-direct for me - I found out last night it re-directs me when using Bing also.) If that's all it is, it's just an inconvenience. If there's a keylogger, or I'm now part of a botnet, that's another story.

Thanks for your help. I know others are grateful as well. I've received PMs from others with similar infections. They're watching what we do and tracking our progress.

I'll run sysinspector and post the log tonight.



