
Some kind of infection on a Vista SP2 box. Fresh install only weeks ago


  • This topic is locked
2 replies to this topic

#1 alexmac9

  • Members
  • 4 posts

Posted 09 October 2009 - 08:14 AM

*UPDATE*
SuperAntiSpyware scan turned up "Trojan.Dropper/Gen"
***UPDATE***
The trojan was a false positive

Hi there
Last time I got infected I didn't go about getting help in the right way.
I've used Vista for over a year now, so I'd like to think I know when something is not right.
However, I can't be sure - so whatever the outcome, hopefully I'll be able to expand my knowledge to prevent this happening again and spare you all analyzing my system!
See update ^. If someone could explain to me where this turns up in the logs and how I might have got infected, I would appreciate the information.

Here is my DDS log followed by RootRepeal log:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Alex at 14:05:26.05 on 09/10/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2038.1009 [GMT 1:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Windows\Explorer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Opera\opera.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Users\Alex\AppData\Local\Opera\Opera\temporary_downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\alex\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-9 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-9 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-24 47640]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-6-11 40576]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-9-10 9472]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-9-16 205312]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-6-4 806272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-28 17408]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-7-31 25216]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-9-10 362944]

=============== Created Last 30 ================

2009-10-09 13:54 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-09 13:44 229,888 a------- c:\windows\PEV.exe
2009-10-09 13:44 161,792 a------- c:\windows\SWREG.exe
2009-10-09 13:44 98,816 a------- c:\windows\sed.exe
2009-10-09 13:14 <DIR> --d----- C:\$AVG8.VAULT$
2009-10-09 12:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-09 12:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-09 12:46 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-09 12:46 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-09 12:46 <DIR> --d----- c:\programdata\avg8
2009-10-09 12:46 <DIR> --d----- c:\progra~2\avg8
2009-10-09 11:56 <DIR> --d----- c:\program files\FileASSASSIN
2009-10-09 01:35 808,440 a------- c:\windows\system32\CDDBUI.dll
2009-10-09 01:35 796,152 a------- c:\windows\system32\CDDBControl.dll
2009-10-09 01:35 <DIR> --d----- c:\users\alex\appdata\roaming\SundryTools
2009-10-09 01:35 608,448 a------- c:\windows\system32\COMCTL32.OCX
2009-10-09 01:35 212,240 a------- c:\windows\system32\RICHTX32.OCX
2009-10-09 01:35 67,376 a------- c:\windows\system32\SYSINFO.OCX
2009-10-09 01:35 59,392 a------- c:\windows\system32\wbemdisp.tlb
2009-10-09 01:35 <DIR> --d----- c:\program files\SundryTools
2009-10-09 01:34 258,190 a------- c:\windows\system32\eia-setup.jpg
2009-10-08 01:58 735,744 a------- c:\windows\SYSSAVER1.SCR
2009-10-08 01:58 <DIR> --d----- c:\program files\SysSaver1
2009-10-07 21:13 <DIR> --d----- c:\users\alex\appdata\roaming\Torrent Episode Downloader
2009-10-07 21:13 <DIR> --d----- c:\program files\Torrent Episode Downloader
2009-10-07 21:10 <DIR> --d----- c:\program files\uTorrent
2009-10-07 21:10 <DIR> --d----- c:\users\alex\appdata\roaming\uTorrent
2009-10-05 06:53 <DIR> --d----- c:\programdata\WindowsSearch
2009-10-04 23:58 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-10-04 23:58 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-04 23:57 <DIR> --d----- c:\program files\iPod
2009-10-04 23:57 <DIR> --d----- c:\program files\iTunes
2009-10-04 18:18 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-04 17:16 <DIR> --d----- c:\program files\Microsoft Security Essentials
2009-09-29 13:34 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-28 14:10 <DIR> --d----- C:\Downloads
2009-09-28 14:09 <DIR> --d----- c:\program files\Orbitdownloader
2009-09-28 00:30 <DIR> --d----- C:\AirPhones
2009-09-27 12:23 <DIR> --d----- c:\programdata\Sky
2009-09-27 12:23 <DIR> --d----- c:\program files\Sky
2009-09-27 12:23 <DIR> --d----- c:\program files\Kontiki
2009-09-27 12:23 <DIR> --d----- c:\progra~2\Sky
2009-09-25 15:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-25 15:26 <DIR> --d----- c:\program files\Advanced Port Scanner
2009-09-25 15:21 <DIR> --d----- c:\programdata\Norton
2009-09-25 15:21 <DIR> --d----- c:\progra~2\Norton
2009-09-25 15:21 <DIR> --d----- c:\programdata\Symantec
2009-09-25 15:21 <DIR> --d----- c:\progra~2\Symantec
2009-09-25 15:21 <DIR> --d----- c:\programdata\NortonInstaller
2009-09-25 15:21 <DIR> --d----- c:\progra~2\NortonInstaller
2009-09-24 20:40 93,107,496 a------- c:\users\alex\iTunesSetup.exe
2009-09-24 18:24 <DIR> --d----- c:\windows\PCHEALTH
2009-09-24 18:21 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-09-24 12:05 <DIR> --d----- c:\programdata\LogMeIn
2009-09-24 12:05 <DIR> --d----- c:\progra~2\LogMeIn
2009-09-24 12:04 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-24 12:04 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-24 12:04 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-09-24 12:04 87,352 a------- c:\windows\system32\LMIinit.dll.000.bak
2009-09-24 12:04 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-24 12:04 1,024 a------- C:\.rnd
2009-09-24 12:04 <DIR> --d----- c:\program files\LogMeIn
2009-09-24 11:57 <DIR> --d----- c:\program files\LogMeIn Ignition
2009-09-22 14:44 <DIR> --d----- c:\program files\Sling Media
2009-09-20 15:32 <DIR> --d----- c:\program files\OpenVPN
2009-09-20 15:19 <DIR> --d----- c:\program files\UltraVPN
2009-09-17 18:37 223,232 a------- c:\windows\system32\mswsock (2).dll
2009-09-17 18:27 <DIR> --d----- c:\program files\Trend Micro
2009-09-17 18:03 <DIR> --d----- c:\program files\Technitium
2009-09-17 18:03 140,096 -----r-- c:\windows\system32\COMDLG32.OCX
2009-09-17 18:03 1,071,088 ---s-r-- c:\windows\system32\MSCOMCTL.OCX
2009-09-17 17:34 <DIR> --d----- c:\program files\Jugaari
2009-09-17 13:05 <DIR> --d----- c:\program files\BitLocker
2009-09-17 13:04 711 a------- c:\windows\system32\CPSOKBTasks.xml
2009-09-17 13:04 1,171,848 a------- c:\windows\system32\SecureKeyBackupCPL.dll
2009-09-16 21:40 205,312 a------- c:\windows\system32\drivers\RTL8187.sys
2009-09-16 21:39 <DIR> --d----- c:\program files\REALTEK RTL8187 Wireless LAN Driver
2009-09-16 19:37 87 a---hr-- c:\windows\ctfile.rfc
2009-09-16 19:37 148,480 a------- c:\windows\system32\APOMngr.DLL
2009-09-16 19:37 73,728 a------- c:\windows\system32\CmdRtr.DLL
2009-09-13 01:51 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-13 01:51 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-12 21:39 289,178 a------- C:\iTunes Library.itl
2009-09-12 21:39 12,288 a------- C:\iTunes Library Extras.itdb
2009-09-12 21:38 <DIR> --d----- C:\Album Artwork
2009-09-12 18:27 <DIR> --d----- c:\users\alex\appdata\roaming\IObit
2009-09-12 18:27 <DIR> --d----- c:\program files\IObit
2009-09-12 18:27 <DIR> --d----- c:\programdata\RegCure
2009-09-12 18:27 <DIR> --d----- c:\progra~2\RegCure
2009-09-12 14:43 <DIR> --d----- c:\program files\Cain
2009-09-12 13:51 <DIR> --d----- c:\program files\SopCast
2009-09-11 16:54 <DIR> --d----- c:\programdata\id Software
2009-09-11 16:54 <DIR> --d----- c:\progra~2\id Software
2009-09-11 16:00 <DIR> --d----- c:\program files\VideoLAN
2009-09-11 15:56 <DIR> --d----- c:\program files\FLAC
2009-09-11 14:40 189,784 a------- c:\windows\system32\PnkBstrB.xtr
2009-09-11 14:27 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-11 13:55 139,152 a------- c:\users\alex\appdata\roaming\PnkBstrK.sys
2009-09-11 13:50 2,373,712 a------- c:\windows\system32\pbsvc.exe
2009-09-11 01:15 <DIR> --d----- c:\windows\Panther
2009-09-11 01:03 720,896 a------- c:\windows\iun6002.exe
2009-09-11 01:03 <DIR> --d----- c:\program files\Look@LAN
2009-09-11 01:01 <DIR> --d----- c:\program files\EA Games
2009-09-10 20:19 362,944 a------- c:\windows\system32\drivers\WPN111.sys
2009-09-10 20:19 149,392 a------- c:\windows\system32\drivers\ar5523.bin
2009-09-10 19:43 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-09-10 19:42 <DIR> --d----- c:\program files\PdaNet for iPhone
2009-09-10 19:19 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-09-10 18:24 <DIR> --d----- c:\program files\AVG
2009-09-10 18:23 2,048 a------- c:\windows\system32\tzres.dll
2009-09-10 18:20 233,888 a------- c:\windows\system32\DreamScene.dll
2009-09-10 18:19 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-09-10 18:15 920,088 a------- c:\windows\system32\igxpun.exe
2009-09-10 18:15 <DIR> --d----- c:\windows\system32\x64
2009-09-10 18:15 319,456 a------- c:\windows\system32\difxapi.dll
2009-09-10 18:04 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-10 18:04 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-10 18:04 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-10 18:00 <DIR> --d----- c:\program files\Sophos
2009-09-10 17:59 828,416 a------- c:\windows\system32\wininet.dll
2009-09-10 17:59 78,336 a------- c:\windows\system32\ieencode.dll
2009-09-10 17:54 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-09-10 17:54 499,712 a------- c:\windows\system32\kerberos.dll
2009-09-10 17:54 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-09-10 17:54 270,848 a------- c:\windows\system32\schannel.dll
2009-09-10 17:54 218,624 a------- c:\windows\system32\msv1_0.dll
2009-09-10 17:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-09-10 17:54 72,704 a------- c:\windows\system32\secur32.dll
2009-09-10 17:54 9,728 a------- c:\windows\system32\lsass.exe
2009-09-10 17:54 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-10 17:52 71,680 a------- c:\windows\system32\atl.dll
2009-09-10 17:52 160,256 a------- c:\windows\system32\wkssvc.dll
2009-09-10 17:51 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-09-10 17:51 7,680 a------- c:\windows\system32\spwmp.dll
2009-09-10 17:51 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-09-10 17:51 4,096 a------- c:\windows\system32\msdxm.ocx
2009-09-10 17:51 4,096 a------- c:\windows\system32\dxmasf.dll
2009-09-10 17:51 43,520 a------- c:\windows\system32\msdxm.tlb
2009-09-10 17:51 18,432 a------- c:\windows\system32\amcompat.tlb
2009-09-10 17:50 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-09-10 17:18 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-10 17:18 <DIR> --d----- c:\program files\Zone Labs
2009-09-10 17:17 350,192 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-09-10 17:17 293,528 a------- c:\windows\system32\drivers\vsdatant.sys
2009-09-10 17:17 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-09-10 17:17 <DIR> --d----- c:\programdata\CheckPoint
2009-09-10 17:17 <DIR> --d----- c:\progra~2\CheckPoint
2009-09-10 17:10 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-10 17:10 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-10 17:10 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-10 17:07 <DIR> --d----- c:\windows\system32\SPReview
2009-09-10 17:00 <DIR> --d----- c:\users\alex\appdata\roaming\NewsLeecher
2009-09-10 16:59 <DIR> --d----- c:\program files\NewsLeecher
2009-09-10 16:58 <DIR> --d----- c:\windows\Downloaded Installations
2009-09-10 16:56 <DIR> --d----- c:\program files\Combined Community Codec Pack
2009-09-10 16:56 9,472 a------- c:\windows\system32\drivers\pnetmdm.sys
2009-09-10 16:54 928,768 a------- c:\windows\system32\scavenge.dll
2009-09-10 16:54 57,856 a------- c:\windows\system32\compcln.exe
2009-09-10 16:48 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 16:48 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 16:47 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-10 16:47 <DIR> --d----- C:\a2a8448536d1e25905aefa
2009-09-10 16:47 <DIR> --d----- c:\program files\Bonjour
2009-09-10 16:47 <DIR> --d----- c:\programdata\Apple Computer
2009-09-10 16:45 <DIR> --d----- c:\programdata\Apple
2009-09-10 16:45 <DIR> --d----- c:\windows\Internet Logs
2009-09-10 16:43 <DIR> --dsh--- c:\windows\Installer
2009-09-10 16:35 <DIR> --d----- c:\program files\WinSCP
2009-09-10 16:35 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-09-10 16:35 83,456 a------- c:\windows\system32\wudriver.dll
2009-09-10 16:35 162,064 a------- c:\windows\system32\wuwebv.dll
2009-09-10 16:35 31,232 a------- c:\windows\system32\wuapp.exe
2009-09-10 16:28 <DIR> --d----- c:\users\Alex
2009-09-10 16:28 171,136 a--shr-- C:\grldr
2009-09-10 12:27 1,732 a------- C:\tvtpktfilter.dat
2009-09-10 12:27 <DIR> --d--r-- C:\RRbackups
2009-09-10 12:25 <DIR> --d----- C:\Books
2009-09-10 12:11 <DIR> --d----- C:\SWSHARE
2009-09-10 12:08 <DIR> --d----- C:\Intel
2009-09-10 11:51 57 a------- C:\syslevel.lgl
2009-09-10 11:51 <DIR> --d----- C:\DRIVERS

==================== Find3M ====================

2009-09-28 00:32 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-28 00:32 51,200 a------- c:\windows\inf\infpub.dat
2009-09-28 00:32 86,016 a------- c:\windows\inf\infstor.dat
2009-09-10 17:10 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-29 03:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-29 03:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-29 03:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-29 03:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-29 01:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 01:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 19:42 1,417,504 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-08-28 19:42 17,408 a------- c:\windows\system32\drivers\netaapl.sys
2009-08-14 17:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 14:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 14:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 14:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 14:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 14:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 14:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-07-11 20:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 20:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 20:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 20:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 18:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2008-01-21 03:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:05:50.91 ===============

RootRepeal - I started the scan and it turned up lots of nameless files located in the System Volume Information, locked to the Windows API.
Then it hung and I restarted; now I just get error messages and can't perform a full scan...
So here is a bit-part scan; I have also included a screenshot of the aforementioned sys vol info files.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/09 14:51
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\Users\Alex\AppData\Local\Temp\catchme.sys
Address: 0xA6789000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\Windows\system32\Drivers\PROCEXP90.SYS
Address: 0xA67A7000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA67CD000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1292 Status: Locked to the Windows API!

SSDT
-------------------
#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c219880

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c2194e0

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c216828

#: 064 Function Name: NtCreateKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22cd9c

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c219c36

#: 072 Function Name: NtCreateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22aaf8

#: 073 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22ad12

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22e780

#: 115 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c219cde

#: 122 Function Name: NtDeleteFile
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c216d0a

#: 123 Function Name: NtDeleteKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22d698

#: 126 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22d414

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22a4f8

#: 166 Function Name: NtLoadKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22dbc6

#: 167 Function Name: NtLoadKey2
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22dc3e

#: 168 Function Name: NtLoadKeyEx
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22dd2e

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c216ba2

#: 194 Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22bf18

#: 267 Function Name: NtRenameKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22e370

#: 268 Function Name: NtReplaceKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22dda6

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c21916a

#: 280 Function Name: NtRestoreKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22e1b0

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c219680

#: 301 Function Name: NtSetInformationFile
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c216ef8

#: 324 Function Name: NtSetValueKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22d11a

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22b486

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22b362

#: 383 Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22af30

Stealth Objects
-------------------
Object: Hidden Module [Name: MsMpRes.dll]
Process: msseces.exe (PID: 880) Address: 0x6c590000 Size: 507904

Hidden Services
-------------------
Service Name: rootrepeal
Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Shadow SSDT
-------------------
#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c218618

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c2186a6

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c218748

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c2176f0

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c21895e

==EOF==

Attached Files

  • Attached File: EEN.jpg (77.12 KB)

Edited by alexmac9, 09 October 2009 - 11:59 AM.
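The post above asks where an infection would show up in these logs. The question a responder actually works through is: which driver owns the SSDT and Shadow SSDT hooks RootRepeal reports, and does the DDS "Created Last 30" list account for that driver? The following Python script is an added example, not code from the thread, from RootRepeal or from DDS; it parses the two report formats as they appear in the post (the line layouts and regular expressions are mine), groups every hook by the driver file that placed it, and looks up when that file appeared on disk and what else was created in the same minute. The sample input is constructed from a few entries of the posted reports.

```python
import re
from collections import defaultdict

# Constructed sample input: the report structure from the post, trimmed to a few entries.
ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c216828

#: 072 Function Name: NtCreateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22aaf8

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c22b362

Stealth Objects
-------------------
Object: Hidden Module [Name: MsMpRes.dll]
Process: msseces.exe (PID: 880) Address: 0x6c590000 Size: 507904

Shadow SSDT
-------------------
#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8c21895e

==EOF==
"""

# Constructed sample input: three lines in the format of the DDS "Created Last 30" section.
DDS_CREATED_SAMPLE = r"""
2009-09-10 17:18 <DIR> --d----- c:\program files\Zone Labs
2009-09-10 17:17 293,528 a------- c:\windows\system32\drivers\vsdatant.sys
2009-09-10 17:17 <DIR> --d----- c:\windows\system32\ZoneLabs
"""

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
DDS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$')


def basename(path):
    """Last component of a Windows path, lower-cased so spellings like DRIVERS/drivers match."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_hooks(report):
    """Return one dict per hooked SSDT / Shadow SSDT entry in a RootRepeal report."""
    lines = [ln.strip() for ln in report.splitlines()]
    hooks, section, pending = [], None, None
    for i, line in enumerate(lines):
        if re.fullmatch(r'-{5,}', line) and i > 0:
            section = lines[i - 1]          # the section heading precedes the dashed rule
            continue
        m = HOOK_RE.match(line)
        if m:                               # "#: NNN Function Name: X" opens a two-line entry
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending:                   # "Status: Hooked by ..." closes it
            index, func = pending
            hooks.append({'table': section, 'index': index, 'function': func,
                          'driver': m.group(1), 'address': int(m.group(2), 16)})
            pending = None
    return hooks


def parse_dds_created(listing):
    """Map 'YYYY-MM-DD HH:MM' -> list of paths for a DDS 'Created Last 30' listing."""
    created = defaultdict(list)
    for line in listing.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            created[m.group(1)].append(m.group(4))
    return created


def triage(report, listing):
    """Group hooks by owning driver and correlate each driver with when it appeared on disk."""
    by_driver = defaultdict(list)
    for h in parse_hooks(report):
        by_driver[basename(h['driver'])].append(h)
    created = parse_dds_created(listing)
    summary = []
    for name, hooks in sorted(by_driver.items()):
        first_seen, siblings = None, []
        for stamp, paths in created.items():
            if any(basename(p) == name for p in paths):
                first_seen = stamp
                # Everything else created in the same minute: usually the parent product's install.
                siblings = [p for p in paths if basename(p) != name]
        summary.append({'driver': name, 'hooks': len(hooks),
                        'tables': sorted({h['table'] for h in hooks}),
                        'functions': sorted(h['function'] for h in hooks),
                        'first_seen': first_seen, 'installed_with': siblings})
    return summary


if __name__ == '__main__':
    for entry in triage(ROOTREPEAL_SAMPLE, DDS_CREATED_SAMPLE):
        print(f"{entry['driver']}: {entry['hooks']} hooks in {', '.join(entry['tables'])}")
        print(f"  first seen {entry['first_seen']}, created alongside {entry['installed_with']}")
```

On the posted reports this collapses dozens of hook lines into one finding: every hook belongs to vsdatant.sys, a file that landed at 17:17 together with the ZoneLabs directory and a minute before the Zone Labs program folder, which is consistent with the firewall the DDS header lists as enabled (a kernel-mode firewall hooks process, file and registry calls to enforce its rules). The pattern that would warrant attention is the opposite one: a hooking driver with no matching entry in the created list, or one created on its own with nothing else around it.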



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 October 2009 - 05:36 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 October 2009 - 06:31 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



