
Infected with Malware "IWS"


4 replies to this topic

#1 JoeDiver

JoeDiver

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:42 AM

Posted 08 December 2009 - 02:07 AM

Have a computer that has been infected with Malware "IWS".
Have followed all instructions, running:

- Malwarebytes Anti-Malware
- RootRepeal
- D.D.S

Malwarebytes Anti-Malware initially found 4 pieces of malware and they were deleted.
The next scan found 0 malware files.

But there are still some "IWS" files, located in a temp folder, that can't be deleted.


DDS (Ver_09-12-01.01) - NTFSx86
Run by BE at 7:39:12,99 on 2009-12-08
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.46.1053.18.894.207 [GMT 1:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\windows\SMINST\scheduler.exe
C:\windows\RtHDVCpl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Malwarebytes' Anti-Malware\myscan.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\BE\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.poseidon.se/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=74&bd=smb&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=74&bd=smb&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\be\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [EFI Job Monitor] c:\windows\temp\jobmonitor\JobMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xportera till Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: alecta.se\extern.stn
Trusted Zone: collectum.se\ik
Trusted Zone: danskebank.se
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://business.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-5-6 179712]

=============== Created Last 30 ================

2009-12-08 05:31:39 0 d-----w- c:\users\be\appdata\roaming\Malwarebytes
2009-12-08 05:30:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 05:29:57 0 d-----w- c:\programdata\Malwarebytes
2009-12-08 05:29:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 05:29:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 04:42:05 16409960 ----a-w- c:\users\be\spybotsd162.exe
2009-12-07 14:15:03 0 d-----w- c:\programdata\WindowsSearch
2009-12-07 12:30:07 194 ----a-w- c:\windows\system32\srcr.dat
2009-12-07 11:25:55 0 d-----w- c:\programdata\Kaspersky SDK
2009-12-07 11:25:42 0 d-----w- c:\users\be\appdata\roaming\MailFrontier
2009-12-07 11:17:17 0 d-----w- c:\users\be\appdata\roaming\CheckPoint
2009-12-07 11:16:55 0 d-----w- c:\program files\CheckPoint
2009-12-07 11:16:43 72584 ----a-w- c:\windows\zllsputility.exe
2009-12-07 11:16:37 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-12-07 11:16:29 22528 ----a-w- c:\windows\system32\netiougc.exe
2009-12-07 11:16:29 170496 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-12-07 11:15:30 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-07 11:15:10 446152 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-12-07 11:15:10 423031 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-12-07 11:15:10 0 d-----w- c:\windows\system32\ZoneLabs
2009-12-07 11:15:09 0 d-----w- c:\program files\Zone Labs
2009-12-07 11:14:41 0 d-----w- c:\programdata\CheckPoint
2009-12-07 11:14:39 0 d-----w- c:\windows\Internet Logs
2009-11-27 07:20:26 0 d-----w- c:\programdata\McAfee
2009-11-26 08:28:50 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-25 07:20:14 0 d-----w- c:\programdata\McAfee Security Scan
2009-11-25 07:20:14 0 d-----w- c:\program files\McAfee Security Scan
2009-11-11 09:11:24 0 d-----w- c:\users\be\Kundresk. Pay-Ex

==================== Find3M ====================

2009-12-08 05:00:37 647732 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-08 05:00:37 138260 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-07 11:15:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-07 11:15:22 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-07 11:15:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-09-19 06:11:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-06 14:35:23 174 --sha-w- c:\program files\desktop.ini
2006-11-21 05:00:25 35978 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2006-11-21 05:00:25 35978 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2006-11-21 05:00:25 290490 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2006-11-21 05:00:25 290490 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-08 12:06:27 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-08 12:06:27 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-08 12:06:27 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-05-06 09:48:19 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:41:14,33 ===============
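As an added, defender-side example (not a tool from this thread or from BleepingComputer), the Python below runs a few simple checks over DDS "Pseudo HJT Report" lines like those in the log above: a security product reporting Outdated, an autorun entry that launches from a temp folder, and UAC switched off via EnableLUA = 0. The sample text is constructed from lines in the posted log; a temp-folder autorun is a flag for review, not a verdict on the specific program.

```python
"""Triage a DDS log excerpt for a few settings a malware helper looks at first."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the DDS log posted in this thread.
SAMPLE_DDS = r"""
AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Pseudo HJT Report ===============

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [EFI Job Monitor] c:\windows\temp\jobmonitor\JobMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
"""

# Security-product line: "AV: <name> *<state>* (Outdated|Updated) {clsid}"
AV_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]*)\* \((?P<status>Outdated|Updated)\)"
)
# Autorun line from a Run/RunOnce key: "mRun: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Machine policy line: "mPolicies-system: <key> = <value> (0x..)"
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\S+)")

# Substrings that indicate a command line living in a temporary directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str


def triage(dds_text: str) -> list[Finding]:
    """Return review flags for the DDS excerpt; legitimate-looking lines produce none."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            if m["status"] == "Outdated":
                findings.append(Finding(
                    "medium", f"{m['kind']} product '{m['name']}' reports Outdated signatures"))
            continue
        m = RUN_RE.match(line)
        if m:
            if any(marker in m["cmd"].lower() for marker in TEMP_MARKERS):
                findings.append(Finding(
                    "high", f"{m['hive']} [{m['name']}] launches from a temp folder: {m['cmd']}"))
            continue
        m = POLICY_RE.match(line)
        if m and m["key"] == "EnableLUA" and m["val"] == "0":
            findings.append(Finding("high", "UAC is disabled (mPolicies-system: EnableLUA = 0)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.message}")
```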


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:42 PM

Posted 20 December 2009 - 05:29 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below...
--
If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 JoeDiver

JoeDiver
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:42 AM

Posted 21 December 2009 - 04:48 AM

I've run a couple of different ad-/malware removal programs and installed new anti-virus software (Zone Alert) on the machine.
No additional "strange behaviour" has been noticed since.


DDS (Ver_09-12-01.01) - NTFSx86
Run by BE at 10:19:47,11 on 2009-12-21
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.46.1053.18.894.73 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\windows\SMINST\scheduler.exe
C:\windows\RtHDVCpl.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Personal\bin\Personal.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WinBas\WinBas.exe
c:\WinBas\Push.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\BE\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.poseidon.se/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=74&bd=smb&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xportera till Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: alecta.se\extern.stn
Trusted Zone: collectum.se\ik
Trusted Zone: danskebank.se
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://business.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-5-6 179712]

=============== Created Last 30 ================

2009-12-10 08:21:46 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-10 08:01:23 98816 ----a-w- c:\windows\sed.exe
2009-12-10 08:01:23 77312 ----a-w- c:\windows\MBR.exe
2009-12-10 08:01:23 261632 ----a-w- c:\windows\PEV.exe
2009-12-10 08:01:23 161792 ----a-w- c:\windows\SWREG.exe
2009-12-08 09:54:45 0 d-----w- c:\programdata\SQL Anywhere 10
2009-12-08 09:48:03 2134016 ----a-w- c:\windows\system32\cdintf251.dll
2009-12-08 09:46:06 0 d-----w- c:\users\be\appdata\roaming\IObit
2009-12-08 09:46:06 0 d-----w- c:\program files\IObit
2009-12-08 09:46:01 0 d-----w- c:\program files\common files\Business Objects
2009-12-08 09:46:00 0 d-----w- c:\program files\common files\Rasterex Shared
2009-12-08 09:46:00 0 d-----w- C:\MonWin
2009-12-08 09:43:52 0 d-----w- c:\users\be\sybase
2009-12-08 09:43:51 0 d-----w- c:\programdata\Sybase Central 5.0.0
2009-12-08 09:43:13 0 d-----w- c:\program files\SQL Anywhere 10
2009-12-08 05:31:39 0 d-----w- c:\users\be\appdata\roaming\Malwarebytes
2009-12-08 05:30:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 05:29:57 0 d-----w- c:\programdata\Malwarebytes
2009-12-08 05:29:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 05:29:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 04:42:05 16409960 ----a-w- c:\users\be\spybotsd162.exe
2009-12-07 14:15:03 0 d-----w- c:\programdata\WindowsSearch
2009-12-07 11:25:55 0 d-----w- c:\programdata\Kaspersky SDK
2009-12-07 11:25:42 0 d-----w- c:\users\be\appdata\roaming\MailFrontier
2009-12-07 11:17:17 0 d-----w- c:\users\be\appdata\roaming\CheckPoint
2009-12-07 11:16:55 0 d-----w- c:\program files\CheckPoint
2009-12-07 11:16:43 72584 ----a-w- c:\windows\zllsputility.exe
2009-12-07 11:16:37 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-12-07 11:16:29 22528 ----a-w- c:\windows\system32\netiougc.exe
2009-12-07 11:16:29 170496 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-12-07 11:15:30 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-12-07 11:15:10 446152 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-12-07 11:15:10 423031 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-12-07 11:15:10 0 d-----w- c:\windows\system32\ZoneLabs
2009-12-07 11:15:09 0 d-----w- c:\program files\Zone Labs
2009-12-07 11:14:41 0 d-----w- c:\programdata\CheckPoint
2009-12-07 11:14:39 0 d-----w- c:\windows\Internet Logs
2009-11-27 07:20:26 0 d-----w- c:\programdata\McAfee
2009-11-26 08:28:50 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-25 07:20:14 0 d-----w- c:\programdata\McAfee Security Scan
2009-11-25 07:20:14 0 d-----w- c:\program files\McAfee Security Scan

==================== Find3M ====================

2009-12-21 07:18:03 647732 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-21 07:18:03 138260 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-07 11:15:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-07 11:15:22 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-07 11:15:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-09-19 06:11:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-06 14:35:23 174 --sha-w- c:\program files\desktop.ini
2006-11-21 05:00:25 35978 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2006-11-21 05:00:25 35978 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2006-11-21 05:00:25 290490 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2006-11-21 05:00:25 290490 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-08 12:06:27 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-08 12:06:27 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-08 12:06:27 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-05-06 09:48:19 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:22:18,68 ===============


Edited by JoeDiver, 21 December 2009 - 04:50 AM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:42 PM

Posted 21 December 2009 - 12:01 PM

Have you run ComboFix before yourself?

--
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:42 PM

Posted 26 December 2009 - 09:36 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



