
Firefox Google Hijacker Trojan


  • This topic is locked
4 replies to this topic

#1 Dave MiamiBeach

  • Members
  • 6 posts

Posted 25 December 2009 - 04:34 PM

Whatever I picked up is nasty. It redirects Google searches to useless shopping pages. It prevents Combofix, it blocks Windows Update. It is not picked up by ZoneAlarm, Malwarebytes, Spybot. Now and then a page for a bogus virus scanner appears. It is really generic - has no name - and is unlike stuff I've seen on this site.

Sure could use some help

DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 15:01:03.92 on Fri 12/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1354 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\2007-2009 downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio 10\uvPL.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppMgrGui] c:\program files\appstream\windowsclient\bin\exeForService.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HPLJ Config] c:\program files\hewlett-packard\hp laserjet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 3030 PCL 6" -n 1 -l 1033
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://sef.mlxchange.com/Control/Specfile.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} - hxxp://smartdownload.riverdeep.net/launcher.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://sef.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1245291113062
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://sef.mlxchange.com/Control/MLXClientUtils.cab
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://sef.mlxchange.com/Control/LiteGrid.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://sef.mlxchange.com/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://sef.mlxchange.com/Control/AspCustomCtrls.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: ASWLNDLL - ASWLNDLL.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\ce60gsq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-11 128016]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-12 64288]
R1 APPSTREAM;APPSTREAM;c:\windows\system32\drivers\AppStream.sys [2007-5-13 115284]
R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\tsircmir.sys [2005-4-13 2816]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 486280]
R2 AppMgrService;AWE 5.1.0 Application Manager;c:\program files\appstream\windowsclient\bin\AppMgrService.exe [2006-9-27 1990656]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 PDFILTER;PDFILTER;c:\progra~1\dekart\privat~1\PDFILTER.SYS [2006-8-24 15232]
R2 PDRJNDL;PDRJNDL;c:\progra~1\dekart\privat~1\PDRJNDL.SYS [2006-8-24 18688]
R2 PRVDISK;PRVDISK;c:\progra~1\dekart\privat~1\PRVDISK.SYS [2006-8-24 17152]
R2 REGHOOK;REGHOOK;c:\windows\system32\drivers\RegHook.sys [2006-9-27 54879]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-1 1247600]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2005-4-13 5824]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2005-4-13 42560]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2005-4-13 5120]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 VSPD;VSPD;c:\windows\system32\drivers\VSPD.sys [2006-9-27 31321]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\TSIKBF5.sys [2005-4-13 9728]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2005-4-13 5632]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2005-4-13 9216]
S2 DVR2INS;ADS Instant DVD 2.0;c:\windows\system32\drivers\dvr2ins.sys [2005-3-2 34792]
S2 MtxVideo;Matrox WDM capture/crossbar driver;c:\windows\system32\drivers\mtxvideo.sys [2004-11-16 103296]

=============== Created Last 30 ================

2009-12-12 17:21:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-11 03:32:18 0 d-----w- C:\Video Capture
2009-12-06 15:23:36 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-06 15:23:36 467200 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-06 04:42:55 0 d-----w- c:\windows\system32\drivers\backup files google trojan
2009-11-28 04:43:41 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-28 04:43:41 1409 ----a-w- c:\windows\QTFont.for
2009-11-26 06:53:04 80424 ----a-r- c:\windows\system32\drivers\SI3132_2.sys
2009-11-26 06:49:20 0 d-sha-r- C:\cmdcons
2009-11-26 06:46:23 98816 ----a-w- c:\windows\sed.exe
2009-11-26 06:46:23 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 06:46:23 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 06:46:23 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2009-12-25 19:56:08 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-19 08:39:55 4360 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-31 14:04:01 116392 ----a-w- c:\docume~1\david\applic~1\GDIPFONTCACHEV1.DAT
2009-10-17 06:39:40 72584 ----a-w- c:\windows\zllsputility.exe
2009-10-17 06:39:32 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-06-29 13:14:37 56 --sh--r- c:\windows\system32\10514C8D54.sys
2007-01-25 02:15:08 11690 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:04:29.21 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/25 15:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xA778F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA5F1000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ed600

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e6d50

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\REGHOOK.SYS" at address 0xa8f1b4b3

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ede10

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad304d00

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad305120

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30f210

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2edf80

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e7c30

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30c750

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\REGHOOK.SYS" at address 0xa8f1b8df

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad303e40

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\REGHOOK.SYS" at address 0xa8f1b9cf

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e08e0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30d050

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30d280

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30f5c0

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e7720

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad307420

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad306ff0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad309470

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\REGHOOK.SYS" at address 0xa8f1b7bb

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30e400

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30da10

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ed150

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30e0a0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ed8e0

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e8050

#: 227 Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad309340

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad30e8b0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e0010

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\REGHOOK.SYS" at address 0xa8f1b668

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad305cf0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad305a20

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e0d30

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ebd50

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ebeb0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ec000

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e17e0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e96e0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2ec440

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e1ed0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad2e1560

==EOF==

Attached Files

  • DDS.txt (12.42KB)




#2 Dave MiamiBeach

  • Topic Starter
  • Members
  • 6 posts

Posted 28 December 2009 - 04:21 PM

Using Firefox, Windows XP on a Dell 8400 desktop, I am getting re-directed to useless web sites like searchfindsite.com or savecompare.com. Not always but randomly.

I have uploaded a new copy of Malwarebytes - renamed it, updated it and run a scan without problem - it shows no infection.

ZoneAlarm shows nothing. Spybot Search and Destroy shows nothing. Combofix hangs up. Windows MRT shows clean now, but 10 days ago it showed that it partially cleaned win32.Alureon.F.

Unable to run Windows Update - it is blocked. Tried to run it from the Microsoft website and that was unsuccessful. I have the latest version of Java and all the older versions removed.

Running RootRepeal I get "c:\hiberfil.sys locked to Windows API!" I don't know what that means.

Previously I had a problem with iastor.sys, cbidf2k.sys and atapi.sys but Combofix cleaned those. I also had a win32.Adware.Ezula /C but Ad-Aware cleaned that. Now, this seems to be a new problem.

This thing has been driving me crazy. Please help.

Thanks

Attached RootRepeal log and DDS.txt


Edited by Orange Blossom, 28 December 2009 - 08:59 PM.
Merged topics. ~ OB


#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 05 January 2010 - 07:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#4 Dave MiamiBeach

  • Topic Starter
  • Members
  • 6 posts

Posted 07 January 2010 - 09:02 AM

Thanks. The infection got worse and I ended up with a blue screen. I did a partial Windows re-install (no reformatting of the drive) and now seem to have a clean machine and kept all my files. But thanks anyway. Hopefully you guys can find a fix for whatever it was.

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 07 January 2010 - 12:57 PM

There already are fixes for this (it's a variant of the TDSS rootkit called TDL3), though they don't always clean it all out.

Thanks for your response, I will now close the topic.

---------------------------------------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
