
Trojan Maybe? Logs included please help


  • This topic is locked
2 replies to this topic

#1 revolution2718

revolution2718

  • Members
  • 18 posts

Posted 28 December 2009 - 07:20 PM

Got some messages about some Windows security stuff. Tried to avoid it and get rid of it, but that did not work. Whenever the computer is booted normally it locks up after a minute. I am able to boot into safe mode to do this stuff. Cannot launch Malwarebytes/Spybot or any other antivirus software.

Here is the DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Tom Nieradka at 19:06:14.09 on Mon 12/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1517 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Tom Nieradka\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tom nieradka\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RGSC] c:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [settdebugx.exe] c:\docume~1\tomnie~1\locals~1\temp\settdebugx.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\LCDMon.exe"
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
StartupFolder: c:\docume~1\tomnie~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tom nieradka\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249075049578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tomnie~1\applic~1\mozilla\firefox\profiles\fxtswinc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - plugin: c:\documents and settings\tom nieradka\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\tom nieradka\application data\mozilla\firefox\profiles\fxtswinc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\tom nieradka\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-7 486280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-5-7 22784]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-8 128016]
S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-5-7 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-5-7 234888]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2009-11-12 126976]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2009-11-12 122368]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2009-5-9 17408]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-9 79360]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-5-9 434304]
S3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [2009-5-9 1684736]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2009-5-7 245760]

=============== Created Last 30 ================

2009-12-28 22:42:37 662 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-28 22:41:35 124 ----a-w- c:\windows\system32\srcr.dat
2009-12-17 19:46:21 29024 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-12-28 23:51:39 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-12-28 23:38:38 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-12-28 22:35:09 78296 ----a-w- c:\windows\system32\nvModes.dat
2009-12-28 15:37:17 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-27 06:28:21 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-27 05:10:37 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 16:45:04 33792 ----a-w- c:\windows\system32\identprv.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-17 06:39:40 72584 ----a-w- c:\windows\zllsputility.exe
2009-10-17 06:39:32 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-04-30 22:28:44 74 -csh--r- c:\windows\CT4CET.bin

============= FINISH: 19:07:54.51 ===============






And the RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/28 19:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7AE4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTbpjcjmomev.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbpjcjmomev.sys
Address: 0xB7DA3000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6804000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Internet Logs\BACKUP.RDB
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\H8SRTaqgrjsubyo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTdhbocqtmtf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTulhyldpqjh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTvlptjcfmky.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTac4d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTbpjcjmomev.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\H8SRT103f.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF1570.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF47C5.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF47CB.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF481F.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF4824.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF484D.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DF4853.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\tom nieradka\local settings\temp\~df603e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DFA79.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\tom nieradka\local settings\temp\~dfbadc.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DFBE23.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DFC92F.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\plugtmp\plugin-config.prodXml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\plugtmp\plugin-crossdomain.xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\107670832_40x40[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\88796331_saving-madagascar[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\context=slide[2].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\query3[3].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\Yw7176_60x45[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\__utm[2].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\log[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\lr[2].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\log[3].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\log[4].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\8LMJPZR5\__utm[3].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\Ihatethemall_671790_40x40[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\1_120x90[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\search[3].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\=Vanguard%20Weekly%20Special;topic=Current%20Earth;topic=environment;topic=Global%20Warming;topic=Africa;topic=RTVanguard;;tile=11;sz=1x11;ord=63705429[1].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\tracking[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\query3[4].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\ac[7].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\log[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\log[3].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\lr[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\L5ZEVA5I\SHAWN_RITTIMAN_996015_40x40[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\%20Special;topic=Current%20Earth;topic=environment;topic=Global%20Warming;topic=Africa;topic=RTVanguard;wmode=transparent;tile=1;sz=728x90;ord=63705429[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\tracking[3].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\s67364690438844[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\s67520635905675[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\search[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\ac[4].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\quant[1].swf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\query3[2].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\query3[3].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\log[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\lr[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\lr[2].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\crossdomainCAS1CD0O.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\PG0OP6W0\PD23675[1].flv
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\pixel[1].swf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\crossdomain[4].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\log[2].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\lr[3].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\lr[4].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\20Special;topic=Current%20Earth;topic=environment;topic=Global%20Warming;topic=Africa;topic=RTVanguard;wmode=transparent;tile=3;sz=300x250;ord=63705429[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\=Vanguard%20Weekly%20Special;topic=Current%20Earth;topic=environment;topic=Global%20Warming;topic=Africa;topic=RTVanguard;;tile=13;sz=1x13;ord=63705429[2].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\query3[1].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\tracking[3].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\tracking[4].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temporary Internet Files\Content.IE5\QI2IEPLG\miawhwn_129142_40x40[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Application Data\Mozilla\Firefox\Profiles\fxtswinc.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Application Data\Macromedia\Flash Player\#SharedObjects\YKRGWPGM\i2.current.com\com.quantserve.sol
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3EF9C860-F40F-11DE-8637-0023AE23DF12}.dat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{69B20AFE-F40F-11DE-8637-0023AE23DF12}.dat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9534F57E-F40F-11DE-8637-0023AE23DF12}.dat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9534F57D-F40F-11DE-8637-0023AE23DF12}.dat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxtswinc.default\Cache\9F8203D1d01
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxtswinc.default\Cache\F681FF8Cd01
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxtswinc.default\Cache\1678F7BBd01
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxtswinc.default\Cache\99C8FB55d01
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTdhbocqtmtf.dll]
Process: svchost.exe (PID: 896) Address: 0x008a0000 Size: 73728

Object: Hidden Module [Name: H8SRTaqgrjsubyo.dll]
Process: svchost.exe (PID: 896) Address: 0x10000000 Size: 77824

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbpjcjmomev.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c13d50

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c13eb0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c14000

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c097e0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c116e0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c14440

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c09ed0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c09560

==EOF==
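Added example (not from the original post, and not RootRepeal's own code): a small Python script that parses a RootRepeal report in the layout posted above and separates the entries that indicate active hiding (drivers and files "Hidden from"/"Invisible to the Windows API", hidden modules, hidden services) from the noise a healthy machine also produces (locked files that return Error 0xc0000008, temp files that are "visible to the Windows API, but not on disk"). It also extracts which driver owns the Shadow SSDT hooks, so they can be matched against an installed product (the DDS log above lists vsdatant.sys as the ZoneAlarm TrueVector driver), and reports the filename prefix the hidden objects share. The function names and the sample excerpt are this example's own; the excerpt copies a few entries from the posted log rather than the full report.

```python
"""Triage a RootRepeal text report. Added example, not from the original post
or from RootRepeal; function names and the sample excerpt are this example's own."""
import os
import re
from collections import defaultdict

# Constructed sample: a short excerpt in the format of the posted log, with a
# few entries copied from it (not the full report).
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/28 19:11
==================================================

Drivers
-------------------
Name: H8SRTbpjcjmomev.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbpjcjmomev.sys
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Internet Logs\BACKUP.RDB
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\H8SRTaqgrjsubyo.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tom Nieradka\Local Settings\Temp\~DFBE23.tmp
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTdhbocqtmtf.dll]
Process: svchost.exe (PID: 896) Address: 0x008a0000 Size: 73728

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTbpjcjmomev.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c13d50

==EOF==
"""

DASHES = re.compile(r"^-{5,}$")
HIDING = ("Hidden from the Windows API!", "Invisible to the Windows API!")


def parse_rootrepeal(text):
    """Return {section: [entry, ...]}; an entry is a dict of its 'Key: Value' lines."""
    lines = text.splitlines()
    sections, section, entry = defaultdict(list), None, {}

    def flush():
        nonlocal entry
        if entry and section:
            sections[section].append(entry)
        entry = {}

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and DASHES.match(lines[i + 1]):
            flush()                                   # a header is the line above a dashed rule
            section = line.strip()
        elif section is None or DASHES.match(line):
            continue                                  # banner before the first section, or the rule
        elif not line.strip() or line.strip() == "==EOF==":
            flush()                                   # a blank line closes an entry
        else:
            key, sep, value = line.partition(": ")    # first "Key: Value" pair on the line
            if sep:
                entry[key.strip()] = value.strip()
    flush()
    return dict(sections)


def triage(sections):
    """Split the report into strong hiding indicators and expected noise."""
    f = defaultdict(list)
    for e in sections.get("Drivers", []):
        if e.get("Status") in HIDING:
            f["hidden_drivers"].append(e["Image Path"])
    for e in sections.get("Hidden/Locked Files", []):
        # Locked files (Error 0xc0000008) and temp files "visible ... but not on
        # disk" are routine on clean systems; only active hiding is a finding.
        f["hidden_files" if e.get("Status") in HIDING else "noise"].append(e["Path"])
    for e in sections.get("Stealth Objects", []):
        m = re.search(r"\[Name: (.+?)\]", e.get("Object", ""))
        if m:
            f["hidden_modules"].append((m.group(1), e.get("Process", "")))
    for e in sections.get("Hidden Services", []):
        f["hidden_services"].append((e.get("Service Name"), e.get("Image Path")))
    for e in sections.get("Shadow SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', e.get("Status", ""))
        if m:  # owner of the hook; compare against drivers of installed security products
            f["ssdt_hooks"].append(m.group(1))
    return dict(f)


def hidden_name_prefix(findings):
    """Common filename prefix of all hidden objects ('' if fewer than two)."""
    paths = findings.get("hidden_drivers", []) + findings.get("hidden_files", [])
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    names += [name for name, _ in findings.get("hidden_modules", [])]
    return os.path.commonprefix(names) if len(names) >= 2 else ""
```

Run it on a saved report with `triage(parse_rootrepeal(open("rootrepeal.txt").read()))`; everything under "noise" can usually be ignored, while a non-empty `hidden_*` list, and in particular a shared prefix across hidden driver, files, modules and service, is what the helper in this thread is looking at when asking for further scans.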


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 January 2010 - 06:37 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know in your next reply what issues you are still having.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 January 2010 - 09:21 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





