Need help removing rootkit and trojans


2 replies to this topic

#1 dadneedshelp

  • Members
  • 4 posts

Posted 06 August 2010 - 11:26 AM

Need a specialist to ensure my backups aren't infected. I did a restore and some scans are showing evidence of rootkits.

Need help to take a look at the logs to ensure I am clean.

Thanks for the help!

Should I upload the logs - what's next??

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Neo at 11:20:48.12 on Fri 08/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://w3.ibm.com/
mDefault_Page_URL = hxxp://w3.ibm.com
uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t network client\NetSP.exe" -show
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup
mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"
mRun: [SODCPreLoad] c:\notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20080827-1548\preload.exe c:\notes\data\workspace\.sodc\
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ISSI Service] "c:\sdwork\issimsvc.exe"
mRun: [5733-IC1/eserver/hardware] "c:\program files\ibm\information\eclipse\IC_start.bat"
mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q
mRun: [Isamtray] "c:\program files\c4ebreg\isamtray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{b3004fe6-dad0-4288-94c5-806eebbbc7b1}\Icon6560581611.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {F002E5B7-C09E-4A41-958B-856DD3EA2AC8} = 68.28.178.91 68.28.186.91
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: pcsinst - pcsinst.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\windows\system32\guard32.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
LSA: Notification Packages = scecli PGPpwflt
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 255.255.255.255 broadcasthost
Hosts: 216.34.181.45 s # slashdot.org
Hosts: 64.233.187.104 g # google.com
Hosts: 9.56.248.25 pokgsa.ibm.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\b7c5e6j6.default\
FF - prefs.js: browser.startup.homepage - hxxp://w3.ibm.com/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava11.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava12.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava13.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava14.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava32.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPJPI150.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\NPOJI610.dll
FF - plugin: c:\program files\ibm\java50\jre\bin\npwebscl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\extensions\ibm-cck@firefox-extensions.ibm.com\platform\winnt_x86-msvc\plugins\npaddtonab.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-08-06 09:42:07 0 d-----w- c:\docume~1\admini~1\applic~1\smkits
2010-08-05 13:52:34 3441 ---ha-w- C:\JPVirusCheck.bat
2010-08-05 10:48:52 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-08-05 10:48:52 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-08-05 10:47:57 0 d-----w- c:\program files\Kaspersky Lab
2010-08-05 10:47:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-08-05 10:37:20 0 ----a-w- c:\documents and settings\administrator\settings.dat
2010-08-05 01:24:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-08-05 01:22:46 21312 ----a-w- c:\windows\choice.exe
2010-08-05 01:21:52 0 d-----w- C:\ie-spyad
2010-08-04 23:57:33 32 ----a-w- c:\windows\system32\disableShares.bat
2010-08-04 23:53:39 0 d-----w- c:\documents and settings\administrator\DoctorWeb
2010-08-04 23:30:21 307 ----a-w- c:\windows\system32\host.bat
2010-08-04 15:15:07 0 d-----w- c:\docume~1\admini~1\applic~1\Wireshark
2010-08-04 13:41:48 73 ----a-w- c:\windows\system32\-1
2010-08-04 13:13:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-04 12:12:06 0 d--h--w- C:\VritualRoot
2010-08-04 11:59:12 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-08-04 10:31:27 2 --shatr- c:\windows\winstart.bat
2010-08-04 10:31:06 0 d-----w- c:\program files\UnHackMe
2010-08-04 09:27:16 0 d-----w- c:\program files\COMODO
2010-08-04 09:25:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-08-01 19:40:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-28 15:03:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-28 12:59:01 98816 ----a-w- c:\windows\sed.exe
2010-07-28 12:59:01 161792 ----a-w- c:\windows\SWREG.exe
2010-07-27 10:36:54 0 d-----w- c:\program files\CCleaner
2010-07-26 10:09:37 77312 ----a-w- c:\windows\MBR.exe
2010-07-26 10:09:37 256512 ----a-w- c:\windows\PEV.exe
2010-07-25 22:35:56 13911917 ----a-w- c:\windows\system32\HO
2010-07-25 21:20:21 714752 ----a-w- c:\windows\system32\a9911.tmp
2010-07-25 21:20:21 54624 ----a-w- c:\windows\system32\c7b10.sys
2010-07-25 21:19:37 2335270 ----a-w- c:\windows\system32\353F.mht
2010-07-25 21:07:36 0 d-----w- c:\docume~1\admini~1\applic~1\Secunia CSI
2010-07-25 19:58:22 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-25 19:20:53 0 d-----w- c:\program files\Trend Micro
2010-07-25 14:45:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-07-25 14:45:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-24 14:44:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-24 13:20:53 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-07-24 13:14:34 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-07-24 13:06:14 0 d-----w- c:\windows\ie8updates
2010-07-24 13:05:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-07-24 13:05:20 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-07-24 13:03:19 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-24 13:03:19 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-24 13:03:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-24 13:03:18 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-24 13:03:18 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-24 13:03:17 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-24 13:03:16 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-24 13:00:56 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-24 12:42:29 0 d-----w- c:\program files\Yahoo!
2010-07-24 12:09:00 0 ----a-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-07-24 12:08:56 0 ----a-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-07-24 12:08:47 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-24 12:08:17 248448 ----a-w- c:\windows\system32\PROUnstl.exe
2010-07-23 18:08:09 0 d--h--w- c:\program files\InstallJammer Registry
2010-07-23 18:05:07 40960 ----a-w- c:\windows\system32\SMEventLog.dll
2010-07-23 18:04:32 0 d-----w- c:\program files\IBM_DS
2010-07-23 18:01:59 0 d--h--w- c:\program files\Zero G Registry
2010-07-23 18:01:56 0 d--h--w- c:\documents and settings\administrator\InstallAnywhere
2010-07-23 14:22:11 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-23 14:22:11 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-23 14:22:02 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-23 14:22:02 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-23 11:27:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-23 10:39:30 0 d-----w- c:\program files\Safer Networking
2010-07-22 22:32:46 0 d-----w- c:\docume~1\admini~1\applic~1\WinPatrol
2010-07-22 22:32:42 0 d-----w- c:\program files\BillP Studios
2010-07-22 02:02:54 766 ------w- c:\windows\system32\uninst.ico
2010-07-22 02:02:51 0 d-----w- C:\NotesSQL
2010-07-22 02:02:47 0 d-----w- C:\lotus
2010-07-21 16:27:50 0 d-----w- c:\documents and settings\administrator\Bluetooth Software
2010-07-21 15:37:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-21 15:37:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-21 11:45:39 0 d-----w- c:\windows\pss
2010-07-21 10:18:42 3350 --sha-r- c:\documents and settings\administrator\ntuser.pol
2010-07-19 19:47:32 0 d-----w- c:\documents and settings\administrator\SecurityScans
2010-07-19 15:20:28 0 d-----w- c:\program files\common files\HP
2010-07-19 15:14:51 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-07-19 15:13:55 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-07-19 15:13:55 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2010-07-19 15:13:55 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-07-19 15:13:55 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-07-19 15:13:55 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-07-19 15:13:55 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-07-19 15:13:06 0 d-----w- c:\program files\HP
2010-07-19 15:08:01 68900 ----a-w- c:\windows\hpoins05.dat
2010-07-19 15:08:01 19696 ------w- c:\windows\hpomdl05.dat
2010-07-19 15:07:58 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-07-19 15:07:58 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-07-19 15:07:58 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-07-19 15:07:42 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-07-19 15:07:41 708608 ----a-w- c:\windows\system32\hpotiop.dll
2010-07-19 15:07:41 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-07-19 15:07:41 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-19 15:07:27 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-07-19 15:07:25 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-07-19 15:07:25 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-07-19 12:56:54 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-07-19 12:56:54 0 d-----w- c:\program files\Belarc
2010-07-19 12:54:02 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-05 12:47:29 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-08-05 12:46:28 4442 ----a-w- c:\windows\system32\drivers\TPPWRIF.SYS
2010-08-05 12:44:46 4608 ----a-w- c:\windows\system32\drivers\TSMAPIP.SYS
2010-06-25 17:07:24 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07:18 100880 ----a-w- c:\windows\system32\Packet.dll
2010-06-01 18:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-05-23 15:26:19 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
2010-05-19 10:59:31 114308 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-05-19 09:55:00 249856 ------w- c:\windows\Setup1.exe
2010-05-19 09:54:58 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-19 09:12:51 16384 ------w- c:\windows\PWMBTHLP.EXE
2010-05-19 09:11:21 974848 ----a-w- c:\windows\system32\btrez.dll
2010-05-19 09:11:18 106557 ----a-w- c:\windows\system32\btw_ci.dll

============= FINISH: 11:32:36.48 ===============

Been getting warnings like:

Security Warning!
current site ad.doubleclick.net
c:\windows\system32\xpsp3res.dll

when going to google or just plain sites I always visit.

Also, not sure why Firefox or Explorer opens 10-20 connections when visiting 1 website like google.com.
I'm under the impression that it first tries to get a connection and once it knows we're connected the rest get dropped.

I guess the main thing is to just check netstat and ensure we just have 1 connection.
TCPVIEW sometimes shows tons of firefox connections when just going to google. Want to ensure I don't have any redirects.
Also, my firewall shows connections to tons of websites I never visit and I am the only 1 that uses this laptop.

RootRepeal:

"could not read boot sector, try adjusting disk access" ERROR when trying to get hidden services.

Here's the logs - looks like most is from current protection:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/08/06 12:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 3h0oc098.sys
Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3h0oc098.sys
Address: 0xA6EF8000 Size: 197760 File Visible: No Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7494000 Size: 153344 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA85C6000 Size: 851968 File Visible: No Signed: -
Status: -

Name: dwprot.sys
Image Path: C:\WINDOWS\system32\drivers\dwprot.sys
Address: 0xA6F54000 Size: 115456 File Visible: No Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74BA000 Size: 125056 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA608000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PROCEXP141.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xA7281000 Size: 9600 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF79DB000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6E98000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5358c

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53e0c

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54922

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54e94

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f540ee

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52436

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54d6c

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53192

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54c28

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5334e

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54fc6

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56c08

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53aaa

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54cca

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f565fa

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f529fa

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52d88

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54576

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f575ca

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52eca

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52f74

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54382

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5668c

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52412

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52424

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f8ded4

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56cbc

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f530c0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54f36

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53e8e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f525dc

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f54e04

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53792

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f65fe0

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f55068

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f536b6

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5301e

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52c46

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56fd4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52896

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56922

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52b0e

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f522b0

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f553f2

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f552b8

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5639a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f59e2c

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f574ac

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f52248

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5465c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53cc8

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f55c4a

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56786

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f57114

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5271e

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f8de6e

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f571f8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f57320

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f65f0e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f5390a

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f53860

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f56e8a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f539ea

Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: rundll32.exe (PID: 1160) Address: 0xe2e062f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x855cb738 Size: 1322

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x85a7ada0 Size: 486

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x849f4220 Size: 3553

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x85566440 Size: 3009

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x854a7070 Size: 1627

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84c1c910 Size: 292

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84c1f758 Size: 975

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9312a

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f93854

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9325e

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9370e

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9339e

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f934d2

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f648ba

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f92faa

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f921fc

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f64c72

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8f64aa8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f92c7a

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9360c

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f929e8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f92b2a

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f66b10

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f91f34

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f66a84

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f65a18

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xa6f65946

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f92dca

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f9288e

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f92ec0

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f920a4

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f93892

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8f93abc

==EOF==

Merged 4 posts. ~ OB

Edited by Orange Blossom, 06 August 2010 - 12:51 PM.
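The hook listing above is the kind of output a reader has to triage by hand: dozens of SSDT entries, each "Hooked by" some driver. A defender's first question is which modules are doing the hooking and whether every one of them belongs to a security product that is actually installed. The following parser is an added example (it is not the poster's code and not part of GMER, RootRepeal or any other scanner); it reads the two-line "#: ... Function Name" / "Status: Hooked by ..." format shown above, groups hooks by driver, lists any driver not on an expected list, and reports the address range each driver's hooks fall into. The sample log is constructed from the format above with two extra made-up entries (unknown.sys and NtExampleCall) so the unexpected-driver case is exercised, and the EXPECTED_DRIVERS list is an assumption for illustration only; which drivers are legitimate on a given machine is confirmed against the installed security software in the DDS log, not from this list.

```python
"""Summarise an SSDT hook listing by hooking driver.

Added example: not the poster's code and not any scanner's own output
parser. The sample log is constructed to match the log format above.
"""
import re
from collections import defaultdict

# Two-line record format seen in the log: a "#: <index> Function Name: <name>"
# line followed by a "Status: ..." line.
HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$')
STATUS_RE = re.compile(
    r'^Status:\s*Hooked by\s+"([^"]+)"\s+at address\s+0x([0-9a-fA-F]+)\s*$')

# Constructed sample. The last two hooked entries (unknown.sys, NtExampleCall)
# are made up so an unexpected driver shows up in the report.
SAMPLE_LOG = """\
#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xa8f934d2

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xa8f648ba

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\dwprot.sys" at address 0xa6f66b10

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\dwprot.sys" at address 0xa6f66a84

#: 999 Function Name: NtExampleCall
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\unknown.sys" at address 0xa0000000

#: 1000 Function Name: NtExampleNotHooked
Status: Not hooked
==EOF==
"""

# Assumption for illustration: drivers the analyst has already tied to
# installed security products. Adjust per machine.
EXPECTED_DRIVERS = {"cmdguard.sys", "klif.sys", "dwprot.sys"}


def parse_hooks(text):
    """Return one record per hooked service; entries without a hook are skipped."""
    hooks = []
    pending = None  # (index, function) waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            path = m.group(1)
            hooks.append({
                "index": pending[0],
                "function": pending[1],
                "driver_path": path,
                # Basename, lower-cased: the log mixes System32/system32 spellings.
                "driver": path.rsplit("\\", 1)[-1].lower(),
                "address": int(m.group(2), 16),
            })
        if line.startswith("Status:"):
            pending = None  # every Status line closes the current record
    return hooks


def summarize_by_driver(hooks):
    """Map driver basename -> sorted list of hooked service names."""
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["driver"]].append(h["function"])
    return {d: sorted(f) for d, f in by_driver.items()}


def unexpected_hookers(hooks, expected):
    """Drivers that hook the SSDT but are not on the analyst's expected list."""
    expected = {e.lower() for e in expected}
    return {h["driver"] for h in hooks if h["driver"] not in expected}


def address_spans(hooks):
    """(lowest, highest) hook address per driver. Hooks that really live in
    one driver image fall in a single small range; a hook attributed to a
    driver but far outside its other addresses deserves a second look."""
    spans = {}
    for h in hooks:
        lo, hi = spans.get(h["driver"], (h["address"], h["address"]))
        spans[h["driver"]] = (min(lo, h["address"]), max(hi, h["address"]))
    return spans


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    spans = address_spans(hooks)
    for driver, funcs in sorted(summarize_by_driver(hooks).items()):
        lo, hi = spans[driver]
        print(f"{driver}: {len(funcs)} hook(s), 0x{lo:08x}-0x{hi:08x}")
        for f in funcs:
            print(f"    {f}")
    print("not on expected list:", sorted(unexpected_hookers(hooks, EXPECTED_DRIVERS)))
```

Run as-is it reports on the constructed sample; to use it on a real log, replace SAMPLE_LOG with the file contents and put the drivers you have already verified into EXPECTED_DRIVERS. A driver appearing in the "not on expected list" line is not proof of a rootkit, only the entry to check first against the running processes and installed-software sections of the same DDS log.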




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:36 AM

Posted 14 August 2010 - 07:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:36 AM

Posted 18 August 2010 - 06:27 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
