Can't access popular security related websites


This topic is locked.
3 replies to this topic

#1 fuzzja (Members, 1 post)

Posted 16 September 2010 - 10:28 AM

Hi all,

I use Windows XP SP3, NOD32 AV (Avira currently) and ZoneAlarm firewall.

A few days ago I noticed some suspicious stuff going on: a firewall popup about "services.exe" asking for an internet connection to some Russian IP address, which it had never done before, and every time I boot and start my browser (Opera, but the same problem with IE), on the first try it gives me the following error: "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item." On the second try it opens fine.

I was about to run my AV, NOD32, but failed to find it on the taskbar. I checked Task Manager and its .exe file was still active, however I was unable to open the UI and run a scan.

At that point I knew something was wrong, as I had had similar experiences with viruses in the past. I tried to access eset.com to reinstall the antivirus, however the site did not work. Same for other popular antivirus sites. (On my other Win7 install both sites opened fine.) So I asked a friend to send me the Avira installer, which worked; I installed it and ran a system scan. It found a TR/AGENT.HR.301 trojan, but obviously it didn't help.

I then installed Ad-Aware and ran a full scan; however it started to crash at the end, but it managed to find 6 or so .exe files in temp directories and removed them, but that also didn't help. Spybot S&D did not help either.

Also, the loading time of the taskbar increased hugely: I see the desktop and can move icons, but the taskbar keeps loading for about 4 minutes after boot.

While running GMER I experienced huge slowdown problems in the middle of the scan and crashes when it finished, which, as the taskbar showed, were related to lsass.exe and winlogon.exe running at 50% CPU.

I am at a loss what to do, please help. (For some reason the Choose... button on the UPLOAD window is not working, so I will post attach.txt and ark.txt below DDS.txt.)

-------------------------------------------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by fuzzr at 1:43:27.81 on Thu 09/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3070.2451 [GMT 3:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Documents and Settings\fuzzr\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/custom?domains=entretieneteds.to.md&q=&sitesearch=&client=pub-3439752189615153
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\f4282d43.exe,c:\windows\system32\2db9df62.exe,c:\windows\system32\fee5e928.exe,c:\windows\system32\nywbdp.exe,
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0E1230F8-EA50-42A9-983C-D22ABC2EED3C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincolor.lnk - c:\program files\pro imaging powertoys\microsoft color control panel applet for windows xp\WinColor.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Закачать ВСЕ при помощи Download Master
IE: Закачать при помощи Download Master
IE: {8DAE90AD-4583-4977-9DD4-4360F7A45C74}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mktqmuet.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 213.163.70.142 www.crossfire.nu
Hosts: 66.98.148.65 auto.search.msn.es
Hosts: 194.237.240.138 www.crossfire.nu

============= SERVICES / DRIVERS ===============

R0 25701302;25701302 Boot Guard Driver;c:\windows\system32\drivers\25701302.sys [2009-12-11 37392]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-2-28 39472]
R1 25701301;25701301;c:\windows\system32\drivers\25701301.sys [2009-12-11 128016]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-15 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-6-28 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-15 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-15 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-15 60936]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-6 1684736]
S3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\drivers\hidusbf.sys [2010-9-4 4544]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2009-7-8 3567]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;i:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-2 25832]
S4 gupdate1c988174b063776;Google Update Service (gupdate1c988174b063776);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-09-15 22:39:28 0 d-----w- c:\program files\common files\205b29fc
2010-09-15 22:31:56 20 ----a-w- c:\documents and settings\fuzzr\defogger_reenable
2010-09-15 13:36:40 0 d-----w- c:\docume~1\fuzzr\applic~1\Avira
2010-09-15 13:29:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-15 13:29:17 0 d-----w- c:\program files\Avira
2010-09-15 13:29:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-15 11:29:09 49664 ----a-w- c:\windows\system32\2c725ff0.exe
2010-09-15 11:15:48 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-15 11:15:46 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-09-15 11:15:42 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-09-15 11:11:47 143360 ----a-w- c:\windows\system32\nywbdp.exe
2010-09-15 00:11:30 0 ----a-w- c:\windows\system32\tmp.tmp
2010-09-05 13:45:39 0 d-----w- c:\docume~1\fuzzr\applic~1\Vultures
2010-09-04 13:16:08 4544 ----a-w- c:\windows\system32\drivers\hidusbf.sys
2010-09-03 15:13:53 0 d-----w- c:\program files\Sony
2010-08-31 15:06:03 0 d-----w- c:\docume~1\fuzzr\applic~1\IrfanView

==================== Find3M ====================

2010-09-15 22:31:05 20587 ----a-w- c:\program files\common files\jqyrg4inedzz13m
2010-09-15 11:12:00 45 ----a-w- c:\program files\common files\205b2a20rdp.txt
2010-09-14 22:28:20 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-09-14 22:27:47 233960 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-07 22:35:35 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 21:25:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:45:17 293376 ----a-w- c:\windows\system32\winsrv.dll
2008-08-29 14:35:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 1:43:48.68 ===============


Attach.txt
---------------------------------------------------------------------------------



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/7/2005 18:24:05
System Uptime: 9/16/2010 1:38:39 (0 hours ago)

Motherboard: http://www.abit.com.tw/ | | IP35-E (Intel P35+ICH9/R)
Processor: Intel Pentium III Xeon processor | Socket 775 | 3600/400mhz

==== Disk Partitions =========================


==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Torrent
1-Click YouTube Downloader 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Aion (North America)
Album Art Downloader XUI 0.25
Arcanum Ultima
ARMA 2 Operation Arrowhead Uninstall
ArmA 2 Uninstall
ArmA II Launcher
Aspell English Dictionary-0.50-2
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Baldur's Gate
Baldur's Gate™ II - Throne of Bhaal ™
Call of Duty 2
Call of Duty 2 Patch 1.3
Call of Duty 4 - Modern Warfare™
Call of Duty 4 - Modern Warfare™ 1.4 Patch
Call of Duty 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty 4 - Modern Warfare™ 1.5 Patch
Call of Duty 4 - Modern Warfare™ 1.6 Patch
Call of Duty 4 - Modern Warfare™ 1.7 Patch
CCleaner
CDBurnerXP
CDisplayEx 1.4
Combined Community Codec Pack 2009-09-09
Counter-Strike 1.6
Diablo II
Divine Divinity
Dragon Age: Origins
Eschalon Book 2 1.01
Exact Audio Copy 0.95b3
FileZilla Client 3.3.4.1
Final Fantasy VII
FlashMenu
FLV Player 2.0, build 23
foobar2000 v1.0.3
Foxit Reader
Free M4a to MP3 Converter 6.0
FtpDropper 1.0.0 beta 3
GNU Aspell 0.50-3
Google Earth
Google Update
Gross - training program v4.6
Hamachi 1.0.1.5
Heroes of Newerth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
Huffyuv AVI lossless video codec (Remove Only)
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 18
Java™ 6 Update 3
Magic Bullet Editors Vegas
Marvell Miniport Driver
MeGUI (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AppLocale
Microsoft Color Control Panel Applet for Windows XP
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Tool Web Package:diskpart.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Application Compatibility Database
mIRC
Morrowind
Moviemakers pack
Mp3tag v2.42
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MultiFileRenamer 1.0.17.126
Mumble and Murmur
MyDefrag v4.3.1
NCsoft Launcher
NehrimUninstaller
NNScript
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Oblivion
Octoshape add-in for Adobe Flash Player
Octoshape Streaming Services
OpenAL
OpenOffice.org 3.2
OpenSSL 0.9.8g Light
Opera 10.62
Paragon Partition Manager 9.0 Professional
PokerStrategy.com Equilator
PunkBuster Services
Quake Live Internet Explorer Plugin
Quake Live Mozilla Plugin
Realtek High Definition Audio Driver
Recuva
Return to Castle Wolfenstein
Risen
Rockstar Games Social Club
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player 6.4 (KB925398)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Skype™ 4.2
Software Update for Web Folders
Spotify
Spybot - Search & Destroy
Stellarium 0.10.2
Tag - IGF Professional 2008
Tag&Rename 3.5 beta 5
TES Construction Set
The Witcher Enhanced Edition
Trickster Online
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
VC 9.0 Runtime
Vegas Pro 9.0
Ventinizor 1.3
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
Vuze
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wolfenstein - Enemy Territory
X-ray Anti-Cheat
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall
ZoneAlarm

==== End Of File ===========================


ark.txt
---------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-16 17:56:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\fuzzr\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4295FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4292C80]
SSDT B87FDB86 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4296580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB42AA900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB42AAB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB42AEB10]
SSDT B87FDB7C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB4296670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB4293210]
SSDT B87FDB8B ZwDeleteKey
SSDT B87FDB95 ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB42AA280]
SSDT B87FDB9A ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB42ADF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB4293070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB42AC180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB42ABF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB42AE6F0]
SSDT B87FDBA4 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB4295BE0]
SSDT B87FDB9F ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB4296190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB4293440]
SSDT B87FDB90 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB42AB200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB42AB080]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes [80, 65, 29, B4, 00, A9, 2A, ...]
? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BB7380, 0x566465, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB33BB300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\ithsgt.sys section is writeable [0xB337E300, 0x21770, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB84A8300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[552] kernel32.dll!CreateFileW 7C810800 8 Bytes JMP C8000025
.text C:\WINDOWS\system32\services.exe[552] kernel32.dll!GetFileAttributesExW 7C811195 8 Bytes JMP CB000025
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!CryptEncrypt 77DEE360 8 Bytes JMP CE000025
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!GetWindowTextA 7E43216B 8 Bytes JMP D1000025
.text C:\WINDOWS\system32\services.exe[552] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP FD000025
.text C:\WINDOWS\system32\services.exe[552] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 05000025
.text C:\WINDOWS\system32\services.exe[552] WS2_32.dll!send 71AB4C27 8 Bytes JMP D4000025
.text C:\WINDOWS\system32\services.exe[552] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 02000025
.text C:\WINDOWS\system32\services.exe[552] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP E2000025
.text C:\WINDOWS\system32\services.exe[552] WININET.dll!InternetWriteFile 3D9A60F6 8 Bytes JMP FA000025
.text C:\WINDOWS\Explorer.EXE[1428] kernel32.dll!GetFileAttributesW 7C80B7EC 8 Bytes JMP FF000025
.text C:\WINDOWS\Explorer.EXE[1428] kernel32.dll!CreateFileW 7C810800 8 Bytes JMP 2D000025
.text C:\WINDOWS\Explorer.EXE[1428] kernel32.dll!GetFileAttributesExW 7C811195 8 Bytes JMP C8000025
.text C:\WINDOWS\Explorer.EXE[1428] ADVAPI32.dll!CryptEncrypt 77DEE360 8 Bytes JMP CC000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP F1000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP EB000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP EE000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP E8000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP F4000025
.text C:\WINDOWS\Explorer.EXE[1428] USER32.dll!GetWindowTextA 7E43216B 8 Bytes JMP CF000025
.text C:\WINDOWS\Explorer.EXE[1428] WININET.dll!InternetWriteFile 3D9A60F6 8 Bytes JMP D8000025
.text C:\WINDOWS\Explorer.EXE[1428] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP DB000025
.text C:\WINDOWS\Explorer.EXE[1428] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP E1000025
.text C:\WINDOWS\Explorer.EXE[1428] WS2_32.dll!send 71AB4C27 8 Bytes JMP D2000025
.text C:\WINDOWS\Explorer.EXE[1428] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP DE000025
.text C:\WINDOWS\Explorer.EXE[1428] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP D5000025

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8C 0xE0 0x1F 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0x24 0x3B 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x32 0x54 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE2 0x25 0x59 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4E 0xDB 0x8A 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x13 0x57 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x1F 0xFA 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xE3 0x7B 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x35 0xC7 0xC6 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8C 0xE0 0x1F 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0x24 0x3B 0xE0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x32 0x54 0x79 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE2 0x25 0x59 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4E 0xDB 0x8A 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x13 0x57 0xE3 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- EOF - GMER 1.0.15 ----

Edited by fuzzja, 16 September 2010 - 10:31 AM.
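The DDS "Pseudo HJT Report" above carries three indicators that a responder would pull out before anything else: the Winlogon Userinit value lists four executables after the stock userinit.exe (f4282d43.exe, 2db9df62.exe, fee5e928.exe, nywbdp.exe, the last of which also appears under "Created Last 30"), the SecurityProviders list carries an extra DLL (mktqmuet.dll), and the hosts file pins www.spywareinfo.com to loopback and points two other hostnames at external addresses. The hosts file alone does not explain why eset.com failed to load; the GMER report's user-mode hooks on WS2_32.dll!getaddrinfo, gethostbyname and send inside services.exe and Explorer.EXE are where one would look next for that. The script below is an added example, not a BleepingComputer or DDS tool and not something the poster ran: it parses those report lines and flags the three indicators. The sample input is constructed by copying the relevant lines from the log above; the default Userinit value, the stock SecurityProviders list and the set of vendor domains are assumed baselines for this example.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence and
name-resolution indicators.  Added example; not part of DDS or of the post.

The three baselines below are assumptions made for this example, not values
taken from the forum thread."""
import re

# Stock Windows XP Userinit value is exactly this one path (assumed baseline).
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"

# Stock XP SP3 SecurityProviders list (assumed baseline).
SECURITY_PROVIDERS_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Anti-malware domains a hosts file should never pin (assumed, illustrative list).
PROTECTED_DOMAIN_SUFFIXES = ("spywareinfo.com", "eset.com", "avira.com", "bleepingcomputer.com")

# Constructed sample: the relevant lines copied from the DDS output in the post.
SAMPLE_LOG = r"""
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\f4282d43.exe,c:\windows\system32\2db9df62.exe,c:\windows\system32\fee5e928.exe,c:\windows\system32\nywbdp.exe,
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mktqmuet.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 213.163.70.142 www.crossfire.nu
Hosts: 66.98.148.65 auto.search.msn.es
Hosts: 194.237.240.138 www.crossfire.nu
"""


def parse_dds(text):
    """Return (tag, value) pairs from 'Tag: value' and 'key = value' lines."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(\w+):\s*(.*)$", line) or re.match(r"^([\w ]+?)\s*=\s*(.*)$", line)
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def check_userinit(value):
    """Return every executable Winlogon runs besides the stock userinit.exe.
    Malware appends itself here so it starts before the shell, and the value
    is executed by winlogon.exe, which matches the CPU symptom in the post."""
    paths = [p.strip() for p in value.split("=", 1)[1].split(",") if p.strip()]
    return [p for p in paths if p.lower() != USERINIT_DEFAULT]


def check_security_providers(value):
    """Return DLLs in SecurityProviders that are not in the stock list.
    Anything listed here is loaded into lsass.exe at boot."""
    dlls = [d.strip().lower() for d in value.split(",") if d.strip()]
    return [d for d in dlls if d not in SECURITY_PROVIDERS_BASELINE]


def check_hosts(entries):
    """Flag hosts entries that pin a protected domain or redirect a hostname
    to a non-loopback address.  Returns (host, ip, reason) tuples."""
    findings = []
    for entry in entries:
        parts = entry.split()
        if len(parts) < 2:
            continue
        ip, host = parts[0], parts[1].lower()
        if host.endswith(PROTECTED_DOMAIN_SUFFIXES):
            findings.append((host, ip, "security site pinned in hosts"))
        elif not ip.startswith("127."):
            findings.append((host, ip, "redirected to external address"))
    return findings


def triage(text):
    """Run all three checks over a DDS log and return the findings."""
    items = parse_dds(text)
    report = {"userinit_extra": [], "unknown_security_providers": [], "hosts": []}
    for tag, value in items:
        if tag == "mWinlogon" and value.lower().startswith("userinit="):
            report["userinit_extra"] = check_userinit(value)
        elif tag == "SecurityProviders":
            report["unknown_security_providers"] = check_security_providers(value)
    report["hosts"] = check_hosts([v for t, v in items if t == "Hosts"])
    return report


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_LOG).items():
        print(key)
        for f in findings:
            print("   ", f)
```

Run against the sample it reports four extra Userinit executables, mktqmuet.dll as an unknown security provider, and four hosts entries. The point of keying on Userinit and SecurityProviders rather than on the random filenames is that the filenames change per infection while these two locations are fixed load points that a clean XP box never populates with extra entries.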


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 23 September 2010 - 11:49 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post them in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:52 AM

Posted 27 September 2010 - 02:35 AM

Hello

three day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:52 AM

Posted 30 September 2010 - 05:33 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
