Infected with redirecter rootkit?


  • This topic is locked
1 reply to this topic

#1 The Surb

Posted 03 March 2011 - 04:06 PM

Hi, I think I have a rootkit infection. None of my spyware programs are picking it up, but it keeps redirecting my browser and messing up my antivirus program.

Any help would be much appreciated.

Thank you!


DDS (Ver_10-12-12.02) - NTFSx86
Run by ME at 12:33:16.78 on Thu 03/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.459 [GMT -7:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Cobian Backup 10\cbService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ME\Desktop\dds.scr
C:\Program Files\Java\jre6\bin\jqsnotify.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: bmnet.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290272690265
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\jn97x2zy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2645238&SearchSource=13
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\me\application data\mozilla\firefox\profiles\jn97x2zy.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\me\application data\mozilla\firefox\profiles\jn97x2zy.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\me\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Fetch Text URL: {5B700FEA-FF2A-4746-BB2D-9D26A8EB056D} - %profile%\extensions\{5B700FEA-FF2A-4746-BB2D-9D26A8EB056D}
FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-10-25 294608]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-3 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-3 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-3 267944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-20 40384]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-3 61960]
R2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2011-3-3 1125376]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-3 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-5-6 145408]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-3-3 67584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-11 1684736]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\49d.tmp --> c:\windows\system32\49D.tmp [?]
S3 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-3-11 237568]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-3-11 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 142976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-03-03 19:19:01 -------- d-----w- c:\docume~1\me\applic~1\CheckPoint
2011-03-03 19:17:40 -------- d-----w- c:\docume~1\me\locals~1\applic~1\Conduit
2011-03-03 19:17:39 -------- d-----w- c:\program files\Conduit
2011-03-03 19:17:39 -------- d-----w- c:\docume~1\me\locals~1\applic~1\ZoneAlarm_Security
2011-03-03 19:17:37 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-03-03 19:16:48 -------- d-----w- c:\program files\CheckPoint
2011-03-03 19:16:02 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-03-03 19:16:01 -------- d-----w- c:\windows\system32\ZoneLabs
2011-03-03 19:15:55 -------- d-----w- c:\program files\Zone Labs
2011-03-03 19:15:27 -------- d-----w- c:\windows\Internet Logs
2011-03-03 17:57:24 -------- d-----w- C:\Backup
2011-03-03 16:54:45 -------- d-----w- c:\program files\CCleaner
2011-03-03 16:24:08 -------- d-----w- c:\docume~1\me\locals~1\applic~1\PCHealth
2011-03-03 16:16:11 -------- d-----w- c:\windows\system32\NtmsData
2011-03-03 16:14:34 -------- d-----w- c:\docume~1\me\applic~1\Avira
2011-03-03 16:11:13 61960 ------w- c:\windows\system32\drivers\avgntflt.sys
2011-03-03 16:10:07 -------- d-----w- c:\program files\Avira
2011-03-03 16:10:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-03-03 15:21:59 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-02 15:24:53 25856 -c----w- c:\windows\system32\dllcache\usbprint.sys
2011-03-02 15:24:53 25856 ------w- c:\windows\system32\drivers\usbprint.sys
2011-03-02 15:10:33 14592 -c----w- c:\windows\system32\dllcache\kbdhid.sys
2011-03-02 15:10:33 14592 ------w- c:\windows\system32\drivers\kbdhid.sys
2011-03-01 20:08:04 -------- d-----w- C:\AntiRootkit
2011-03-01 19:58:09 -------- d-----w- C:\RootkitBuster
2011-03-01 19:57:41 190032 ------w- c:\windows\system32\drivers\tmcomm.sys
2011-03-01 19:57:41 -------- d-----w- c:\documents and settings\me\log
2011-03-01 15:35:27 -------- d-----w- C:\spoolerlogs
2011-03-01 12:41:59 11776 ------w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-03-01 12:41:37 -------- d-----w- c:\program files\common files\xing shared
2011-03-01 12:41:24 150712 ------w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-03-01 12:41:14 100864 ------w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-03-01 08:50:24 5943120 ------w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{c86b366d-d922-4b76-a9a7-7f81550ed653}\mpengine.dll
2011-02-14 19:20:02 -------- d-----w- C:\New Folder (3)
2011-02-14 18:41:50 -------- d-----w- c:\program files\TrueSwitchEC
2011-02-14 11:18:23 -------- d-----w- C:\Research in Motion
2011-02-14 11:18:23 -------- d-----w- c:\program files\AT&T
2011-02-13 15:03:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\AT&T
2011-02-13 08:44:02 -------- d-----w- c:\docume~1\me\applic~1\Bytemobile
2011-02-13 08:43:56 -------- d-----w- c:\docume~1\me\applic~1\DBUpdater
2011-02-13 08:43:53 27072 ------w- c:\windows\system32\drivers\PCASp50.sys
2011-02-13 08:43:52 -------- d-----w- c:\docume~1\me\applic~1\AT&T
2011-02-13 08:43:40 26760 ------w- c:\windows\system32\drivers\swmsflt.sys
2011-02-13 08:31:23 26496 ------r- c:\windows\system32\drivers\RimSerial.sys
2011-02-13 08:31:06 -------- d-----w- c:\program files\common files\Motorola Shared
2011-02-13 08:30:44 -------- d-----w- c:\program files\common files\Research in Motion
2011-02-13 08:29:01 -------- d-----w- c:\program files\Option
2011-02-13 08:26:54 -------- d-----w- c:\program files\Sierra Wireless Inc
2011-02-13 08:26:54 -------- d-----w- c:\docume~1\me\applic~1\Sierra Wireless
2011-02-09 04:54:25 -------- d-----w- c:\docume~1\me\applic~1\pokerth
2011-02-09 04:52:23 -------- d-----w- c:\program files\PokerTH
2011-02-08 03:05:14 -------- d-----w- c:\program files\Everest Poker
2011-02-08 03:04:48 1187032 ------w- C:\setup.exe
2011-02-08 03:00:28 -------- d-----w- c:\program files\PokerStars
2011-02-08 02:48:24 -------- d-----w- c:\docume~1\me\applic~1\SpinTop
2011-02-02 18:39:17 -------- d-----w- c:\program files\Sophos

==================== Find3M ====================

2011-03-01 12:41:05 499712 ------w- c:\windows\system32\msvcp71.dll
2011-03-01 12:41:05 348160 ------w- c:\windows\system32\msvcr71.dll
2011-02-03 00:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-13 08:47:35 38848 ------w- c:\windows\avastSS.scr

============= FINISH: 12:41:57.03 ===============
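The DDS log above is the kind of dump a malware-response volunteer reads by eye. The script below is an added example (not part of the original post and not DDS's own code) that does a first pass mechanically: it parses the line shapes DDS emits (the AV: header lines, uStart Page = ..., uURLSearchHooks:, LSP: dll, FF - prefs.js: name - value, and the R1/S3 service lines of the form state name;display;image [date size]) and applies four heuristics: start/search URLs that point at a host in REDIRECT_HOSTS (an assumption; only search.conduit.com is listed here because that is what this log shows), any URLSearchHook or Winsock LSP (both sit in the request path and can rewrite or inspect traffic), more than one enabled real-time antivirus, and services whose image is a .tmp file or that DDS could not resolve (the --> path [?] form). The SAMPLE string is an excerpt of the lines from the post, so the test values below reflect this log.

```python
"""Triage a DDS log for search-hijack and redirect indicators.

Added example, not DDS's own code. Every finding is a prompt for a human
to look at the line, not a verdict; several of the hits on the sample log
have benign explanations elsewhere in the same log (see the usage note).
"""
import re
from dataclasses import dataclass

# Assumption: hosts known to replace a user's home/search page. Extend as needed.
REDIRECT_HOSTS = ("search.conduit.com",)

# Browser preferences whose value is a URL worth checking.
IE_PREFS = ("uStart Page", "mStart Page", "uSearch Page", "mSearch Page",
            "uDefault_Page_URL", "mDefault_Page_URL")
FF_PREFS = ("browser.search.defaulturl", "browser.startup.homepage", "keyword.URL")

PREF_RE = re.compile(r"^(%s)\s*=\s*(.*)$" % "|".join(re.escape(p) for p in IE_PREFS))
FFPREF_RE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")
HOOK_RE = re.compile(r"^[um]URLSearchHooks:\s*(.*)$")
SVC_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
URL_RE = re.compile(r"^(?:hxxp|http)s?://([^/?#]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    detail: str  # the evidence, taken from the log line


def url_host(value):
    """Host part of a de-fanged (hxxp://) or normal URL, lower-cased, else None."""
    m = URL_RE.match(value.strip())
    return m.group(1).lower() if m else None


def is_redirect_host(host):
    return host is not None and any(
        host == h or host.endswith("." + h) for h in REDIRECT_HOSTS)


def triage(dds_text):
    """Scan a DDS log and return the Findings in log order."""
    findings = []
    enabled_av = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AV:") and "*Enabled" in line:
            enabled_av.append(line[3:].split("*")[0].strip())  # product name
            continue
        m = PREF_RE.match(line)
        if m:
            host = url_host(m.group(2))
            if is_redirect_host(host):
                findings.append(Finding("browser-redirect", f"{m.group(1)} -> {host}"))
            continue
        m = FFPREF_RE.match(line)
        if m:
            host = url_host(m.group(2))
            if m.group(1) in FF_PREFS and is_redirect_host(host):
                findings.append(Finding("browser-redirect", f"Firefox {m.group(1)} -> {host}"))
            continue
        m = HOOK_RE.match(line)
        if m:
            findings.append(Finding("search-hook", m.group(1)))
            continue
        if line.startswith("LSP:"):
            findings.append(Finding("lsp", line[4:].strip()))
            continue
        m = SVC_RE.match(line)
        if m:
            state, name, _display, image = m.groups()
            if ".tmp" in image.lower():          # driver loaded from a temp file
                findings.append(Finding("service-tmp-image", f"{state} {name}: {image}"))
            if image.endswith("[?]"):            # DDS could not read date/size of the image
                findings.append(Finding("service-unresolved", f"{state} {name}: {image}"))
    if len(enabled_av) > 1:                      # two resident scanners fight each other
        findings.append(Finding("multiple-av", ", ".join(enabled_av)))
    return findings


def summarize(findings):
    """Count findings per heuristic for a one-line overview."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Excerpt of the DDS log from the post above (verbatim lines, sections trimmed).
SAMPLE = r"""
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled*
============== Pseudo HJT Report ===============
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
uSearch Page =
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: bmnet.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2645238&SearchSource=13
FF - prefs.js: keyword.URL -
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-10-25 294608]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\49d.tmp --> c:\windows\system32\49D.tmp [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:18} {f.detail}")
    print(summarize(triage(SAMPLE)))
```

On this log the script reports three browser-redirect hits (the IE start page and both Firefox search/home preferences point at search.conduit.com), one URLSearchHook and one LSP, two enabled real-time scanners, and the MEMSWEEP2 driver loaded from a .tmp file. Read against the rest of the post, each has a plausible non-malware explanation that a reviewer should check rather than assume: the Conduit and ZoneAlarm_Security directories were created in the same minute (19:17:39 on 2011-03-03) and the selected Firefox engine is "ZoneAlarm Security Customized Web Search", so the Conduit redirect arrived with that toolbar; bmnet.dll sits next to a Bytemobile directory created with the AT&T Communication Manager install on 2011-02-13; MEMSWEEP2 is the driver the Sophos Anti-Rootkit tool loads, and c:\program files\Sophos appears in Created Last 30. The unresolved ([?]) rule also fires on vsmon.exe, which is visibly running, so that marker alone means only that DDS could not read the file. Running Avira AntiVir and avast! together as resident scanners is the one item that needs no further evidence: two real-time engines on one Windows XP box routinely interfere with each other.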

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:17 PM

Posted 06 March 2011 - 11:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.




Proud Graduate Of Malware Removal University



