Rootkit ZeroAccess


  • This topic is locked
27 replies to this topic

#1 DeltaGSM

DeltaGSM

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 10 June 2011 - 08:19 AM

I have the same problem as the member in this post
http://www.bleepingcomputer.com/forums/topic402589.html

I have run ComboFix, which said
[image]

Any help you can give would be much appreciated.
ComboFix log attached

Kind regards

ComboFix 11-06-09.06 - user 10/06/2011 11:09:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1720 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-07 14:15 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-06-07 14:15 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-06-07 14:13 . 2001-08-17 11:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2011-06-07 14:12 . 2001-08-17 13:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2011-06-07 14:11 . 2001-07-21 13:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2011-06-07 14:10 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-06-07 14:09 . 2001-08-17 21:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-06-07 14:08 . 2001-08-17 11:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-06-07 14:07 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-06-07 14:06 . 2001-08-17 12:28 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-06-07 14:05 . 2001-08-17 12:28 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2011-06-07 14:04 . 2001-08-17 12:50 17152 -c--a-w- c:\windows\system32\dllcache\cyclad-z.sys
2011-06-07 14:03 . 2001-08-17 12:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-06-07 14:02 . 2001-08-17 11:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-06-01 16:14 . 2011-06-01 16:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-01 16:14 . 2011-06-01 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-05-26 14:28 . 2011-05-26 15:27 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2011-05-26 14:26 . 2011-05-26 14:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple
2011-05-26 14:26 . 2011-05-26 14:26 -------- d-----w- c:\program files\Apple Software Update
2011-05-26 14:25 . 2011-02-18 15:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-26 14:25 . 2011-02-18 15:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-26 14:25 . 2011-05-26 14:25 -------- d-----w- c:\program files\Bonjour
2011-05-26 14:25 . 2011-05-26 14:27 -------- d-----w- c:\program files\Common Files\Apple
2011-05-26 14:25 . 2011-05-26 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-05-26 14:24 . 2011-05-26 14:28 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple Computer
2011-05-25 15:03 . 2011-06-09 21:09 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2011-05-22 15:17 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-22 15:17 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-22 14:49 . 2011-05-22 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2011-05-21 14:46 . 2011-06-06 19:26 -------- d-----w- c:\program files\FlashFXP 4
2011-05-20 13:31 . 2011-05-20 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaAccount
2011-05-20 13:24 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-05-20 13:24 . 2011-05-20 13:24 -------- d-----w- c:\program files\PC Connectivity Solution
2011-05-20 13:23 . 2010-12-02 14:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-05-20 13:23 . 2010-12-02 14:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-05-20 13:23 . 2010-12-02 14:13 23168 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-05-20 13:23 . 2010-12-02 14:13 18304 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-05-19 23:54 . 2011-06-07 15:32 -------- d-----w- c:\documents and settings\user\Application Data\MailFrontier
2011-05-19 23:50 . 2010-08-29 01:53 72704 ----a-w- c:\windows\zllsputility.exe
2011-05-19 23:50 . 2009-10-12 17:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2011-05-19 23:49 . 2010-08-29 01:53 69120 ----a-w- c:\windows\system32\zlcomm.dll
2011-05-19 23:49 . 2010-08-29 01:53 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2011-05-19 23:49 . 2011-05-21 11:41 -------- d-----w- c:\windows\system32\ZoneLabs
2011-05-19 23:49 . 2010-08-29 01:53 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-05-19 23:49 . 2011-05-19 23:49 -------- d-----w- c:\program files\Zone Labs
2011-05-19 23:43 . 2011-06-10 09:58 -------- d-----w- c:\windows\Internet Logs
2011-05-19 23:30 . 2011-05-19 23:30 -------- d-----w- c:\documents and settings\user\Application Data\CheckPoint
2011-05-19 23:22 . 2011-05-19 23:43 -------- d-----w- c:\program files\CheckPoint
2011-05-19 23:18 . 2011-06-07 18:16 -------- d-----w- c:\program files\SIW
2011-05-19 15:45 . 2011-05-19 15:45 -------- d-----w- c:\program files\Common Files\Java
2011-05-19 10:53 . 2011-05-19 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-18 19:07 . 2008-12-17 12:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-05-18 19:07 . 2008-06-15 08:13 6144 ----a-w- c:\windows\system32\ff_acm.acm
2011-05-18 19:07 . 2008-06-14 21:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-05-18 19:07 . 2008-06-14 21:01 258352 ----a-w- c:\windows\system32\unicows.dll
2011-05-17 09:19 . 2011-05-17 09:19 -------- d-----w- c:\program files\Common Files\XoftSpySE
2011-05-16 19:47 . 2011-05-16 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-05-16 19:47 . 2011-05-16 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2011-05-16 19:47 . 2011-05-17 09:28 -------- d-----w- c:\program files\XoftSpySE6
2011-05-16 18:21 . 2009-02-10 20:03 712704 ----a-w- c:\windows\system32\hposwia_d02c.dll
2011-05-16 18:21 . 2009-02-10 20:03 589824 ----a-w- c:\windows\system32\hpost_d02c.dll
2011-05-16 18:21 . 2009-02-10 20:03 315392 ----a-w- c:\windows\system32\hposc_d02a.dll
2011-05-16 18:21 . 2008-10-28 10:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-16 18:20 . 2009-08-10 14:07 89600 ----a-w- c:\windows\system32\drivers\GemCCID.sys
2011-05-16 18:20 . 2011-05-29 13:04 -------- d-----w- C:\ErdUndoCache
2011-05-16 18:20 . 2006-11-10 08:25 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-05-16 11:53 . 2011-05-16 11:53 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-05-15 20:19 . 2011-06-09 21:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 15:41 . 2011-05-15 15:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2011-05-15 15:35 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-05-15 15:35 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-05-15 15:34 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-05-15 15:34 . 2009-04-16 13:08 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2011-05-15 15:34 . 2009-04-15 21:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2011-05-15 15:32 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-05-15 15:32 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-05-13 22:25 . 2011-05-13 22:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Google
2011-05-12 17:57 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-05-11 20:00 . 2011-05-11 20:00 -------- d-----w- c:\windows\system32\Lang
2011-05-11 20:00 . 2009-03-13 10:01 997912 ----a-w- c:\windows\system32\igxpun.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2011-02-13 18:36 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2011-02-13 18:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 04:07 . 2010-11-02 02:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 01:40 . 2010-11-02 02:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 12:14 . 2011-04-01 12:11 13816 ----a-w- c:\windows\system32\unikey.sys
2011-04-29 12:12 . 2011-03-25 09:15 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-09_21.44.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-10 10:08 . 2011-06-10 10:08 16384 c:\windows\Temp\Perflib_Perfdata_3b8.dat
+ 2011-06-10 07:02 . 2011-06-10 07:02 34362 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0019.dat
+ 2011-06-10 07:02 . 2011-06-10 07:02 73652 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0016.dat
- 2011-06-09 19:02 . 2011-06-09 19:02 73652 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0016.dat
+ 2011-06-10 07:02 . 2011-06-10 07:02 89933 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-06-10 07:02 . 2011-06-10 07:02 76815 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0020.dat
+ 2011-06-02 23:00 . 2011-06-10 07:02 34810 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0019.dat
+ 2011-05-20 00:05 . 2011-06-10 07:02 73653 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0016.dat
+ 2011-05-20 00:05 . 2011-06-10 07:02 89933 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-05-20 00:05 . 2011-06-10 07:02 76844 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0020.dat
+ 2011-06-02 23:00 . 2011-06-10 07:02 34810 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0019.dat
+ 2011-05-20 00:07 . 2011-06-10 07:02 73653 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0016.dat
+ 2011-05-19 23:50 . 2011-06-10 07:02 89933 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-05-20 00:05 . 2011-06-10 07:02 76844 c:\windows\system32\ZoneLabs\avsys\bases\apu0020.dat
- 2010-11-03 10:24 . 2011-06-09 14:21 4212 c:\windows\system32\zllictbl.dat
+ 2010-11-03 10:24 . 2011-06-09 22:09 4212 c:\windows\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-05-14 08:45 33624064 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 00:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-03-13 10:01 142360 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 12:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"fsssvc"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\DreamBoxEdit\\DreamBoxEdit.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/02/2011 19:36 366640]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/01/2011 15:40 68928]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/02/2011 19:35 22712]
S3 cpuz134;cpuz134;\??\c:\docume~1\user\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\user\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 ECSIoDriver_1_1_0_0;ECSIoDriver_1_1_0_0;\??\c:\program files\ECS Motherboard Utility\eDLU\ECSIoDriver.sys --> c:\program files\ECS Motherboard Utility\eDLU\ECSIoDriver.sys [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [16/05/2011 19:20 89600]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [22/12/2010 16:46 28160]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [16/11/2010 22:36 30329]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [09/05/2011 22:52 1358720]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [29/09/2010 19:43 582424]
S3 ZTE_usbport;ZTE CMCC COM;c:\windows\system32\drivers\ZTE_usbport.sys [05/03/2009 00:58 96128]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [01/04/2011 12:38 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [01/04/2011 12:38 105856]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-448539723-839522115-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-13 22:25]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-448539723-839522115-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-13 22:25]
.
2011-06-09 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-09-29 21:58]
.
2011-06-10 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-09-29 21:58]
.
2011-06-08 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2010-09-29 18:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 129.186.205.77:3128
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\IObit\Advanced SystemCare 3\SPICtrl.dll
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
DPF: {0920DBB1-D098-4ACE-9DDD-7A6F18A9ED66} - hxxps://britishgastopup.paypoint.com/HomeVend.cab
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} - hxxps://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\3kj63c21.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=F7m9n1hO&q=
FF - prefs.js: network.proxy.http - 193.136.124.228
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=F7m9n1hO&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 11:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-10 11:17:35
ComboFix-quarantined-files.txt 2011-06-10 10:17
ComboFix2.txt 2011-06-09 21:46
.
Pre-Run: 15,302,983,680 bytes free
Post-Run: 15,291,723,776 bytes free
.
- - End Of File - - 4A09F458216168063411C6BC5211B930

Edited by Noviciate, 10 June 2011 - 02:30 PM.
Added CF log from attachment.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:44 PM

Posted 10 June 2011 - 02:54 PM

Good evening. :)

Please download Rootkit Unhooker from here and save it to your Desktop - you will need to unzip it before you continue.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


  • Disable your anti-virus real-time protection as it may interfere with the scanner.
  • Open the RKUnhookerLE folder and double click RKUnhookerLE.EXE to begin.
  • Click the Report Tab at the top right and then the Scan button at the bottom.
  • Ensure that Drivers, Stealth, Files and Code Hooks are checked and the rest aren't and then click OK.
  • Put the kettle on while you wait for the first part of the scan to complete.
  • When prompted to Select Disks for Scan ensure that only C:\ is checked and then click OK.
  • Open the biscuits while you wait for the second part of the scan to complete.
  • Once complete, click File > Report and save the file somewhere handy - the Desktop is as good a place as any.
  • Click Close to... well...close the scanner and confirm it in the next Window.
Let me have the contents of the log that you saved in your next reply.

So long, and thanks for all the fish.

 

 


#3 DeltaGSM

DeltaGSM
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 10 June 2011 - 03:19 PM

Thank you for your reply.
As requested, please find attached the report from RKUnhookerLE.EXE.
Kind Regards

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9BAB000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6279168 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBA2E0000 kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xBF2E9000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF059000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA962E000 C:\WINDOWS\System32\vsdatant.sys 524288 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xA9549000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9A0E000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA9706000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9792000 C:\WINDOWS\system32\DRIVERS\klif.sys 311296 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wxp_x86])
0xA8DFB000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 217088 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB9ADF000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF7436000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA95B9000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9B6F000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA96DE000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA96AE000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9B4B000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9ABC000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA95E4000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF747A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF741C000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7463000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9B20000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA93F2000 C:\WINDOWS\system32\DRIVERS\WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xA929C000 C:\WINDOWS\System32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB9B37000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9B97000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA975F000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9B0F000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7697000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7567000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF76A7000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7687000 C:\WINDOWS\system32\DRIVERS\l251x86.sys 53248 bytes (Atheros Communications, Inc., Atheros Fast Ethernet Controller ndis miniport driver)
0xF76B7000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76D7000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA238000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76C7000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7587000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76F7000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA8F04000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7537000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7677000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF76E7000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7527000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF7547000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7757000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF776F000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7807000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF777F000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77CF000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7767000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF780F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF781F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77AF000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF778F000 C:\WINDOWS\System32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF77BF000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7717000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77C7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA97E6000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xBA2A8000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA93CE000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7937000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA97F6000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF793F000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA2B0000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7943000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA250000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA2A4000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF79A3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF799F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79A7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79B5000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79AB000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7995000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF799B000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A94000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7A6F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A6E000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb::$DATA
!-->[Hidden] C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb::$DATA
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D988, Type: Inline - RelativeJump 0x804E4988-->804E49F9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D9D4, Type: Inline - RelativeJump 0x804E49D4-->804E4989 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D9F4, Type: Inline - RelativeJump 0x804E49F4-->804E49A5 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA20, Type: Inline - RelativeJump 0x804E4A20-->804E49D1 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA8C, Type: Inline - RelativeJump 0x804E4A8C-->804E4AA2 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA98, Type: Inline - RelativeJump 0x804E4A98-->804E4A48 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DAAC, Type: Inline - RelativeJump 0x804E4AAC-->804E4A61 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DAB8, Type: Inline - RelativeCall 0x804E4AB8-->ECA966A4 [unknown_code_page]
ntoskrnl.exe+0x0000DAC4, Type: Inline - RelativeJump 0x804E4AC4-->804E4A75 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DB50, Type: Inline - RelativeJump 0x804E4B50-->804E4B01 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DB6C, Type: Inline - RelativeJump 0x804E4B6C-->804E4B1D [ntoskrnl.exe]
ntoskrnl.exe+0x0000DBA0, Type: Inline - RelativeJump 0x804E4BA0-->804E4B51 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DBD0, Type: Inline - RelativeJump 0x804E4BD0-->804E4B89 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DC00, Type: Inline - RelativeJump 0x804E4C00-->804E4C26 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DC24, Type: Inline - RelativeJump 0x804E4C24-->804E4C46 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCC4, Type: Inline - RelativeJump 0x804E4CC4-->804E4D17 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCFC, Type: Inline - RelativeJump 0x804E4CFC-->804E4CAD [ntoskrnl.exe]
ntoskrnl.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump 0x804F45B3-->A97A69D4 [klif.sys]
ntoskrnl.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump 0x804EAFCE-->A97A6DAE [klif.sys]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xA9745428-->A9658B56 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA9745454-->A9658364 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xA9745460-->A965850E [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF754CB4C-->A9658B56 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF754CB1C-->A9656ABE [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF754CB3C-->A9658364 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF754CB28-->A965850E [vsdatant.sys]
[1396]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[1396]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[3328]plugin-container.exe-->user32.dll-->GetWindowInfo, Type: Inline - RelativeJump 0x7E42C49C-->104C7187 [xul.dll]
[3328]plugin-container.exe-->user32.dll-->SetWindowLongA, Type: Inline - RelativeJump 0x7E42C29D-->10698DD9 [xul.dll]
[3328]plugin-container.exe-->user32.dll-->SetWindowLongW, Type: Inline - RelativeJump 0x7E42C2BB-->10698D6B [xul.dll]
[3328]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->104C7781 [xul.dll]
[3764]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00401410 [firefox.exe]

Edited by Noviciate, 10 June 2011 - 03:42 PM.
Added log from attachment.
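Reading a hook report like the one above line by line is tedious, and the line that matters most is easy to miss. As an added example (not from this thread or from any of the tools mentioned in it), here is a small Python triage script that parses hook lines in that format and flags any redirection whose owner is `unknown_code_page`, i.e. a destination that no loaded module accounts for; treating `klif.sys` and `vsdatant.sys` as expected hooks is an assumption taken from the GMER output that identifies them as Kaspersky and ZoneAlarm drivers, and the sample lines are a constructed subset of the posted report.

```python
import re
from collections import Counter

# Constructed sample: one line of each kind, in the same format as the
# ">Hooks" section of the posted report.
SAMPLE_HOOKS = """\
ntoskrnl.exe+0x0000DA8C, Type: Inline - RelativeJump 0x804E4A8C-->804E4AA2 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DAB8, Type: Inline - RelativeCall 0x804E4AB8-->ECA966A4 [unknown_code_page]
ntoskrnl.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump 0x804EAFCE-->A97A6DAE [klif.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA9745454-->A9658364 [vsdatant.sys]
[1396]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[3764]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00401410 [firefox.exe]
"""

# Assumption for this example: drivers that the GMER log in this thread
# attributes to installed security products (Kaspersky, ZoneAlarm).
SECURITY_PRODUCT_MODULES = {"klif.sys", "vsdatant.sys"}

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?"        # optional [pid] prefix on user-mode hooks
    r"(?P<chain>[^,]+), Type: "      # image / module / function chain
    r"(?P<kind>.+?) "                # "Inline - RelativeJump", "IAT modification", ...
    r"0x(?P<src>[0-9A-Fa-f]+)-->"    # hooked address
    r"(?P<dst>[0-9A-Fa-f]+) "        # where control is redirected to
    r"\[(?P<owner>[^\]]+)\]$"        # module that owns the destination, if any
)


def parse_hook(line):
    """Return a dict for one hook line, or None if the line is not a hook."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["src"] = int(rec["src"], 16)
    rec["dst"] = int(rec["dst"], 16)
    # First element of the chain is the image whose code or IAT was modified.
    rec["image"] = re.split(r"-->|\+0x", rec["chain"], maxsplit=1)[0]
    return rec


def classify(rec):
    """Triage verdict for a parsed hook record."""
    owner = rec["owner"]
    if owner == "unknown_code_page":
        # Control leaves every loaded module: what a kernel rootkit looks like.
        return "critical"
    if owner.lower() == rec["image"].lower():
        # Redirect stays inside the hooked image (hot-patch / relocation noise).
        return "self"
    if owner.lower() in SECURITY_PRODUCT_MODULES:
        return "expected"
    return "review"


def triage(report_text):
    """Parse a hook report; return (records with verdicts, counts by verdict)."""
    records = []
    for line in report_text.splitlines():
        rec = parse_hook(line)
        if rec:
            rec["verdict"] = classify(rec)
            records.append(rec)
    return records, Counter(r["verdict"] for r in records)


if __name__ == "__main__":
    recs, counts = triage(SAMPLE_HOOKS)
    for r in recs:
        print(f'{r["verdict"]:9s} {r["kind"]:22s} {r["chain"]} -> {r["owner"]}')
    print(dict(counts))
```

Anything classed "critical" is the line to act on; "review" lines (here the app-compat shim engine shimeng.dll) still need a human look, while "self" and "expected" are the noise that makes the raw list hard to read.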


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 June 2011 - 03:52 PM

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log into your next reply. The Preview option on the forum may show the whole log being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.

#5 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 10 June 2011 - 04:41 PM

Thank you for your reply; as requested, the log file is posted below.
Kind Regards

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-10 22:40:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-5 ST340014AS rev.3.00
Running: o1bcwmms.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fxtcypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA97B1542]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwClose [0xA97B1DBA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA96532EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateEvent [0xA97B2DCC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA964C8CC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA966E0E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateMutant [0xA97B2CA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA97B1148]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA9653ABE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA9667F82]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA96683AA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA967283C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA97B2EFE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA97B4784]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateThread [0xA97B1A58]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA9653C1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA97B4176]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA964D78E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA966FB8E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA966F484]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA97B2524]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA9666D66]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateKey [0xA97B0E80]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA97B0F2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwFsControlFile [0xA97B2330]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwLoadDriver [0xA97B4208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA9670558]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA9670796]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xA9672BF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA97B1076]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenEvent [0xA97B2E6E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA964D280]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenKey [0xA97B0592]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenMutant [0xA97B2D3C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA966A49A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSection [0xA97B47AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA97B2FA0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA966A088]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryKey [0xA97B0FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA97B0BFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQuerySection [0xA97B4B50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryValueKey [0xA97B084C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueueApcThread [0xA97B449E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA967161E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA9670F12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyPort [0xA97B332A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA97B31F0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA9652E84]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA967207E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwResumeThread [0xA97B5028]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSaveKey [0xA97B01FE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA96535B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetContextThread [0xA97B1C76]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA964DB98]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetInformationToken [0xA97B386C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA9671BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA97B4C90]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA966EBA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendProcess [0xA97B4D74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendThread [0xA97B4E9C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA96690A6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xA9668DD6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwTerminateThread [0xA97B180E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA97B4A06]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA97B1998]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 June 2011 - 04:52 PM

Please download maxhandle.exe by noahdfear from here and save it to your Desktop.

  • Double click the file to run it and a new window will open.
  • If Max++ isn't present then the window will tell you this.
  • If Max++ is present a log that will be produced should automatically open - a copy of which will be saved as C:\maxhandle.txt.
  • Please post the log in your next reply, if you get one, or let me know if you don't.

* Please note that an active internet connection is needed for the scan to complete, as it needs additional tools that it will automatically download.

#7 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 10 June 2011 - 04:58 PM

Hello
After running maxhandle.exe, the window that appeared said Nothing Found and no log was created.

Edited by DeltaGSM, 11 June 2011 - 11:29 AM.


#8 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 11 June 2011 - 11:31 AM

Hello
I'm just wondering, is there anything else that I need to run?
Kind regards

#9 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 June 2011 - 02:10 PM

Good evening.

Let's go back one stage - why did you run ComboFix in the first place? Were you seeing signs of an infection?

#10 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 12 June 2011 - 04:42 PM

I ran ComboFix because I knew that something wasn't right with my computer.
Regards

#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 June 2011 - 05:21 PM

Can you offer something more conclusive - symptoms of what kind?

#12 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 12 June 2011 - 05:28 PM

My internet speed had slowed down quite a lot from what it usually is; that is why I ran ComboFix.
Regards

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 June 2011 - 01:56 PM

Good evening. :)

Will you go here, follow steps 6 and 7, posting accordingly and then do the following:

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:
    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

#14 DeltaGSM

  • Topic Starter
  • Members
  • 15 posts

Posted 13 June 2011 - 06:59 PM

Hello
Thank you for your reply.
After following the instructions, disabling my CD emulation software and running DDS, I then ran the ESET Online Scanner, which found nothing.

The logs from running DDS are attached below
Kind Regards

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by user at 0:53:06 on 2011-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1272 [GMT 1:00]
.
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = 219.137.229.210:3128
uInternet Settings,ProxyOverride = *.local
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\iobit\advanced systemcare 3\SPICtrl.dll
DPF: {0920DBB1-D098-4ACE-9DDD-7A6F18A9ED66} - hxxps://britishgastopup.paypoint.com/HomeVend.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://eic.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} - hxxps://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288543386231
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288662169609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{73E9FC42-EDB4-4565-8FCE-42B382441E3E} : DhcpNameServer = 192.168.1.30
TCP: Interfaces\{907861A9-9D6B-411D-9B8C-51FCA4689A0F} : DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{FD0684D3-0336-49A5-A1F3-30ECA4296EAC} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\3kj63c21.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=F7m9n1hO&q=
FF - prefs.js: network.proxy.http - 219.137.229.210
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=F7m9n1hO&q=
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-5-20 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-5-20 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-5-20 528128]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-13 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-13 22712]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-1-12 68928]
S3 cpuz134;cpuz134;\??\c:\docume~1\user\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 ECSIoDriver_1_1_0_0;ECSIoDriver_1_1_0_0;\??\c:\program files\ecs motherboard utility\edlu\ecsiodriver.sys --> c:\program files\ecs motherboard utility\edlu\ECSIoDriver.sys [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2011-5-16 89600]
S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2010-12-22 28160]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11c7.tmp --> c:\windows\system32\11C7.tmp [?]
S3 Navcar;Navman In-car Navigator USB Driver Service;c:\windows\system32\drivers\Navcar.sys [2010-11-16 30329]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-5-9 1358720]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2010-9-29 582424]
S3 ZTE_usbport;ZTE CMCC COM;c:\windows\system32\drivers\ZTE_usbport.sys [2009-3-5 96128]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2011-4-1 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2011-4-1 105856]
.
=============== Created Last 30 ================
.
2011-06-13 19:53:42 -------- d-----w- c:\program files\ESET
2011-06-13 19:43:13 -------- d-----w- c:\program files\Cobian Backup 10
2011-06-11 11:32:03 -------- d-----w- c:\documents and settings\user\Tracing
2011-06-10 13:12:00 12567 ----a-w- c:\windows\look.bat
2011-06-10 13:11:05 333176 ----a-w- c:\windows\Listdlls.exe
2011-06-10 13:11:03 423288 ----a-w- c:\windows\handle.exe
2011-06-09 21:29:52 -------- d-sha-r- C:\cmdcons
2011-06-07 14:15:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-06-07 14:15:00 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-06-07 14:13:59 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2011-06-07 14:12:59 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2011-06-07 14:11:58 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2011-06-07 14:10:58 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-06-07 14:09:59 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-06-07 14:08:59 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-06-07 14:07:59 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-06-07 14:06:59 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-06-07 14:05:59 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2011-06-07 14:04:59 17152 -c--a-w- c:\windows\system32\dllcache\cyclad-z.sys
2011-06-07 14:03:42 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-06-07 14:02:59 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-05-26 14:26:08 -------- d-----w- c:\documents and settings\user\local settings\application data\Apple
2011-05-26 14:25:52 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-26 14:25:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-26 14:25:24 -------- d-----w- c:\program files\Bonjour
2011-05-26 14:24:25 -------- d-----w- c:\documents and settings\user\local settings\application data\Apple Computer
2011-05-25 15:03:48 -------- d-----w- c:\documents and settings\user\local settings\application data\Temp
2011-05-22 15:17:50 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-22 15:17:50 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-22 14:49:03 -------- d-----w- c:\documents and settings\all users\application data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2011-05-21 14:46:40 -------- d-----w- c:\program files\FlashFXP 4
2011-05-20 13:31:37 -------- d-----w- c:\documents and settings\all users\application data\NokiaAccount
2011-05-20 13:24:27 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-05-20 13:24:17 -------- d-----w- c:\program files\PC Connectivity Solution
2011-05-20 13:23:52 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-05-20 13:23:50 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-05-20 13:23:49 23168 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-05-20 13:23:47 18304 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-05-19 23:54:47 -------- d-----w- c:\documents and settings\user\application data\MailFrontier
2011-05-19 23:50:39 72704 ----a-w- c:\windows\zllsputility.exe
2011-05-19 23:50:37 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2011-05-19 23:49:43 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-05-19 23:49:43 -------- d-----w- c:\windows\system32\ZoneLabs
2011-05-19 23:49:40 -------- d-----w- c:\program files\Zone Labs
2011-05-19 23:43:58 -------- d-----w- c:\windows\Internet Logs
2011-05-19 23:30:01 -------- d-----w- c:\documents and settings\user\application data\CheckPoint
2011-05-19 23:22:46 -------- d-----w- c:\program files\CheckPoint
2011-05-19 10:53:06 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-05-18 19:07:25 6144 ----a-w- c:\windows\system32\ff_acm.acm
2011-05-18 19:07:25 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-05-18 19:07:25 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-05-18 19:07:25 258352 ----a-w- c:\windows\system32\unicows.dll
2011-05-17 09:19:23 -------- d-----w- c:\program files\common files\XoftSpySE
2011-05-16 19:47:37 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2011-05-16 19:47:35 -------- d-----w- c:\documents and settings\all users\application data\XoftSpySE
2011-05-16 19:47:32 -------- d-----w- c:\program files\XoftSpySE6
2011-05-16 18:21:26 712704 ----a-w- c:\windows\system32\hposwia_d02c.dll
2011-05-16 18:21:26 589824 ----a-w- c:\windows\system32\hpost_d02c.dll
2011-05-16 18:21:26 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-16 18:21:26 315392 ----a-w- c:\windows\system32\hposc_d02a.dll
2011-05-16 18:20:50 89600 ----a-w- c:\windows\system32\drivers\GemCCID.sys
2011-05-16 18:20:22 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-05-16 18:20:22 -------- d-----w- C:\ErdUndoCache
2011-05-16 11:53:13 -------- d-----w- c:\program files\common files\ParetoLogic
2011-05-15 20:19:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 15:35:11 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-05-15 15:35:07 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-05-15 15:34:55 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-05-15 15:34:37 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2011-05-15 15:34:36 452408 ----a-r- c:\windows\system32\hpzids01.dll
2011-05-15 15:32:36 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-05-15 15:32:36 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
==================== Find3M ====================
.
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 04:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 01:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 15:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 12:14:39 13816 ----a-w- c:\windows\system32\unikey.sys
.
============= FINISH: 0:53:35.12 ===============

Edited by Noviciate, 14 June 2011 - 02:00 PM.


#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:44 PM

Posted 14 June 2011 - 02:04 PM

Good evening. :)

Have you for any reason set your browsers to use a proxy server - particularly one in China?

So long, and thanks for all the fish.

 

 




