
DDS Log for Zero Access rootkit


4 replies to this topic

#1 KaraBean

  • Members
  • 9 posts

Posted 30 September 2011 - 01:06 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Mike at 0:25:25 on 2011-09-30
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\rname this is santis\SUPERAntiSpyware.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [InstaLAN] "c:\program files\centurylink\home network manager\HomeNetworkManager.exe" startup
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\kara renamed this am\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5AD6BDD3-0206-49F6-A595-B5373A144D7E} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\rname this is santis\SASWINLO.DLL
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\rname this is santis\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\g6rbmbi4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-09-30 04:06:42 -------- d-----w- C:\Backup
2011-09-30 01:57:38 -------- d-----w- c:\program files\Cobian Backup 8
2011-09-29 13:43:26 -------- d-----w- C:\All Things I want to Save
2011-09-29 06:20:24 -------- d-----w- c:\documents and settings\mike\local settings\application data\Apple
2011-09-29 06:12:30 -------- d-----w- c:\documents and settings\mike\application data\SUPERAntiSpyware.com
2011-09-29 06:11:03 -------- d-----w- c:\program files\Rname This is SAntiS
2011-09-29 03:13:19 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-28 17:52:21 -------- d-----w- c:\documents and settings\mike\application data\Malwarebytes
2011-09-28 17:52:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-28 17:52:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-28 17:52:02 -------- d-----w- c:\program files\Kara Renamed This AM
2011-09-28 15:55:12 -------- d-----w- C:\PCShareManagerUpload
2011-09-27 23:51:40 0 ----a-w- c:\windows\system32\drivers\geyekrboiesmpr.sys
2011-09-27 14:41:55 -------- d-----w- C:\KaraMadeThis
2011-09-26 20:33:42 -------- d-----w- c:\documents and settings\mike\local settings\application data\Identities
2011-09-26 17:22:20 -------- d-----w- c:\documents and settings\mike\local settings\application data\Threat Expert
2011-09-26 17:21:34 -------- d-----w- c:\documents and settings\mike\local settings\application data\Yahoo
2011-09-23 13:05:37 -------- d-----w- c:\documents and settings\mike\local settings\application data\uTorrent
2011-09-23 13:05:37 -------- d-----w- c:\documents and settings\mike\application data\uTorrent
2011-09-21 14:29:11 184536 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-09-21 14:22:41 767952 ----a-w- c:\windows\BDTSupport.dll0924.old
2011-09-21 14:22:39 2000848 ----a-w- c:\windows\PCTBDCore.dll0924.old
2011-09-21 14:22:39 149456 ----a-w- c:\windows\SGDetectionTool.dll0924.old
2011-09-21 14:20:17 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-09-21 14:20:16 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-09-21 14:20:00 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-09-21 02:05:02 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2011-09-21 02:05:02 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2011-09-21 02:05:02 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2011-09-21 02:05:00 -------- d-----w- c:\program files\ThreatFire
2011-09-21 01:58:40 -------- d-----w- c:\documents and settings\mike\application data\PCToolsFirewallPlus
2011-09-21 01:57:11 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2011-09-21 01:57:11 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2011-09-21 01:57:11 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2011-09-21 01:57:10 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2011-09-21 01:57:09 -------- d-----w- c:\program files\PC Tools Firewall Plus
2011-09-21 01:31:23 252712 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-09-21 01:31:17 326688 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-09-21 01:31:17 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-09-20 15:34:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-20 14:49:05 -------- d-----w- c:\documents and settings\mike\local settings\application data\Apple Computer
2011-09-20 05:30:28 -------- d-----w- c:\documents and settings\mike\application data\OpenOffice.org
2011-09-20 04:56:45 767952 ----a-w- c:\windows\BDTSupport.dll0939.old
2011-09-20 04:56:44 149456 ----a-w- c:\windows\SGDetectionTool.dll0939.old
2011-09-20 04:56:43 2189264 ----a-w- c:\windows\PCTBDCore.dll0939.old
2011-09-20 04:53:07 -------- d-----w- c:\program files\common files\PC Tools
2011-09-20 04:53:06 -------- d-----w- c:\program files\PC Tools Security
2011-09-20 04:38:34 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-19 20:26:46 -------- d-----w- c:\program files\common files\iS3
2011-09-19 20:26:46 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-19 19:52:55 -------- d-----w- c:\documents and settings\mike\application data\Uniblue
2011-09-19 17:23:33 -------- d-----w- c:\windows\pss
2011-09-19 17:10:24 -------- d-----w- c:\documents and settings\mike\local settings\application data\Adobe
2011-09-19 17:03:46 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-19 17:03:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-19 17:03:23 -------- d-----w- c:\documents and settings\mike\local settings\application data\Microsoft Help
2011-09-19 16:52:14 -------- d-----w- c:\documents and settings\mike\Local Settings(3)
2011-09-19 16:52:14 -------- d-----w- c:\documents and settings\mike\Application Data(3)
2011-09-19 16:36:46 -------- d-----w- c:\documents and settings\mike\local settings\application data\Mozilla
2011-09-19 16:30:29 -------- d-----w- c:\documents and settings\mike\local settings\application data\Ahead
2011-09-19 16:30:28 -------- d-----w- c:\documents and settings\mike\local settings\application data\ArcSoft
2011-09-19 16:29:57 -------- d-----w- c:\documents and settings\mike\local settings\application data\Microsoft
2011-09-14 17:38:38 274944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp64X.dll
2011-09-14 17:38:38 117760 ----a-w- c:\windows\system32\hpzll64X.dll
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-07 15:51:11 1409 ----a-w- c:\windows\QTFont.for
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 0:29:51.32 ===============


While DDS was running, the firewall blocked an incoming connection. It advised me to restart, but I let DDS finish first. Then when I came back I ran the Defogger again. After that I tried to right-click the GMER file on my desktop. It was weird. Every time I right clicked, I'd see an hourglass for a brief second and then it disappeared and no menu came up. I tried using Explorer to get to it, but it froze up when I tried to right click there too. Should I try again?
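A small parser for the "Created Last 30" lines of a DDS log like the one posted above, added here as an example; it is not part of this thread and not a DDS or BleepingComputer tool. The sample lines are constructed from entries in the log, and the zero-byte-driver flag is a triage heuristic I am assuming, not something DDS itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS "Created Last 30" format (modelled on the log above):
# <date> <time> <size, or -------- for a directory> <attribute flags> <path>
SAMPLE = """\
2011-09-29 03:13:19 41272 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-09-28 17:52:02 -------- d-----w- c:\\program files\\Kara Renamed This AM
2011-09-27 23:51:40 0 ----a-w- c:\\windows\\system32\\drivers\\geyekrboiesmpr.sys
2011-09-21 14:29:11 184536 ----a-w- c:\\windows\\system32\\drivers\\PCTSD.sys
2011-09-03 10:17:37 599040 -c----w- c:\\windows\\system32\\dllcache\\crypt32.dll
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories (DDS prints -------- instead of a size)
    attrs: str           # e.g. "----a-w-"; a leading "d" marks a directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

def parse_created(text: str) -> List[Entry]:
    """Parse the lines of a DDS 'Created Last 30' section; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries

def new_drivers(entries: List[Entry]) -> List[Entry]:
    """Kernel drivers (.sys under system32\\drivers) created in the window, oldest first."""
    drv = [e for e in entries if not e.is_dir
           and e.path.lower().endswith(".sys")
           and "\\system32\\drivers\\" in e.path.lower()]
    return sorted(drv, key=lambda e: (e.date, e.time))

def flag_drivers(entries: List[Entry]) -> List[str]:
    """Heuristic (my assumption, not a DDS feature): a zero-byte .sys in the drivers
    directory cannot be a loadable driver, so it deserves a closer look during triage."""
    return [e.path for e in new_drivers(entries) if e.size == 0]
```

Run `new_drivers(parse_created(SAMPLE))` to list the drivers in creation order and `flag_drivers(...)` to see which of them are empty files.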


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 October 2011 - 08:22 PM

Please run the following instead:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 KaraBean

  • Topic Starter
  • Members
  • 9 posts

Posted 04 October 2011 - 11:42 PM

Performed all the steps as instructed. When I clicked "Scan" it started to scan and even found something which came up in red. However, before I could even read that, the program just vanished. I couldn't find anything in Task Manager showing it was still running, and no logs have been created on the desktop. :angry:
Is there something else we can try?

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 October 2011 - 12:55 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 14 October 2011 - 07:35 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
