Win32?


  • This topic is locked
41 replies to this topic

#1 Varnson1

Varnson1

  • Members
  • 29 posts

Posted 21 May 2012 - 06:36 AM

Here is a little history, as well as I recall it, over the past several days.

Last Thursday, PartyPoker stopped running - when I double-clicked it, it just hung and I had to kill the task to get rid of it. I searched something like "partygaming.exe hung" which took me to a website like bleepingcomputer (but something else). Over the next several days...

- I downloaded and ran aswMBR which reported "Module: c:\windows\system32\dla\dladresn.sys "SUSPICIOUS"

- I downloaded and ran combofix

- I downloaded and ran roguekiller. Among other things, RK identified several instances of klif.sys, vsdatant.sys and SASKUTIL.SYS as problems. When I searched on those terms, it appeared to me that they are symptoms of a win32 virus.

On Saturday, while I was running this stuff, I had forgotten to restart ZoneAlarm and while it was disabled, a program edited my wireless IP address, changing it to 169.254.153.13. I figured this out because my wife's computer started flashing a message in the lower right that there is an IP address conflict with another system on the network. After some searching and poking around, I ended up hard-coding an IP address I knew would work on my network and was able to get back on the internet.

Here is some additional stuff I wrote in my notes but can't tell you why:

- Cyberlink Power Cinema Resident Program is detected as a key logger
- User profile HIVE Cleanup Service

Other symptoms I've noticed include not being able to send or reply to email from Outlook Express.

What do you make of all this :), Doc? Can you help? I'm looking forward to hearing from you!

Regards,

Steve

dds.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Steve at 18:04:48 on 2012-05-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1130 [GMT -4:00]
.
AV: ZoneAlarm Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Zonealarm Helper Object: {2a841f7a-a014-4da5-b6d9-8b913dfb7a8c} - c:\program files\check point software technologies ltd\zonealarm\1.5.23.8\bh\zonealarm.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Toolbar: {438fae3e-bdef-44d3-ab8b-0c7c8350df59} - c:\program files\check point software technologies ltd\zonealarm\1.5.23.8\zonealarmTlbr.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Update Service] c:\progra~1\common~1\teknum~1\update.exe /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\handspring\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\steve\desktop\PartyPoker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: Interfaces\{98949361-7117-4F76-B1B7-20F46FCF1DAA} : NameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\steve\application data\mozilla\firefox\profiles\uow8ogff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ixquick HTTPS
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxps://ixquick.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan=en&utid=3021043400000000000000197e5da17f&q={searchTerms}
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\uow8ogff.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(extensions.zonealarm.rvrtMsg, Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm_i.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan=en&utid=3021043400000000000000197e5da17f
FF - user.js: extensions.zonealarm.hpOld - ixquick.com
FF - user.js: extensions.zonealarm.hpNew - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan=en&utid=3021043400000000000000197e5da17f
FF - user.js: extensions.zonealarm_i.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan=en&utid=3021043400000000000000197e5da17f&q={searchTerms}
FF - user.js: extensions.zonealarm.dspOld - Ixquick HTTPS
FF - user.js: extensions.zonealarm.dspNew - Search By ZoneAlarm
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan=en&utid=3021043400000000000000197e5da17f
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN03043033994461-1025&toolbarId=base&affiliateId=1603&Lan={dfltLng}&utid=3021043400000000000000197e5da17f&q=
FF - user.js: extensions.zonealarm.id - 3021043400000000000000197e5da17f
FF - user.js: extensions.zonealarm.instlDay - 15469
FF - user.js: extensions.zonealarm.vrsn - 1.5.23.8
FF - user.js: extensions.zonealarm.vrsni - 1.5.23.8
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.23.816:24:42
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1603
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN03043033994461-1025
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-5-9 133208]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2012-5-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-5-9 485808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-5-3 526608]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 129976]
S3 TfNetMon;TfNetMon; [x]
.
=============== Created Last 30 ================
.
2012-05-20 21:37:09 -------- d-sh--w- c:\documents and settings\steve\PrivacIE
2012-05-20 21:31:39 -------- d-----w- c:\program files\Fix RegCleaner
2012-05-20 19:55:31 -------- d-sh--w- c:\documents and settings\steve\IETldCache
2012-05-20 19:32:45 -------- d-----w- c:\documents and settings\steve\application data\DriverCure
2012-05-20 19:32:44 -------- d-----w- c:\documents and settings\steve\application data\SpeedyPC Software
2012-05-20 19:32:21 -------- d-----w- c:\program files\common files\SpeedyPC Software
2012-05-20 19:32:19 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC Software
2012-05-20 12:53:07 -------- d-----w- c:\windows\ie8updates
2012-05-20 12:46:15 -------- dc----w- c:\windows\ie8
2012-05-20 12:32:58 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-05-20 12:32:47 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-05-20 12:32:47 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-05-20 12:32:44 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-05-20 12:32:40 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-05-20 12:32:39 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-05-20 12:32:36 2000384 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-05-20 12:32:00 11082752 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-05-20 12:10:16 -------- d-----w- c:\documents and settings\steve\local settings\application data\NPE
2012-05-17 22:24:02 -------- d-sha-r- C:\cmdcons
2012-05-17 22:22:07 98816 ----a-w- c:\windows\sed.exe
2012-05-17 22:22:07 518144 ----a-w- c:\windows\SWREG.exe
2012-05-17 22:22:07 256000 ----a-w- c:\windows\PEV.exe
2012-05-17 16:53:57 -------- d-----w- c:\documents and settings\steve\Downloads
2012-05-17 16:04:32 -------- d-----w- c:\program files\UPHClean
2012-05-16 19:46:10 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-09 20:24:41 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2012-05-09 20:23:15 11352 ----a-w- c:\windows\system32\drivers\kl2.sys
2012-05-09 20:23:13 133208 ----a-w- c:\windows\system32\drivers\kl1.sys
2012-05-04 13:34:45 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-04 13:34:40 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-04 13:34:40 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M ====================
.
2012-05-16 19:46:10 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 18:06:46.43 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 May 2012 - 08:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 27 May 2012 - 06:16 AM

Good morning, m0le! Receiving you loud and clear! Thanks for your assistance and nice to meet you. Tropical storm Beryl will be flying over my head later today, so I will be here unless I lose power. Over!

Edited by Varnson1, 27 May 2012 - 06:18 AM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 May 2012 - 07:01 PM

The information you gave actually doesn't look like anything malicious. The files are all legitimate but infected by some malware which is why you may have found some hits on Google.

Please post the aswMBR log in full and let's see what we have
m0le is a proud member of UNITE

#5 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 28 May 2012 - 12:09 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-20 06:57:03
-----------------------------
06:57:03.812 OS Version: Windows 5.1.2600 Service Pack 3
06:57:03.812 Number of processors: 2 586 0xE08
06:57:03.812 ComputerName: STEVE-LAPTOP UserName: Steve
06:57:05.140 Initialize success
06:57:21.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
06:57:21.515 Disk 0 Vendor: TOSHIBA_MK8009GAH BS011G Size: 76319MB BusType: 3
06:57:21.546 Disk 0 MBR read successfully
06:57:21.546 Disk 0 MBR scan
06:57:21.546 Disk 0 Windows XP default MBR code
06:57:21.546 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
06:57:21.562 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76261 MB offset 96390
06:57:21.562 Disk 0 scanning sectors +156280320
06:57:21.625 Disk 0 scanning C:\WINDOWS\system32\drivers
06:57:31.968 Service scanning
06:57:51.546 Modules scanning
06:57:57.421 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
06:57:58.593 Disk 0 trace - called modules:
06:57:58.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
06:57:58.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a777ab8]
06:57:58.625 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a791d98]
06:57:58.625 Scan finished successfully
06:59:21.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Steve\Desktop\MBR.dat"
06:59:21.359 The log file has been saved successfully to "C:\Documents and Settings\Steve\Desktop\aswMBR.txt"

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 May 2012 - 07:29 PM

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it

Post the log in the next reply.
m0le is a proud member of UNITE

#7 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 29 May 2012 - 06:33 AM

OTL logs

Hey, m0le, just so you know - I had a network IP conflict yesterday. I think I mentioned earlier that I had edited my wireless internet connection IP address to something I knew would work. It did - until I turned on the desktop computer in the den. I have now changed my settings back to get IP and DNS automatically.


Edited by Varnson1, 29 May 2012 - 06:38 AM.


#8 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 29 May 2012 - 06:43 AM

In case it's helpful, here are the application and system logs from the days I knew I had some problems. I was searching the phrase "Hanging application PartyGaming.exe, version 1.0.0.151, hang module hungapp, version 0.0.0.0, hang address 0x00000000." to try to figure out what to do.

I also remember Internet Explorer crashing every time I tried to start it up (4 or 5 times, then I gave up). I was trying to run something that would only work with IE.

Attached File: VEW.TXT (16.94KB)

Edited by Varnson1, 29 May 2012 - 06:54 AM.


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 May 2012 - 06:05 PM

If PartyGaming.exe is crashing the system then uninstall it and let me know if that eases the problem.

Not sure that malware is present yet. We will reset a few configurations and make sure the default exists. It will also give me an event viewer.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List Winsock Entries
  • List devices
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size.
  • List Minidump Files.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
m0le is a proud member of UNITE

#10 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 30 May 2012 - 06:27 AM

It wasn't just PartyGaming that was hanging, any program that tried to access the internet hung also. For example, Malwarebytes hung when I tried to update definitions, Firefox also. IE was crashing on startup. Just the other day, something was disconnecting my wireless connection - it would not stay connected. I ran the ComboFix I had downloaded a while back and it said it was expired, did I want to run with limited functionality or something like that, and I told it I did. After that, my wireless connection would stay connected but Firefox would just time out - it couldn't/wouldn't find any website(s).

At THAT point, I downloaded bleepingcomputer's ComboFix onto a USB drive using my desktop computer and was able to run it on my laptop from there. That's how I restored my internet access and made my first response to your post (I'm pretty sure I reran RogueKiller, too). I have so many files on my desktop and I don't remember the name of the ComboFix output log or I would attach it in case there is something helpful there.


Edited by Varnson1, 30 May 2012 - 06:35 AM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 May 2012 - 05:40 PM

Let's try and find the Combofix log.

Please go to start -> Run.

Copy and paste the bold line in the run-box and click OK:

cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

A text file opens up, copy and paste the content to your reply.
m0le is a proud member of UNITE

#12 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 30 May 2012 - 06:00 PM

C:\QooBox\Add-Remove Programs.txt
C:\QooBox\BackEnv
C:\QooBox\ComboFix-quarantined-files.txt
C:\QooBox\ComboFix2.txt
C:\QooBox\ComboFix3.txt
C:\QooBox\ComboFix4.txt
C:\QooBox\ComboFix5.txt
C:\QooBox\Quarantine
C:\QooBox\SnapShot@2012-05-25_19.51.14.dat
C:\QooBox\Quarantine\C
C:\QooBox\Quarantine\catchme.log
C:\QooBox\Quarantine\Registry_backups
C:\QooBox\Quarantine\C\Documents and Settings
C:\QooBox\Quarantine\C\WINDOWS
C:\QooBox\Quarantine\C\Documents and Settings\All Users
C:\QooBox\Quarantine\C\Documents and Settings\Steve
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\TEMP
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Desktop
C:\QooBox\Quarantine\C\Documents and Settings\Steve\GoToAssistDownloadHelper.exe.vir
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Microsoft
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Microsoft\Internet Explorer
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk.vir
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla\Firefox
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uow8ogff.default
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uow8ogff.default\searchplugins
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uow8ogff.default\searchplugins\bing-zugo.xml.vir
C:\QooBox\Quarantine\C\Documents and Settings\Steve\Desktop\Setup.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system32
C:\QooBox\Quarantine\C\WINDOWS\system32\default_user_class.dat.LOG.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache
C:\QooBox\Quarantine\C\WINDOWS\system32\ndisapi.dll.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\PowerToyReadme.htm.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\regobj.dll.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\test
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\dlimport.exe.vir
C:\QooBox\Quarantine\Registry_backups\HKLM-Run-ISW.reg.dat
C:\QooBox\Quarantine\Registry_backups\SafeBoot-klmdb.sys.reg.dat
C:\QooBox\Quarantine\Registry_backups\SafeBoot-mcmscsvc.reg.dat
C:\QooBox\Quarantine\Registry_backups\SafeBoot-MCODS.reg.dat
C:\QooBox\Quarantine\Registry_backups\tcpip.reg

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 May 2012 - 06:40 PM

There isn't anything in the log that connects to the symptoms. Please run this scanner which will check for some of the telltale signs of the rootkit that your posts describe the symptoms of.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check all boxes
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

m0le is a proud member of UNITE

#14 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 31 May 2012 - 05:48 AM

Hmmm...


Farbar Service Scanner Version: 27-05-2012
Ran by Steve (administrator) on 31-05-2012 at 06:43:18
Running from "C:\Documents and Settings\Steve\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
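A triage helper for FSS output like the log above, added here as an example and not part of the thread or of the Farbar tool: it parses the "Firewall Disabled Policy" section, maps each FirewallPolicy profile key to its EnableFirewall value, and lists the profiles where that policy value is 0, meaning the firewall is forced off by policy rather than merely switched off in the UI. It assumes FSS keeps the layout shown above (a "Name:" header, an underline of "=" characters, then [key] and "value"=DWORD:n lines); the sample input is constructed from that log.

```python
"""Triage helper for Farbar Service Scanner (FSS) output (added example)."""
import re

# Constructed sample modelled on the FSS log posted in the thread.
SAMPLE_FSS = """\
Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0

Other Services:
==============
"""

SECTION_HEADER = "Firewall Disabled Policy:"
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>[A-Za-z_]+):(?P<data>[0-9A-Fa-fx]+)$')


def _parse_dword(data):
    """Parse the data part of a DWORD:<n> line; FSS prints decimal, tolerate 0x-hex."""
    return int(data, 16) if data.lower().startswith("0x") else int(data, 10)


def parse_firewall_policy(fss_text):
    """Return {profile_name: EnableFirewall value} from the FSS section.

    The section starts at SECTION_HEADER, skips the '====' underline, and ends at
    the next 'Something:' header or at end of input. A [key] line names a
    FirewallPolicy\\<Profile> registry key; the value line(s) that follow belong
    to that profile. Profiles with no EnableFirewall line are skipped.
    """
    profiles = {}
    current = None
    in_section = False
    for raw in fss_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_HEADER
            continue
        if line.endswith(":") and not line.startswith("["):
            break  # reached the next FSS section header
        if not line or set(line) == {"="}:
            continue  # blank line or the header underline
        key_match = KEY_RE.match(line)
        if key_match:
            parent, _, leaf = key_match.group("key").rpartition("\\")
            # Only keys directly under ...\FirewallPolicy name a profile.
            current = leaf if parent.lower().endswith("\\firewallpolicy") else None
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current and value_match.group("name") == "EnableFirewall":
            if value_match.group("type").upper() == "DWORD":
                profiles[current] = _parse_dword(value_match.group("data"))
    return profiles


def disabled_profiles(fss_text):
    """Names of FirewallPolicy profiles whose EnableFirewall policy is 0."""
    return [name for name, value in parse_firewall_policy(fss_text).items() if value == 0]


def report(fss_text):
    """Human-readable triage lines, one per profile found in the section."""
    lines = []
    for name, value in parse_firewall_policy(fss_text).items():
        state = "DISABLED by policy" if value == 0 else "enabled by policy"
        lines.append(f"{name}: EnableFirewall={value} -> {state}")
    if not lines:
        lines.append("no EnableFirewall policy values found")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_FSS):
        print(entry)
```

A profile listed as disabled by policy is the one to review: the value lives under the FirewallPolicy key named on that line, and no UI setting will turn the firewall back on while it is present.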

#15 Varnson1

Varnson1
  • Topic Starter

  • Members
  • 29 posts

Posted 31 May 2012 - 02:57 PM

m0le, I was looking through the roguekiller logs (there are 11 of them). Several of the logs contain lines that read *** infection ***; would you like to see them?

This is RKreport[8], for example:

Bad processes: 0

Registry Entries: 0

Particular Files / Folders:

Driver: [LOADED]

Infection :

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK8009GAH +++++
--- User ---
[MBR] 9cbda931e632533371e9f3839ac6d967
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 76261 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 4a296257b22c19f9bfb72764b330eeb0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 44 | Size: 7655 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt
