Jump to content

InstallShield ProgramUpdate rootkit?


jeff4ro
 Share

Recommended Posts

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-22 13:23:44

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0 WDC_WD32 rev.00.0

Running: 7jhmim4u[1].exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\uxliqpob.sys

---- System - GMER 1.0.15 ----

SSDT 8391B128 ZwConnectPort

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1080] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2160] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2784] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Please Help

I have renamed it,assasinated it, malware scanned for it, and I can't get rid of it!

DDS.zip

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/26/2010 10:27:20 AM

mbam-log-2010-11-26 (10-27-20).txt

Scan type: Full Scan (C:\|)

Objects scanned: 219930

Time elapsed: 28 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/18/2010 1:10:01 PM

mbam-log-2010-01-18 (13-10-01).txt

Scan type: Full Scan (C:\|)

Objects scanned: 216695

Time elapsed: 29 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\smss.TMP (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/21/2010 5:13:05 PM

mbam-log-2010-11-21 (17-13-05).txt

Scan type: Quick Scan

Objects scanned: 5

Time elapsed: 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/26/2010 10:27:20 AM

mbam-log-2010-11-26 (10-27-20).txt

Scan type: Full Scan (C:\|)

Objects scanned: 219930

Time elapsed: 28 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Link to post
Share on other sites

  • 2 months later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.