
Anti-Malware just started detecting outgoing queries to RIPE database servers. Do I have some kind of rootkit, malware, etc.? Please help. I am a newbie, so I hope I am doing this correctly.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6801

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2011 5:15:45 PM

mbam-log-2011-06-08 (17-15-45).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 420

Time elapsed: 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

06:00:00 DAVID MESSAGE Scheduled scan executed successfully

11:15:05 DAVID MESSAGE Protection started successfully

11:15:13 DAVID MESSAGE IP Protection started successfully

17:10:43 DAVID IP-BLOCK 222.71.160.84 (Type: outgoing)

17:29:17 DAVID IP-BLOCK 83.128.102.170 (Type: outgoing)

17:42:43 DAVID IP-BLOCK 77.78.216.156 (Type: outgoing)

18:29:20 DAVID IP-BLOCK 222.71.160.84 (Type: outgoing)

18:33:08 DAVID IP-BLOCK 109.86.183.208 (Type: outgoing)

18:43:09 DAVID IP-BLOCK 89.28.74.72 (Type: outgoing)

19:00:37 DAVID IP-BLOCK 222.65.207.215 (Type: outgoing)

19:00:51 DAVID IP-BLOCK 77.78.209.114 (Type: outgoing)

19:03:04 DAVID IP-BLOCK 222.71.160.84 (Type: incoming)

19:03:04 DAVID IP-BLOCK 222.71.160.84 (Type: incoming)

19:13:52 DAVID IP-BLOCK 213.186.121.131 (Type: outgoing)

19:16:02 (null) MESSAGE Protection started successfully

19:16:24 DAVID MESSAGE IP Protection started successfully

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by DAVID at 19:18:04 on 2011-06-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1161 [GMT -3:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Seagate\DriveSettings\Sync\SeagateDriveSettingsService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = about:blank

BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [cdloader] "c:\documents and settings\david\application data\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [VTTimer] VTTimer.exe

mRun: [VTTrayp] VTtrayp.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\david\startm~1\programs\startup\seagat~2.lnk - c:\documents and settings\david\application data\leadertech\powerregister\Seagate sn:2GHN10WL Product Registration.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255150248015

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{E9A04E39-568C-4895-8313-4162439F079D} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-9-30 56208]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-10-10 22168]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-23 11608]

R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2009-10-10 17024]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-4 532224]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-23 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-23 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-23 61960]

R2 FreeAgentGoFlex Service;Seagate Drive Settings Service;c:\program files\seagate\drivesettings\sync\SeagateDriveSettingsService.exe [2011-2-10 91432]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-4-17 312152]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-8 366640]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2010-10-26 439632]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-8 22712]

S3 BS_Flash;BS_Flash;c:\windows\system32\drivers\BS_Flash.sys [2009-10-10 3604]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-5 14336]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-4-17 27064]

S3 TMPassthruMP;TMPassthruMP; [x]

S3 uti1odyy;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uti1odyy.sys --> c:\windows\system32\drivers\uti1odyy.sys [?]

S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb1.sys [2009-10-10 9728]

.

=============== Created Last 30 ================

.

2011-06-07 13:37:30 266360 ----a-w- c:\windows\system32\TweakUI.exe

2011-06-02 12:42:53 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-18 21:12:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-05-10 09:27:01 -------- d-----w- c:\program files\WinPcap

.

==================== Find3M ====================

.

2011-05-29 12:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 12:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-09 20:55:50 14 ----a-w- c:\windows\system32\SysEngine2.SYS

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

============= FINISH: 19:18:59.53 ===============

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-08 20:28:50

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-00L9A0 rev.01.03E01

Running: w9iz28ng.exe; Driver: C:\DOCUME~1\DAVID\LOCALS~1\Temp\kxtdrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB77A9534]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB77A3782]

SSDT BA7F5B96 ZwCreateKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB77A9CC0]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB77BCEB4]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB77BD2A2]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB77C6916]

SSDT BA7F5B8C ZwCreateThread

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB77A9DF6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB77A4398]

SSDT BA7F5B9B ZwDeleteKey

SSDT BA7F5BA5 ZwDeleteValueKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB77BBDF0]

SSDT BA7F5BAA ZwLoadKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB77C4B44]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB77A3FAA]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB77BF1CE]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB77BEDF8]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB77C58D2]

SSDT BA7F5BB4 ZwReplaceKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB77A90F4]

SSDT BA7F5BAF ZwRestoreKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB77A97DC]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB77A475C]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB77C5E12]

SSDT BA7F5BA0 ZwSetValueKey

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB77BDF0A]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB77BDC86]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501C74 12 Bytes [C0, 9C, 7A, B7, B4, CE, 7B, ...]

? C:\DOCUME~1\DAVID\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B80001

.text C:\WINDOWS\Explorer.EXE[504] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\Explorer.EXE[504] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\Explorer.EXE[504] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\WINDOWS\Explorer.EXE[504] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\Explorer.EXE[504] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012C0001

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[976] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\WINDOWS\system32\VTTimer.exe[1156] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTTimer.exe[1156] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\WINDOWS\system32\VTTimer.exe[1156] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTTimer.exe[1156] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\WINDOWS\system32\VTTimer.exe[1156] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001

.text C:\WINDOWS\system32\VTTimer.exe[1156] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\system32\VTTimer.exe[1156] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\VTTimer.exe[1156] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\WINDOWS\system32\VTTimer.exe[1156] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTTimer.exe[1156] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\WINDOWS\system32\VTTimer.exe[1156] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\WINDOWS\system32\VTTimer.exe[1156] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\WINDOWS\system32\VTtrayp.exe[1168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DD0001

.text C:\WINDOWS\system32\VTtrayp.exe[1168] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\system32\VTtrayp.exe[1168] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\WINDOWS\system32\VTtrayp.exe[1168] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\WINDOWS\SOUNDMAN.EXE[1256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001

.text C:\WINDOWS\SOUNDMAN.EXE[1256] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\SOUNDMAN.EXE[1256] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\WINDOWS\SOUNDMAN.EXE[1256] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F90001

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe[1380] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\WINDOWS\system32\ctfmon.exe[1468] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\ctfmon.exe[1468] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\WINDOWS\system32\ctfmon.exe[1468] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\ctfmon.exe[1468] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\WINDOWS\system32\ctfmon.exe[1468] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AB0001

.text C:\WINDOWS\system32\ctfmon.exe[1468] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\WINDOWS\system32\ctfmon.exe[1468] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\ctfmon.exe[1468] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\WINDOWS\system32\ctfmon.exe[1468] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\ctfmon.exe[1468] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\WINDOWS\system32\ctfmon.exe[1468] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\WINDOWS\system32\ctfmon.exe[1468] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\Program Files\Skype\Phone\Skype.exe[1564] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02930001

.text C:\Program Files\Skype\Phone\Skype.exe[1564] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\Program Files\Skype\Phone\Skype.exe[1564] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\Program Files\Skype\Phone\Skype.exe[1564] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2388] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3160] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A

.text C:\Documents and Settings\DAVID\Desktop\w9iz28ng.exe[5572] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Files - GMER 1.0.15 ----

ADS C:\Documents and Settings\DAVID\Application Data\Leadertech\PowerRegister\Seagate sn:2GHN10WL Product Registration.exe 1731736 bytes executable

---- EOF - GMER 1.0.15 ----

Anti-Malware log files.rar

ark.rar

attach.rar
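Added example, not part of the original post and not code from Malwarebytes or GMER: a small Python triage script for the two logs pasted above. It parses the protection-log IP-BLOCK lines to count blocks per address and direction, and it splits the GMER SSDT entries into hooks GMER attributed to a named driver (every named one here is vsdatant.sys, the ZoneAlarm driver) and hooks it printed as a bare address with no owner. The sample lines are copied from the logs in the post; the regexes, function names and the hook-span check are this example's own.

```python
"""Triage helpers for the logs pasted above (added example; not part of the
original post, Malwarebytes or GMER). Runs offline: the sample lines below
are copied from the post and nothing is looked up."""
import re
from collections import Counter, defaultdict

# Protection-log lines copied from the post.
MBAM_LOG = """
17:10:43 DAVID IP-BLOCK 222.71.160.84 (Type: outgoing)
17:29:17 DAVID IP-BLOCK 83.128.102.170 (Type: outgoing)
17:42:43 DAVID IP-BLOCK 77.78.216.156 (Type: outgoing)
18:29:20 DAVID IP-BLOCK 222.71.160.84 (Type: outgoing)
18:33:08 DAVID IP-BLOCK 109.86.183.208 (Type: outgoing)
18:43:09 DAVID IP-BLOCK 89.28.74.72 (Type: outgoing)
19:00:37 DAVID IP-BLOCK 222.65.207.215 (Type: outgoing)
19:00:51 DAVID IP-BLOCK 77.78.209.114 (Type: outgoing)
19:03:04 DAVID IP-BLOCK 222.71.160.84 (Type: incoming)
19:03:04 DAVID IP-BLOCK 222.71.160.84 (Type: incoming)
19:13:52 DAVID IP-BLOCK 213.186.121.131 (Type: outgoing)
"""

# SSDT lines copied from the GMER section of the post: all eight bare-address
# entries plus two of the vsdatant.sys entries.
GMER_SSDT = r"""
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB77A9534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB77A3782]
SSDT BA7F5B96 ZwCreateKey
SSDT BA7F5B8C ZwCreateThread
SSDT BA7F5B9B ZwDeleteKey
SSDT BA7F5BA5 ZwDeleteValueKey
SSDT BA7F5BAA ZwLoadKey
SSDT BA7F5BB4 ZwReplaceKey
SSDT BA7F5BAF ZwRestoreKey
SSDT BA7F5BA0 ZwSetValueKey
"""

IPBLOCK_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<dir>incoming|outgoing)\)$"
)
# "SSDT <module> (<description>) <function> [0x<addr>]": GMER resolved the owner.
SSDT_NAMED_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# "SSDT <addr> <function>": GMER could not name the module owning the hook.
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")


def parse_ip_blocks(text):
    """Return (time, ip, direction) tuples for IP-BLOCK lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPBLOCK_RE.match(line.strip())
        if m:
            events.append((m["time"], m["ip"], m["dir"]))
    return events


def summarize_ip_blocks(events):
    """Per-IP counts by direction, plus the addresses blocked in both directions."""
    per_ip = defaultdict(Counter)
    for _, ip, direction in events:
        per_ip[ip][direction] += 1
    both_ways = sorted(ip for ip, c in per_ip.items() if c["incoming"] and c["outgoing"])
    return {ip: dict(c) for ip, c in per_ip.items()}, both_ways


def classify_ssdt_hooks(text):
    """Split SSDT hooks into {module: [functions]} and a sorted list of
    (addr, function) entries GMER could not attribute to any loaded module."""
    attributed = defaultdict(list)
    unattributed = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_NAMED_RE.match(line)
        if m:
            attributed[m["module"]].append(m["func"])
            continue
        m = SSDT_BARE_RE.match(line)
        if m:
            unattributed.append((int(m["addr"], 16), m["func"]))
    return dict(attributed), sorted(unattributed)


def unattributed_span(unattributed):
    """(lowest, highest) hook address among the unattributed entries. A span of a
    few dozen bytes means one driver owns them all: match it against the loaded
    driver list before calling it a rootkit."""
    if not unattributed:
        return None
    addrs = [a for a, _ in unattributed]
    return min(addrs), max(addrs)


if __name__ == "__main__":
    per_ip, both = summarize_ip_blocks(parse_ip_blocks(MBAM_LOG))
    print(per_ip, "blocked both ways:", both)
    named, bare = classify_ssdt_hooks(GMER_SSDT)
    lo, hi = unattributed_span(bare)
    print({m: len(f) for m, f in named.items()},
          f"{len(bare)} unattributed within 0x{lo:08X}-0x{hi:08X} ({hi - lo} bytes)")
```

The SSDT split is the caveat to apply before reading "rootkit" into a GMER log: hooks that resolve to a named, known security-vendor driver are expected on a machine running a firewall and antivirus, and the eight unattributed hooks here all fall within a 40-byte range, which is consistent with a single driver's hook stubs rather than several unrelated ones. The next step is to map that address range against the loaded kernel drivers (this system has several from security products in its services list) rather than to assume the worst. On the network side, the summary shows blocks to a set of unrelated addresses, one of which was hit in both directions, which is consistent with the P2P client the poster later identified as the source.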


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Are you still with us?

Thank you for your concern and reply.

I apologize for the late reply. I was out of town on business. I think I have solved this problem. I ran ComboFix and then ran GMER. GMER found nothing suspicious. After I did this I noticed that only occasionally did I get an outgoing query. I also remembered that the activity was greatest when running uTorrent. So I deleted uTorrent using ZSoft Uninstaller, which I used when installing uTorrent. Hopefully that also removed all registry entries associated with uTorrent. So far I have had no outgoing queries at all. I will continue to watch Malwarebytes' Anti-Malware for a few more days to see if I get any outgoing queries, and if not, then I plan on reinstalling uTorrent and selecting that a random port be used on program startup. Then I will watch again.

What is your opinion on this approach?


  • Staff

Hi,

Should've mentioned that sooner.

This is our policy on P2P software:

HijackThis Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos, etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

If you reinstall it, I can't offer my assistance anymore.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
