
Outgoing IP blocking to RIPE query database servers. Possible rootkit



Am I infected with a rootkit? How do I prevent outgoing queries to RIPE database servers?

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by DAVID at 10:09:59 on 2011-06-10

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1165 [GMT -3:00]

.

AV: ZoneAlarm Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Seagate\DriveSettings\Sync\SeagateDriveSettingsService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = about:blank

BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [cdloader] "c:\documents and settings\david\application data\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [VTTimer] VTTimer.exe

mRun: [VTTrayp] VTtrayp.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [soundMan] SOUNDMAN.EXE

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"

StartupFolder: c:\docume~1\david\startm~1\programs\startup\seagat~2.lnk - c:\documents and settings\david\application data\leadertech\powerregister\Seagate sn:2GHN10WL Product Registration.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255150248015

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{E9A04E39-568C-4895-8313-4162439F079D} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-9-30 56208]

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-10-14 132184]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-10-10 22168]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-23 11608]

R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2009-10-10 17024]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-10-14 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-21 327256]

R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-6-1 525840]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-23 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-23 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-23 61960]

R2 FreeAgentGoFlex Service;Seagate Drive Settings Service;c:\program files\seagate\drivesettings\sync\SeagateDriveSettingsService.exe [2011-2-10 91432]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-4-17 312152]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-5-24 27016]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-5-24 493184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-8 366640]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2010-10-26 439632]

R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-8 22712]

S3 BS_Flash;BS_Flash;c:\windows\system32\drivers\BS_Flash.sys [2009-10-10 3604]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-5 14336]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-4-17 27064]

S3 TMPassthruMP;TMPassthruMP; [x]

S3 uti1odyy;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uti1odyy.sys --> c:\windows\system32\drivers\uti1odyy.sys [?]

S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb1.sys [2009-10-10 9728]

.

=============== Created Last 30 ================

.

2011-06-10 03:55:04 -------- d-----w- C:\New Folder 1

2011-06-09 04:57:08 -------- d-----w- c:\documents and settings\david\Downloads

2011-06-09 04:24:36 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky SDK

2011-06-09 04:23:37 -------- d-----w- c:\documents and settings\david\application data\MailFrontier

2011-06-09 04:18:41 -------- d-----w- c:\program files\zonealarm_security

2011-06-09 04:17:23 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint

2011-06-09 03:27:51 -------- d-sha-r- C:\cmdcons

2011-06-09 03:26:06 98816 ----a-w- c:\windows\sed.exe

2011-06-09 03:26:06 518144 ----a-w- c:\windows\SWREG.exe

2011-06-09 03:26:06 256512 ----a-w- c:\windows\PEV.exe

2011-06-09 03:26:06 208896 ----a-w- c:\windows\MBR.exe

2011-06-07 13:37:30 266360 ----a-w- c:\windows\system32\TweakUI.exe

2011-06-02 12:42:53 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-18 21:12:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

.

==================== Find3M ====================

.

2011-05-29 12:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 12:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-09 20:55:50 14 ----a-w- c:\windows\system32\SysEngine2.SYS

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

============= FINISH: 10:12:47.95 ===============

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6821

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/10/2011 7:10:10 AM

mbam-log-2011-06-10 (07-10-10).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 237154

Time elapsed: 1 hour(s), 10 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

01:15:19 DAVID MESSAGE Protection started successfully

01:15:32 DAVID MESSAGE IP Protection started successfully

06:00:00 DAVID MESSAGE Scheduled scan executed successfully

08:11:58 DAVID MESSAGE Protection started successfully

08:12:07 DAVID MESSAGE IP Protection started successfully

08:36:30 DAVID MESSAGE IP Protection stopped

08:36:46 DAVID MESSAGE Database updated successfully

08:36:50 DAVID MESSAGE IP Protection started successfully

09:57:25 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:26 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:28 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:28 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:29 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:30 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:31 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:33 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

09:57:34 DAVID IP-BLOCK 89.28.65.51 (Type: outgoing)

Attach.rar

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
