
newserversearch.com yet again


9 replies to this topic

#1 Chris Tettamanti

Members

Posted 28 December 2009 - 12:52 PM

I'm infected with the newserversearch.com problem as others are here. Would appreciate some help getting my browser back. Infected Firefox and IE.

Thanks in advance!
Chris



#2 boopme

Global Moderator

Posted 28 December 2009 - 01:17 PM

Hello, I'm suspecting this is a rootkit, so let's get a look.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Chris Tettamanti

Topic Starter

Posted 28 December 2009 - 03:58 PM

I haven't forgotten about you... I am running the scan and it's taking a while. I'll post the results when it's done. The partial scan was done twice but locked up the computer, so it's running in Safe Mode now fine.

#4 boopme

Global Moderator

Posted 28 December 2009 - 04:06 PM

No problem, believe me, I know lengthy :thumbsup:.

If I am gone I'll be back around 6 PM Eastern.

#5 Chris Tettamanti

Topic Starter

Posted 28 December 2009 - 04:42 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-28 13:40:51
Windows 5.1.2600 Service Pack 3
Running: 6phkvt3n.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\pglorkow.sys


---- System - GMER 1.0.15 ----

SSDT spka.sys ZwCreateKey [0xF74420E0]
SSDT spka.sys ZwEnumerateKey [0xF7460CA4]
SSDT spka.sys ZwEnumerateValueKey [0xF7461032]
SSDT spka.sys ZwOpenKey [0xF74420C0]
SSDT spka.sys ZwQueryKey [0xF746110A]
SSDT spka.sys ZwQueryValueKey [0xF7460F8A]
SSDT spka.sys ZwSetValueKey [0xF746119C]

INT 0x62 ? 86FD8BF8
INT 0x74 ? 86F66BF8
INT 0x82 ? 86FD8BF8
INT 0x84 ? 86F66BF8
INT 0xA4 ? 86F66BF8

---- Kernel code sections - GMER 1.0.15 ----

? spka.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F71A18AC 5 Bytes JMP 86F661D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F695E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7473C4C] spka.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7473CA0] spka.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7443042] spka.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F744313E] spka.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74430C0] spka.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7443800] spka.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74436D6] spka.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F662D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7452E9C] spka.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F651F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3E23D718-CB78-4EEA-9D05-1BEEFF842141} 86B8C1F8
Device \Driver\usbuhci \Device\USBPDO-0 86E84500
Device \Driver\usbuhci \Device\USBPDO-1 86E84500
Device \Driver\usbuhci \Device\USBPDO-2 86E84500
Device \Driver\usbuhci \Device\USBPDO-3 86E84500
Device \Driver\usbehci \Device\USBPDO-4 86E85500
Device \Driver\Ftdisk \Device\HarddiskVolume1 86F671F8
Device \Driver\Cdrom \Device\CdRom0 86E73500
Device \Driver\Cdrom \Device\CdRom1 86E73500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73BCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F73BCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F73BCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F73BCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B8C1F8
Device \Driver\NetBT \Device\NetbiosSmb 86B8C1F8
Device \Driver\USBSTOR \Device\00000087 86B4A500
Device \Driver\USBSTOR \Device\00000088 86B4A500
Device \Driver\usbuhci \Device\USBFDO-0 86E84500
Device \Driver\usbuhci \Device\USBFDO-1 86E84500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B6D500
Device \Driver\usbuhci \Device\USBFDO-2 86E84500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B6D500
Device \Driver\usbuhci \Device\USBFDO-3 86E84500
Device \Driver\NetBT \Device\NetBT_Tcpip_{A17AEBD7-436D-4B3D-8E9C-38DCF8A06FF7} 86B8C1F8
Device \Driver\usbehci \Device\USBFDO-4 86E85500
Device \Driver\Ftdisk \Device\FtControl 86F671F8
Device \FileSystem\Cdfs \Cdfs 86B25500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x73 0xCF 0x94 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x73 0xCF 0x94 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 6074
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 6075

---- EOF - GMER 1.0.15 ----
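As an added example that is not part of this thread and not GMER's own code: a small Python triage script that parses the sections of a GMER log like the one posted above and summarises the hooks by owning module. The regular expressions are assumptions derived from the line formats visible in that log (SSDT, IAT, `.text` patch and "cannot find the file" lines); SAMPLE_LOG is a constructed subset of lines copied from the post. The point for a defender is that the summary shows which single driver owns the SSDT and IAT redirections and whether that driver could be read on disk, which is the first thing to identify before judging the log. GMER reports legitimate low-level drivers in the same way it reports malicious ones, so the output is a work list for the analyst, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the GMER log lines posted earlier
# in this thread, kept verbatim but trimmed to a few lines per kind.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-28 13:40:51

---- System - GMER 1.0.15 ----

SSDT spka.sys ZwCreateKey [0xF74420E0]
SSDT spka.sys ZwEnumerateKey [0xF7460CA4]
SSDT spka.sys ZwOpenKey [0xF74420C0]

---- Kernel code sections - GMER 1.0.15 ----

? spka.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F71A18AC 5 Bytes JMP 86F661D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F695E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7473C4C] spka.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7443042] spka.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

---- EOF - GMER 1.0.15 ----
"""

# Line patterns are assumptions inferred from the posted log, not a GMER spec.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]$")
IAT_RE = re.compile(
    r"^IAT\s+(\S+?)\[([^!\]]+)!([^\]]+)\]\s+"
    r"(?:\[([0-9A-Fa-f]+)\]\s+(\S+)|([0-9A-Fa-f]+))$"
)
PATCH_RE = re.compile(r"^\.text\s+(\S+)!(\S+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes\s+(.+)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")


def parse_gmer(text):
    """Split a GMER log into the findings an analyst reads first."""
    report = {
        "ssdt": defaultdict(list),   # hooking module -> [Zw* function, ...]
        "iat": [],                   # one dict per redirected import
        "patches": [],               # inline code patches in kernel images
        "missing": [],               # modules GMER could not open on disk
        "registry": 0,               # count of reported registry entries
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SSDT_RE.match(line)
        if m:
            report["ssdt"][m.group(1)].append(m.group(2))
            continue
        m = IAT_RE.match(line)
        if m:
            image, module, func, owned_addr, owner, bare_addr = m.groups()
            report["iat"].append({
                "image": image, "import": f"{module}!{func}",
                "target": owned_addr or bare_addr,
                "owner": owner,   # None when GMER did not attribute the target
            })
            continue
        m = PATCH_RE.match(line)
        if m:
            report["patches"].append(
                {"image": m.group(1), "symbol": m.group(2), "detail": m.group(5)})
            continue
        m = MISSING_RE.match(line)
        if m:
            report["missing"].append(m.group(1))
            continue
        if section == "Registry" and line.startswith("Reg "):
            report["registry"] += 1
    report["ssdt"] = dict(report["ssdt"])
    return report


def triage(report):
    """Turn the parsed log into ordered, human-readable findings."""
    findings = []
    for module, funcs in report["ssdt"].items():
        findings.append(f"{module} hooks {len(funcs)} SSDT entries: {', '.join(funcs)}")
    owners = defaultdict(set)
    for hook in report["iat"]:
        owners[hook["owner"] or "<unattributed>"].add(hook["image"])
    for owner, images in sorted(owners.items()):
        findings.append(f"{owner} redirects imports of {', '.join(sorted(images))}")
    for patch in report["patches"]:
        findings.append(f"{patch['image']}!{patch['symbol']} patched inline: {patch['detail']}")
    # A module that owns hooks but cannot be read on disk is the one to identify first.
    hooking = set(report["ssdt"]) | {h["owner"] for h in report["iat"] if h["owner"]}
    for module in report["missing"]:
        if module in hooking:
            findings.append(
                f"{module} hooks kernel tables but is not readable on disk; "
                f"identify the installed software that owns it before treating it as malware")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved gmer.log by reading the file into `parse_gmer` instead of SAMPLE_LOG; the registry section is only counted here because its meaning depends on which service the keys belong to, which the analyst has to check by hand.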

#6 boopme

Global Moderator

Posted 28 December 2009 - 07:34 PM

Hello, this log indicates malware that needs other tools to remove.
Use these instructions and include this log in that post.

You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#7 Chris Tettamanti

Topic Starter

Posted 29 December 2009 - 11:34 AM

The .scr program just opens up as a text doc when I click it. There isn't a "run" on the right-click menu. I tried to drop to DOS to use it and I got the same results. How can I "run" it in Windows? Also, I checked the file associations for .scr and there isn't anything connected to it... in fact .scr isn't on the extensions list.

Edited by Chris Tettamanti, 29 December 2009 - 11:41 AM.


#8 boopme

Global Moderator

Posted 29 December 2009 - 12:27 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop-down box set to the default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#9 Chris Tettamanti

Topic Starter

Posted 29 December 2009 - 01:21 PM

That worked. Thanks!

Chris

#10 Chris Tettamanti

Topic Starter

Posted 29 December 2009 - 02:17 PM

Nothing yet on the other board. Here is the link:

http://www.bleepingcomputer.com/forums/t/282523/malware-of-unknown-name/

Any suggestions?



