BSOD in Safe Mode, Hidden Virus, Google Redirects


4 replies to this topic

#1 aweeks

  • Members
  • 3 posts

Posted 04 January 2010 - 02:33 AM

Microsoft Windows XP Professional Version 2002 Service Pack 2
Dell Latitude D520 Genuine Intel® CPU T2300 @ 1.66GHz

When I try to boot into Safe Mode (restart, F8), the drivers load all the way up to Mup.sys before freezing on a blue screen. On the blue screen is a question mark that is preceded by what looks like an L, except the L is flipped horizontally and rotated 90 degrees counter-clockwise. This problem existed before I did everything else in this post. I know because I tried to fix things in Safe Mode first.

I should note that all of the below began and usually occurs while browsing the internet in Firefox 3.5.6.

First, Security Center Alert popups informed me that I had a virus. They recommended that I download a specific anti-malware software that I can't recall the name of. This seemed to be a virus in and of itself. I ran a Quick Scan with Malwarebytes' Anti-Malware 1.43 (followed by a Full Scan that detected 0 infections):

Malwarebytes' Anti-Malware 1.43
Database version: 3460
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/31/2009 12:18:34 AM
mbam-log-2009-12-31 (00-18-34).txt

Scan type: Quick Scan
Objects scanned: 149076
Time elapsed: 16 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\H8SRTuovatsflcw.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3ca4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT631d.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\dhdhtrdhdrtr5y (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTaumhhlmuvq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTfrwhwxomju.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTikampniacu.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTesvihudiuq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3dfc.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3e0b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT9592.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.


After that, the BSOD in Safe Mode persisted. Now I get "Generic Host Process for Win32 Services" errors. Immediately after said errors, this pops up (might not be exact, but the gist of it):

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown initiated by NT AUTHORITY\SYSTEM.

Windows must now restart because the DCOM Server Process Launcher Service terminated unexpectedly.


Immediately preceding one of these shutdown notices, the following Application Error (Event ID: 1000) appeared in my Event Viewer (exact):

Faulting application svchost.exe, version 5.1.2600.2180, faulting module mshtml.dll, version 6.0.2900.3640, fault address 0x0008f510.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Windows Worms Doors Cleaner also informed me that I still have a virus.

When I search Google, I get spammy redirects. I tried updating Java to solve the redirect problem, which worked for about an hour. Now the redirects are back. Some examples:

http://soberadolescents.com/result.php?Key...f&Submit=Go

to

http://www.justclicklocal.com/citydir/Rale...4IlsuxeuEj8OQ**


http://grandmayan.com/result.php?Keywords=...6&Submit=Go

to

http://bridge1.admarketplace.net/ct?ctcook...onducive/l=COND

to

http://beta.apartmentfinder.com/search.asp...21189S114209140


I have since run several Malwarebytes' scans (both Full and Quick) to no avail. I have tried using Windows Worms Doors Cleaner to close the ports that it recommended and access Safe Mode. I have tried using Diagnostic Startup in msconfig to access Safe Mode. I am afraid to do much else out of fear of making the problem any worse.

Any help would be much appreciated. Thanks in advance.
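
An added example, written by the editor and not posted by aweeks or published by BleepingComputer or Malwarebytes, that parses the detail lines of the scan log quoted above and correlates the Rootkit.TDSS components through the random prefix they share. The log text is copied from the post; the regex for MBAM's line format and the prefix heuristic are the editor's own assumptions about how this log and this family behave.

```python
import re
from collections import Counter

# Detail section of the Malwarebytes log quoted in the post above (copied from the page, not constructed).
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\H8SRTuovatsflcw.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3ca4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT631d.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\dhdhtrdhdrtr5y (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTaumhhlmuvq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTfrwhwxomju.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTikampniacu.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTesvihudiuq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3dfc.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT3e0b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\ara e\Local Settings\Temp\H8SRT9592.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# Assumed MBAM 1.x line shape: "<item> (<Family.Name>) [-> Bad: (x) Good: (y)] -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[\w.]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection, tagged with the section it was listed under."""
    section, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
        elif line and section and not line.startswith("(No malicious"):
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"section": section, **m.groupdict()})
    return entries


def family_prefixes(entries, family="Rootkit.TDSS"):
    r"""Heuristic: the rootkit's service key HKLM\SOFTWARE\<prefix> gives the random
    prefix that its driver, DLLs and dropped temp files also carry."""
    return {e["item"].rsplit("\\", 1)[-1] for e in entries
            if e["section"] == "Registry Keys" and e["category"] == family}


def components(entries, prefix):
    """Every listed file whose basename carries the prefix, whatever label MBAM gave it."""
    return sorted(e["item"] for e in entries
                  if e["section"] == "Files"
                  and e["item"].rsplit("\\", 1)[-1].startswith(prefix))


def security_center_tampering(entries):
    """Security Center values found in the 'bad' state (notifications switched off)."""
    return [e["item"] for e in entries
            if e["category"] == "Disabled.SecurityCenter" and e["bad"] == "1"]


def category_counts(entries):
    return Counter(e["category"] for e in entries)


if __name__ == "__main__":
    found = parse_mbam_log(MBAM_LOG)
    print(category_counts(found))
    for prefix in family_prefixes(found):
        print(prefix, "components:")
        for path in components(found, prefix):
            print("   ", path)
    print("Security Center tampering:", security_center_tampering(found))
```

The prefix match pulls in the two Temp\H8SRT*.tmp files that MBAM labelled Trojan.Downloader rather than Rootkit.TDSS, which is the point of correlating on the name instead of the family label: per-file labels vary, the service name does not. What the log cannot show is just as important: it lists files and keys that were quarantined, but the Dr.Web excerpt quoted later in this thread describes the kernel component of this family as a patch inside an existing storage driver, which no line of this log names, so repeated clean scans were never proof that the box was clean.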


#2 aweeks (Topic Starter)

  • Members
  • 3 posts

Posted 05 January 2010 - 05:20 PM

Hi again,

My mom needs her laptop when she goes out of town on Friday because she works online. I'm hoping I can get it fixed for her before she leaves. Can anyone help?

Thanks

#3 trev47

  • Members
  • 113 posts

Posted 06 January 2010 - 12:03 AM

Try running TDSSKiller from Kaspersky. Get it here: http://support.kaspersky.com/viruses/solutions?qid=208280684
Then run Malwarebytes again and make sure you update it before the scan.
Download ATF Cleaner from http://www.atribune.org/index.php?option=c...5&Itemid=25, select all, and also clean the items in the Firefox tab.
Next run an online AV scan at http://www.eset.com/onlinescan/
After your infection is gone, update the PC at Windows Update. You are missing a lot of important updates.

Edited by trev47, 06 January 2010 - 12:05 AM.


#4 aweeks (Topic Starter)

  • Members
  • 3 posts

Posted 14 January 2010 - 02:13 AM

Thanks, but I decided to just go ahead and reformat and reinstall Windows. Everything looks clean now.

#5 Union_Thug

    Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 14 January 2010 - 04:52 AM

Thanks, but I decided to just go ahead and reformat and reinstall Windows. Everything looks clean now.


A wise choice, IMHO. The rootkits out there now are MONSTERS.

BackDoor.Tdss.565 and its modifications (aka TDL3)

www.drweb.com/static/BackDoor.Tdss.565_(aka%20TDL3)_en.pdf

This piece of malware — a rootkit — presented surprises within minutes after the analysis of its anatomy got underway. For instance, its non-typical method for injection into a system process during installation was something completely unexpected. Though documented, the method has never been implemented in any known virus before and therefore it allows the rootkit to bypass most behaviour blockers, install its driver and yet remain undetected.

Now the installation continues in the kernel mode. The rootkit searches through the stack of devices responsible for interaction with the system disk to determine the driver it is going to infect, its future victim. The choice depends on the hardware configuration. If the system disk uses the IDE interface, it will pick out atapi.sys, in other cases it can be iastor.sys. There are rootkits that infect file system and network drivers or even the system kernel to ensure their automatic launch... and this instance is not an exception. Note that the file size remains the same as the malicious code is written over a part of the resources section. In fact, the piece of code only occupies 896 bytes (in later versions it is reduced to 481 bytes) and it loads the main body of the rootkit. At the same time it changes the entry point, sets the driver signature link to null and the file's hash sum is recalculated. Addresses of API functions used by the loader for infection are located in its body as RVAs. On one hand it makes the loader much smaller, on the other it complicates analysis of the infected driver in the system that uses a different version of the kernel.


snip

The rootkit's later versions (BackDoor.Tdss.1030 (Rootkit.Win32.TDSS.y)) store original resources data and their body on the hidden encrypted drive in rsrc.dat and tdl files respectively, which significantly simplifies its updating.

Upon completion of the installation, the driver returns a STATUS_TOO_MANY_SECRETS (0xC0000154) error that informs user mode components that installation has completed successfully and makes the system unload the driver that is no longer used by the rootkit....

Much more in the report at link.



StealthMBR gets a makeover

http://www.avertlabs.com/research/blog/ind...ets-a-makeover/

New variants of the StealthMBR trojan aka Mebroot rootkit have recently been spotted in-the-wild. These new variants are significantly different from earlier ones.

StealthMBR has arguably been dubbed as the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter out access to the master boot record and prevent detection and repair. As opposed to earlier variants, which installed lower level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. And these hooks too are not present all the time but only installed on an on-demand basis. The hijacked disk device object is used to facilitate this. Detection is not the only problem; this threat also poses cleaning challenges by installing watching mechanisms to re-infect the machine.....

More at the link.


http://www.threatexpert.com/report.aspx?md...cd59aaf28308d50

New MBR rootkit goes undetected

MBR rootkit changes itself and strikes again

Edited by Union_Thug, 14 January 2010 - 05:00 AM.
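
An added example, written for this page by the editor and not taken from the Dr.Web report, the Avert post or any vendor tool, that turns the infection pattern in the Dr.Web excerpt into three PE header checks a responder can run on a copy of atapi.sys or iastor.sys: is the entry point inside the resource section, is the Authenticode security directory empty (the editor's reading of the report's "driver signature link", an assumption), and does the stored checksum still match. The two driver images are constructed in memory for the demonstration; the "loader" is a run of placeholder NOP bytes, not real code, and its 0x40-byte size is arbitrary rather than the report's 896 or 481 bytes.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table; assumed to be the "signature link"
SECTION_HDR = 40                     # size of one IMAGE_SECTION_HEADER


def pe_checksum(data, checksum_off):
    """PE header checksum (the CheckSumMappedFile algorithm, as pefile implements it):
    sum 32-bit words with end-around carry, skipping the CheckSum field itself,
    fold to 16 bits and add the file length."""
    length = len(data)
    if length % 4:
        data = data + b"\0" * (4 - length % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + length


def build_driver(infected):
    """CONSTRUCTED PE32 image with a .text and a .rsrc section; not a real driver.
    infected=True reproduces the pattern from the Dr.Web excerpt: a small loader
    written over the tail of .rsrc, entry point moved onto it, signature directory
    nulled, file size unchanged, checksum recomputed."""
    text_off, rsrc_off, size = 0x200, 0x400, 0x600
    text_rva, rsrc_rva, rsrc_len = 0x1000, 0x2000, 0x180
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                         # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, 224-byte PE32 optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<I", img, opt + 16, text_rva)                 # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x10000, 0x1000, 0x200) # ImageBase, Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", img, opt + 68, 1)                        # Subsystem NATIVE, as for a driver
    struct.pack_into("<I", img, opt + 92, 16)                       # NumberOfRvaAndSizes
    sec_dir = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", img, sec_dir, 0x580, 0x80)              # pretend signature blob at file end
    sect = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", img, sect, b".text", 0x200, text_rva, 0x200, text_off,
                     0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sect + SECTION_HDR, b".rsrc", rsrc_len, rsrc_rva,
                     rsrc_len, rsrc_off, 0, 0, 0, 0, 0x40000040)
    img[text_off:text_off + 0x200] = b"\xC3" * 0x200                # stand-in for driver code
    img[rsrc_off:rsrc_off + rsrc_len] = b"R" * rsrc_len             # stand-in for resource data
    if infected:
        stub_len = 0x40                                             # arbitrary placeholder size
        stub_off = rsrc_off + rsrc_len - stub_len
        img[stub_off:stub_off + stub_len] = b"\x90" * stub_len      # placeholder loader, not real code
        struct.pack_into("<I", img, opt + 16, rsrc_rva + rsrc_len - stub_len)  # entry point -> .rsrc
        struct.pack_into("<II", img, sec_dir, 0, 0)                 # "signature link" set to null
    # Both variants carry a valid checksum: the report says the rootkit recomputes it.
    struct.pack_into("<I", img, opt + 64, pe_checksum(bytes(img), opt + 64))
    return bytes(img)


def analyse(img):
    """Header-level checks for the infection pattern; returns a dict of findings."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    nsect = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    stored = struct.unpack_from("<I", img, opt + 64)[0]
    sec_off, sec_len = struct.unpack_from("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    entry_section = None
    for i in range(nsect):
        name, vsize, va, rawsize, _ = struct.unpack_from("<8sIIII", img, opt + opt_size + i * SECTION_HDR)
        if va <= entry < va + max(vsize, rawsize):
            entry_section = name.rstrip(b"\0").decode()
    return {
        "entry_section": entry_section,
        "entry_in_resources": entry_section == ".rsrc",
        "signature_directory_empty": sec_off == 0 and sec_len == 0,
        "checksum_valid": stored == pe_checksum(img, opt + 64),
    }


if __name__ == "__main__":
    for label, flag in (("clean", False), ("tdl3-style", True)):
        print(label, analyse(build_driver(flag)))
```

Running it reports the clean image with its entry point in .text, a populated signature directory and a valid checksum, and the infected one with the entry point in .rsrc, an empty signature directory and, still, a valid checksum. That last field is the practical lesson from the excerpt: because the rootkit recomputes the checksum, checksum verification alone cannot see this infection, while an entry point that lands in the resource section is not something a legitimately built driver does. Two caveats for real triage on an XP machine: Microsoft's in-box drivers such as atapi.sys are catalog-signed rather than carrying an embedded Authenticode blob, so an empty security directory is normal for them and is not evidence by itself; and the reliable check remains comparing the driver against a known-good copy of the same version, read from a boot disc rather than through the running kernel, since rootkits of this class filter disk access (the Avert excerpt above describes exactly that for StealthMBR).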




