
Infected with HTTPS Tidserv Request


19 replies to this topic

#1 AngryPants

Posted 09 April 2010 - 10:38 PM

Last night Norton stopped an attempt of the Trojan.FakeAV from being installed on my computer, however apparently something has still circumvented Norton and has made its way onto my system. Every time I open Internet Explorer I get an 'intrusion attempt was blocked' message from Norton. I have no idea where to start to stop this from happening. I also get 'cannot read' application errors from IE quite often now. As for the Norton intrusion attempt popups, they all contain something similar to:

"An intrusion attempt by <ip> was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE"
Risk Name: HTTPS Tidserv Request 2
Traffic Description: TCP, https or www-http

Sometimes it lists IEXPLORE.EXE instead of SVCHOST.EXE. In these cases the Norton report also has an Attack URL, which is usually something like lk01ha71gg1.cc/<long stream of random characters>

A scan with Norton reveals no infected files. Ran ComboFix (log avail on request), but the problem remains. DDS.txt below, ark and attach txt files attached.
DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by AngryPants at 18:16:09.71 on Fri 04/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1165 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\GM SPO\eSI\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\GM SPO\eSI\Transbase\tbmux32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\AngryPants\Local Settings\Application Data\Lexar Media\LxrAutorun.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\MCUI32.EXE
C:\Documents and Settings\AngryPants\Desktop\dds.scr
C:\WINDOWS\system32\msiexec.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = 212.138.64.144:80
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [LxrAutorun] c:\documents and settings\angrypants\local settings\application data\lexar media\LxrAutorun.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
mRun: [SBDrvDet] "c:\program files\creative\sb drive det\SBDrvDet.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ANIWZCS2Service] "c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [laim] "c:\program files\aim lite\aimlite.exe" -autorun
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\angrypants\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: NoNetSetup = 0 (0x0)
uPolicies-explorer: NoPrinters = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D64CF6D4-45DF-4D8F-9F14-E65FADF2777C} - hxxp://www.dvrstation.com/pdvratl.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://63.225.131.124/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angrypants\applic~1\mozilla\firefox\profiles\7reg9rn6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-1-27 310320]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-8-3 77312]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-5 329592]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-1-4 72672]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R2 SITomcat;SI Tomcat;c:\program files\gm spo\esi\apache group\tomcat 4.1\bin\tomcat.exe [2003-10-27 65536]
R2 SITransbase;SI Transbase;c:\program files\gm spo\esi\transbase\tbmux32.exe [2001-11-20 165376]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-8 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-3 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100409.039\NAVENG.SYS [2010-4-9 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100409.039\NAVEX15.SYS [2010-4-9 1324720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2003-9-2 44032]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-18 30192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-04-09 21:12:41 0 d-sha-r- C:\cmdcons
2010-04-09 21:06:46 98816 ----a-w- c:\windows\sed.exe
2010-04-09 21:06:46 77312 ----a-w- c:\windows\MBR.exe
2010-04-09 21:06:46 261632 ----a-w- c:\windows\PEV.exe
2010-04-09 21:06:46 161792 ----a-w- c:\windows\SWREG.exe
2010-04-09 20:49:59 0 d-----w- c:\program files\XP TCPIP Repair
2010-03-29 04:26:54 0 d-----w- c:\docume~1\angrypants\applic~1\Facebook
2010-03-23 18:37:01 1990 ----a-w- C:\Invitation.msrcIncident

==================== Find3M ====================

2010-04-09 21:35:09 16118 ----a-w- c:\windows\system32\tablet.dat
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
1999-04-23 22:22:22 12 -csha-w- c:\windows\system\WININETICMP32.drv
2010-01-01 16:35:10 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 18:17:29.96 ===============

#2 Grinler

    Lawrence Abrams
Posted 12 April 2010 - 10:25 AM

Please download the attached tdl3.bat file and save it to your desktop. Once downloaded, double-click on it and post the contents as a reply to this topic.

This batch file was customized for this particular computer, so other people should not use it.

Attached Files

  • Attached File: tdl3.bat (301 bytes, 8 downloads)


#3 AngryPants


Posted 12 April 2010 - 11:27 AM

QUOTE(Grinler @ Apr 12 2010, 10:25 AM)
Please download the attached tdl3.bat file and save it to your desktop. Once downloaded, double-click on it and post the contents as a reply to this topic.

This batch file was customized for this particular computer, so other people should not use it.

Thanks for the response! Here is the log file:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaagp1
Type REG_DWORD 0x1
Start REG_DWORD 0x0
ErrorControl REG_DWORD 0x1
Tag REG_DWORD 0x4
ImagePath REG_EXPAND_SZ system32\DRIVERS\viaagp1.sys
DisplayName REG_SZ VIA AGP Filter
Group REG_SZ PnP Filter

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaagp1\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaagp1\Enum
0 REG_SZ PCI\VEN_1106&DEV_B188&SUBSYS_00000000&REV_00\3&13c0b0c5&0&08
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1



#4 Grinler


Posted 12 April 2010 - 11:34 AM

OK, we will need to do this the hard way unfortunately.

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#5 AngryPants


Posted 12 April 2010 - 12:41 PM

Ran combofix - log attached.

The last few days I have also been getting google redirects when performing searches, and occasionally popups when browsing sites that have no popups. The popups usually redirect through directrdr.com to something annoying.

I did run the TDSSKiller app from Kaspersky and it says the viasraid.sys file is infected with the TDSS rootkit, but even though it says it will repair the infection on reboot, it always remains. This is the only scanning tool that has ever found anything on my computer. I've even replaced the viasraid.sys file with a clean version off the XP disc and it still says it's infected though, so it might be a false positive.


#6 Grinler


Posted 12 April 2010 - 01:05 PM

Nod, tdsskiller is not updated for this variant yet. I see you had already run CF. Is the recovery console installed?

#7 AngryPants


Posted 12 April 2010 - 01:08 PM

QUOTE(Grinler @ Apr 12 2010, 01:05 PM)
Nod, tdsskiller is not updated for this variant yet. I see you had already run CF. Is the recovery console installed?

Lucky me! Yes, it's installed.

#8 Grinler


Posted 12 April 2010 - 01:23 PM

Download the attached rc.bat file and save it to your desktop. Then double-click on it.

Then reboot your computer, and when it asks what you want to boot into, select Recovery Console.

Once in the recovery console, at the command prompt type the following and then press enter:

fix.bat

The infected driver will now be replaced with the legitimate one.

Type exit to reboot and then post a new gmer scan.

Attached Files

  • Attached File: rc.bat (183 bytes, 8 downloads)


#9 AngryPants


Posted 12 April 2010 - 01:53 PM

Ran the rc.bat, but recovery console keeps blue screening when I try to load it (tried to load it normally and in safe mode). I booted in safe mode with command prompt and ran the fix.bat and it said the copy was successful. Rebooted normally and the unwanted system behaviors still persist.

Running GMER again now...
EDIT for GMER logs:

GMER is now bluescreening in a scsidriver (hard to see before it goes off) driver. I ran partial scans with System and Sections scanned and saved those logs. They are c/p'd below:


---- System - GMER 1.0.15 ----

SSDT 8A6E8D80 ZwAlertResumeThread
SSDT 8A697958 ZwAlertThread
SSDT 8A6D9450 ZwAllocateVirtualMemory
SSDT 8A6E1378 ZwAssignProcessToJobObject
SSDT 8A51D340 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAD61E130]
SSDT 8A6E9738 ZwCreateMutant
SSDT 8A6FE888 ZwCreateSymbolicLinkObject
SSDT 8A466240 ZwCreateThread
SSDT 8A6E4580 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAD61E3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAD61E910]
SSDT 8A6E45B8 ZwDuplicateObject
SSDT spgl.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spgl.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT 8A681DE0 ZwFreeVirtualMemory
SSDT 8A697438 ZwImpersonateAnonymousToken
SSDT 8A68CD80 ZwImpersonateThread
SSDT 8A4C50B0 ZwLoadDriver
SSDT 890452E8 ZwMapViewOfSection
SSDT 8A7019E0 ZwOpenEvent
SSDT spgl.sys ZwOpenKey [0xB9EA80C0]
SSDT 8A701A18 ZwOpenProcess
SSDT 89049058 ZwOpenProcessToken
SSDT 8A6FDD80 ZwOpenSection
SSDT 8A6FDDB8 ZwOpenThread
SSDT 8A6E69C0 ZwProtectVirtualMemory
SSDT spgl.sys ZwQueryKey [0xB9EC7108]
SSDT spgl.sys ZwQueryValueKey [0xB9EC6F88]
SSDT 8A7503C8 ZwResumeThread
SSDT 8904B058 ZwSetContextThread
SSDT 89041250 ZwSetInformationProcess
SSDT 8A6CF958 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAD61EB60]
SSDT 8A702580 ZwSuspendProcess
SSDT 89052058 ZwSuspendThread
SSDT 89054058 ZwTerminateProcess
SSDT 8A565058 ZwTerminateThread
SSDT 8A719B88 ZwUnmapViewOfSection
SSDT 8A7054B0 ZwWriteVirtualMemory

INT 0x62 ? 8AA91BF8
INT 0x63 ? 8AA94BF8
INT 0x82 ? 8AA91BF8
INT 0x94 ? 8A60EBF8
INT 0x94 ? 8A60EBF8
INT 0x94 ? 8A60EBF8
INT 0x94 ? 8A60EBF8
INT 0x94 ? 8A60EBF8
INT 0x94 ? 8A60EBF8



---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2410 80501C48 2 Bytes [30, E1] {XOR CL, AH}
.text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501C74 8 Bytes CALL E290A6E8
.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 2 Bytes [B0, E3] {MOV AL, 0xe3}
.text ntkrnlpa.exe!ZwCallbackReturn + 2470 80501CA8 2 Bytes [10, E9] {ADC CL, CH}
.text ntkrnlpa.exe!ZwCallbackReturn + 251C 80501D54 4 Bytes CALL 72D921AB
.text ...
? spgl.sys The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\viaagp1.sys entry point in ".rsrc" section [0xBA33E414]
.text USBPORT.SYS!DllUnload B8AD78AC 5 Bytes JMP 8A60E1D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1068] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01B0000A
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[2940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\wuauclt.exe[2940] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\wuauclt.exe[2940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[2940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\viaagp1.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by AngryPants, 12 April 2010 - 02:09 PM.
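A triage parser for GMER output of the kind posted above, added here as an example (it is not a tool from the thread, from GMER's author or from BleepingComputer). It assumes only the line shapes visible in the log and runs on a constructed excerpt of those lines; it surfaces the two defender-relevant signals in that log: SSDT hooks owned by a module GMER cannot map to a file on disk (spgl.sys), and a driver whose entry point sits in its own ".rsrc" section and which GMER also reports as modified (viaagp1.sys), while leaving hooks attributed to an on-disk vendor driver (SYMEVENT.SYS) unflagged.

```python
"""Triage of GMER 1.0.15 text output (added example; not a tool from the thread).

Groups SSDT hooks by the module GMER attributed them to and raises findings for
the two patterns in the log above: hooks owned by a module GMER cannot map to a
file on disk (spgl.sys), and a driver whose entry point lies in its own ".rsrc"
section and which GMER also reports as modified (viaagp1.sys).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the GMER log quoted in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A6E8D80 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAD61E130]
SSDT spgl.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spgl.sys ZwOpenKey [0xB9EA80C0]
SSDT spgl.sys ZwQueryValueKey [0xB9EC6F88]

---- Kernel code sections - GMER 1.0.15 ----

? spgl.sys The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\viaagp1.sys entry point in ".rsrc" section [0xBA33E414]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\viaagp1.sys suspicious modification
"""

# Line shapes as they appear in the posted log.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<target>.+?)\s+(?:\([^)]*\)\s+)?(?P<func>Zw\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
MISSING_RE = re.compile(r"^\?\s+(?P<mod>\S+)\s+The system cannot find the file specified\.")
RSRC_RE = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in "\.rsrc" section')
MODIFIED_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification")


@dataclass
class Finding:
    severity: str          # "high" or "info"
    subject: str           # module name, kernel address or driver path
    reason: str
    hooked: list[str] = field(default_factory=list)  # SSDT entries owned by subject


def classify_target(target: str) -> str:
    """'address': GMER gave only a kernel address; 'path': a file on disk;
    'unresolved': a bare module name GMER could not map to a file."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
        return "address"
    if "\\" in target:
        return "path"
    return "unresolved"


def triage_gmer(text: str) -> list[Finding]:
    hooks: dict[str, list[str]] = defaultdict(list)
    missing: set[str] = set()        # modules GMER could not open, lower-cased
    rsrc_entry: list[str] = []       # drivers whose entry point is in .rsrc
    modified: set[str] = set()       # paths GMER flagged as modified, lower-cased
    for line in text.splitlines():
        if m := SSDT_RE.match(line):
            hooks[m["target"]].append(m["func"])
        elif m := MISSING_RE.match(line):
            missing.add(m["mod"].lower())
        elif m := RSRC_RE.match(line):
            rsrc_entry.append(m["path"])
        elif m := MODIFIED_RE.match(line):
            modified.add(m["path"].lower())

    findings: list[Finding] = []
    for target, funcs in hooks.items():
        kind = classify_target(target)
        if kind == "unresolved":
            reason = "SSDT hooks owned by a module with no on-disk path"
            if target.lower() in missing:
                reason += " that GMER also cannot open"
            findings.append(Finding("high", target, reason, sorted(funcs)))
        elif kind == "address":
            findings.append(Finding("info", target,
                                    "SSDT hook to a bare kernel address", sorted(funcs)))
    for path in rsrc_entry:
        reason = 'driver entry point lies inside its ".rsrc" section'
        if path.lower() in modified:
            reason += "; GMER also reports the file as modified"
        findings.append(Finding("high", path, reason))
    return findings


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_LOG):
        print(f"[{f.severity}] {f.subject}: {f.reason}", ", ".join(f.hooked))
```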


#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,568 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:30 AM

Posted 12 April 2010 - 03:07 PM

Ok..we need to get into recovery mode to fix this.

Do you have a cd burner on your computer that we can create a bootable CD?

#11 AngryPants


Posted 12 April 2010 - 03:15 PM

QUOTE(Grinler @ Apr 12 2010, 03:07 PM)
Ok..we need to get into recovery mode to fix this.

Do you have a cd burner on your computer that we can create a bootable CD?

Sure do

#12 Grinler


Posted 12 April 2010 - 03:52 PM

Download the attached fix.bat to your C:\ folder.

Please download ISOBurner, which will allow you to burn the OTLPE ISO image to a CD and make it bootable. Just download and install the program and follow all the default installation prompts. If you already have a program that burns ISOs to a CD then you do not need this.


Second
  • Download the OTLPE.iso to your computer and burn it to the CD using ISOBurner. Information on how to burn an ISO image using ISOBurner can be found here.

    NOTE: This file is 292Mb in size so it may take some time to download.

  • When the file has finished downloading, double-click on it and ISOBurner will automatically open and prompt you to burn the ISO image to a CD.

  • Once it has finished creating the CD, reboot your system using the boot CD you just created.

    Note:If you do not know how to set your computer to boot from CD, please follow the steps here.

  • When the CD has finished booting your computer, you should now see a REATOGO-X-PE desktop.

  • Double-click on the OTLPE icon.

  • When asked "Do you wish to load the remote registry", select No

  • OTL should now start.

  • Click the red Run Fix button.

  • You should be presented with a message "No Fix has been Provided! Do you want to load it from a file?" Click Yes.

  • Browse to the fix.txt in the C:\ folder, and click Open. The fix will then appear in the Custom Scans/Fixes window.

  • Click the red Run Fix button again.

  • OTL should say the fix has been finished. Press OK and reboot the machine. Make sure you remove the OTLPE cd so you do not boot into it. Let the computer boot up normally.

  • When the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

  • Post that log as a reply to this topic.

Attached Files

  • Attached File: fix.txt (79 bytes, 11 downloads)


#13 AngryPants


Posted 12 April 2010 - 04:52 PM

========== FILES ==========
File C:\Windows\System32\Drivers\viaagp1.sys successfully replaced with C:\WINDOWS\viaagp1.sys

OTLPE by OldTimer - Version 3.1.37.1 log created on 04122010_173933


I think the fix is a success! I can perform google searches without any norton attack alerts, no more redirects, and I can use Google Chrome again (before it would just sit on "loading" forever and time out). The "disk drives" column is back in the device manager, and I can see my c:\ partition again in the computer management tool. GMER no longer shows any suspicious modifications.

Thanks a ton!

#14 Grinler


Posted 12 April 2010 - 05:02 PM

Terrific. Do me a favor and run ComboFix one more time and post the resulting log.

#15 AngryPants


Posted 12 April 2010 - 05:44 PM

Here you go
