
Random Popups And IP Connections


This topic is locked
19 replies to this topic

#1 stuff4096

stuff4096

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:45 AM

Posted 13 June 2010 - 01:40 PM

About a month ago I started noticing tabs randomly popping up in Firefox when I browse the Internet. I usually get one or two a day, usually within the first half hour of browsing. The last things I remember installing prior to the problems occurring are the newest version of Firefox (3.6.3) and the latest version of Java (6, update 20).

In addition to the random tabs popping up, my McAfee firewall has been displaying svchost.exe accessing random IP addresses for no apparent reason. Between these occurrences and the random popups, I began to suspect malware or other issues. Also, svchost.exe occasionally crashes when I am not connected to the Internet (the kind of crash that attempts to send a report to Microsoft with debug information).

I installed Malwarebytes' Anti-Malware and tried scanning my system. It discovered Adware.Minibug and it was able to remove the offending files. This did not stop either symptom though.

I attempted to run GMER as directed; however, it has failed to complete successfully. I let it run overnight for almost 14 hours and discovered my system was frozen. It appeared to complete scanning but I could not save the log. I tried running it a second time today but it seemed to stop abruptly, not listing anywhere near the amount of files as the overnight scan. On top of that, my system was unable to access the hard drives anymore. I am attaching the partial log anyhow, as those results seem to show up consistently and quickly.

Any help would be greatly appreciated. Thanks in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:18:34.31 on Fri 06/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.283 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\System32\umonit.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\Download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://us6.hpwis.com/
uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
mSearch Bar = hxxp://srch-us6.hpwis.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\SearchEnh1.dll
BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: ZeroBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\netzero\Toolbar.dll
TB: McAfee VirusScan: {acb1e670-3217-45c4-a021-6b829a8a27cb} - c:\program files\mcafee\mcafee virusscan\VSCShellExtension.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\toolbar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WallPaper] c:\wallpaperchanger_v1_86\Wallpaper.exe /h
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [POINTER] point32.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [UMonit] c:\windows\system32\umonit.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [McAfee Guardian] "c:\program files\mcafee\mcafee shared components\guardian\CMGRDIAN.EXE" /SU
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Display All Images with Full Quality - c:\program files\netzero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\netzero\qsacc\appres.dll/227
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_20.dll
LSP: c:\windows\system32\CSLSP.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/2583465169aef7199522/netzip/RdxIE601.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3j3rhrrp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-11 18:25:10 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-06 16:08:02 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-06-06 16:07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 16:07:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 16:07:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-06 16:07:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 17:28:03 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-28 17:28:03 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-28 17:27:57 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-28 17:27:57 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-24 01:01:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-23 15:23:42 0 d-----w- c:\program files\Microsoft Windows Malicious Software Removal Tool
2010-05-23 15:09:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-23 15:05:48 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-23 15:05:10 0 d-----w- c:\program files\Lavasoft
2010-05-21 12:18:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 21:57:55 0 d-----w- C:\eclipse_workspace

==================== Find3M ====================

2010-04-15 21:04:14 39488 ----a-w- c:\windows\system32\drivers\Pcouffin.sys
2010-04-10 20:05:11 87608 ----a-w- c:\docume~1\owner\applic~1\inst.exe
2010-04-10 20:05:11 47360 ----a-w- c:\docume~1\owner\applic~1\pcouffin.sys
2005-05-13 21:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 15:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 01:27:00 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 00:14:52 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 15:24:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 19:19:47.60 ===============
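The DDS report above is the kind of thing a helper reads by eye. The script below is an added example (not part of the thread, and not DDS's or any vendor's code) of how the same first pass can be automated. It walks DDS-format lines and collects the entries an analyst checks first: Hosts entries that map a site to loopback (DDS prints only non-default entries, and the one above points a security-help site at 127.0.0.1), Winsock LSP DLLs, executables under the Windows directory carrying system+hidden attributes, and executables stored under a user's Application Data folder. The sample input is constructed from the shape of the lines in the report. Findings are review items, not verdicts: legitimate software such as codec packs also drops hidden system files.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in DDS report format. The lines mirror the shape of the
# Hosts, LSP, "Created Last 30" and "Find3M" entries in the post above; the
# attribute field is DDS's 8-character flag string (d=directory, s=system,
# h=hidden, a=archive, r=read-only, w=writable).
SAMPLE_DDS = r"""
Hosts: 127.0.0.1 www.spywareinfo.com
LSP: c:\windows\system32\CSLSP.DLL
2010-06-06 16:08:02 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-05-28 17:28:03 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-04-15 21:04:14 39488 ----a-w- c:\windows\system32\drivers\Pcouffin.sys
2010-04-10 20:05:11 87608 ----a-w- c:\docume~1\owner\applic~1\inst.exe
2005-05-13 21:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 15:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 01:27:00 422400 --sha-r- c:\windows\x2.64.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
"""

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

# "YYYY-MM-DD HH:MM:SS size attrs path", as in the Created Last 30 / Find3M sections
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$")
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
LSP_LINE = re.compile(r"^LSP:\s+(.+)$")


@dataclass
class Finding:
    category: str   # hosts | lsp | hidden-system-exe | exe-in-profile
    item: str       # the path or host name the finding is about
    reason: str


def triage_dds(report: str) -> list[Finding]:
    """Walk a DDS report and collect the entries an analyst should look at first."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = HOSTS_LINE.match(line)
        if m:
            ip, name = m.groups()
            # DDS lists only non-default hosts entries, so each one deserves a look;
            # a loopback mapping silently blocks that site by name.
            if ip in ("127.0.0.1", "0.0.0.0"):
                findings.append(Finding("hosts", name, f"{name} is mapped to {ip}: the site is unreachable by name"))
            continue

        m = LSP_LINE.match(line)
        if m:
            # A Winsock LSP sits in the path of every socket call, so confirm which
            # installed product owns the DLL.
            findings.append(Finding("lsp", m.group(1), "Winsock LSP DLL: confirm it belongs to an installed product"))
            continue

        m = FILE_LINE.match(line)
        if m:
            size, attrs, path = m.groups()
            lower = path.lower()
            if "d" in attrs or not lower.endswith(EXEC_EXT):
                continue  # directories and non-executables are not triaged here
            if "s" in attrs and "h" in attrs and lower.startswith("c:\\windows"):
                findings.append(Finding("hidden-system-exe", path,
                                        f"{size}-byte executable under Windows with system+hidden attributes ({attrs})"))
            elif "applic~1" in lower or "application data" in lower:
                findings.append(Finding("exe-in-profile", path, "executable stored in a user's Application Data folder"))
    return findings


def by_category(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.category}] {f.item}: {f.reason}")
    print(by_category(triage_dds(SAMPLE_DDS)))
```

Each category maps to a different follow-up: a hosts entry is reversed by editing the hosts file, an LSP is matched against installed products before anything is removed (deleting an LSP DLL without fixing the Winsock chain breaks networking), and the flagged executables are checked by hash and publisher before any verdict.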



#2 stuff4096

Posted 15 June 2010 - 08:33 PM

Just as an update:

This information was missing from the GMER log I attached in my original post.

Also, after some research it seems like my symptoms match an atapi.sys rootkit. I have not tried using TDSSKiller for fear it might cause other problems. I have also attempted to replace atapi.sys with one from a clean system and that did not appear to work.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-15 21:29:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxldipod.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 836CFD01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:45 AM

Posted 18 June 2010 - 07:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 stuff4096

Posted 19 June 2010 - 09:03 AM

Hi,

Thank you for replying to my request. I was about to post another update when I saw your reply.

I ran TDSSKiller and it found and cleaned another .sys file. As of now the symptoms seem to be gone, though I am continuing to monitor them.

I read that the TDSS/TDL3 rootkit creates its own filesystem at the end of the hard drive. While I am currently not seeing any of the original symptoms, I am still concerned that these rogue files are still on my hard drive.

At this point, I would like to request your assistance in verifying that my system is really clean. I started up GMER and it no longer reports suspicious modification of atapi.sys, but I have not run a full GMER scan. As I mentioned in my original post, I have not been able to run it all the way through and it takes a very long time to run on my system.

As always, I appreciate any assistance you can provide.

Thanks!

#5 m0le

Posted 19 June 2010 - 04:27 PM

Do you still have the TDSSKiller log?

#6 stuff4096

Posted 20 June 2010 - 12:27 PM

Unfortunately I do not. I tried to look at the log file myself, but it looked like it was a binary file instead of an ASCII file. After the symptoms went away, I did not think the logs would still be useful (especially since I could not read them), so I deleted them.

I can run tdsskiller again if you need, but I assume you wanted the original log file where tdsskiller cleaned my system?

#7 m0le

Posted 20 June 2010 - 03:47 PM

Without the original log we only have the option of the rerun. If it wasn't cleaned the first time then TDSSKiller will tell me.

Run it again and post the log.

#8 stuff4096

Posted 20 June 2010 - 04:22 PM

Here is the TDSSKiller log you requested.

#9 m0le

Posted 20 June 2010 - 05:10 PM

That's a nice clean TDSSKiller log.

Please run ESET and we'll check for bits and pieces.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#10 stuff4096

Posted 21 June 2010 - 09:37 PM

I ran ESET OnlineScan as you requested. Unfortunately, it was not as clean as I had hoped. Attached is the log I saved, per the instructions you provided.

#11 m0le

Posted 22 June 2010 - 01:16 PM

That's not as bad as you fear.

They are legitimate program files which are infected. Most tools we are using would only read these as legitimate files but ESET and other scanners actually scan all the files looking for infections. What ESET has done has removed the files which caused the infection in the first place and that is why we use it after the main cleaning.

How is the PC now running?

#12 stuff4096

Posted 22 June 2010 - 03:53 PM

My PC seems to be running fine. As I mentioned before, the primary symptoms I observed (random popups in Firefox and svchost accessing random IP addresses) appear to have stopped. I have been carefully monitoring the random IP address access in particular and nothing out of the ordinary has occurred since running TDSSKiller. I was really just concerned about things that may have been left behind. I read that TDSS creates its own filesystem at the end of the hard drive, so I was worried that those files were still hanging around.

In your opinion, does my PC seem clean after seeing the logs from running all of these scanners? I have been avoiding updating Windows since your original post said that might interfere with the debugging effort, so I would like to do that as soon as you think I am good to go.

Thanks again for all of your assistance so far. I appreciate the help very much!

#13 m0le

Posted 22 June 2010 - 06:14 PM

QUOTE
In your opinion, does my PC seem clean after seeing the logs from running all of these scanners?


In a word, yes. There's nothing left from the TDSS threat that I can see. You are right to be cautious of this rootkit; it is nasty, so let's run a final check with GMER. It should run much more quickly now. If it doesn't, then run it with only the SECTIONS option checked.

#14 stuff4096

Posted 23 June 2010 - 08:47 PM

OK, I will run GMER again. I will do it as soon as I get a chance, but it may be a couple of days before I can run it again, as I will be away tomorrow. As soon as I can run GMER, I will post the results.

#15 stuff4096

Posted 26 June 2010 - 10:19 AM

I re-ran GMER and it finished (like last time), but it killed my mouse (i.e. my mouse pointer disappeared) so I could not save the log. I was able to scroll through the results and it called out a lot of programs in the Program Files directory (just like the first time, though a different set of files). I re-ran GMER with only the SECTIONS checked like you said and GMER reported no system modifications. Does GMER only report problem files, or could it call out stuff that is not infected?

I also ran McAfee Rootkit Detective and I was wondering if you knew how to interpret the results. I tried posting on the McAfee forums but never got a response. The one suspicious thing is the following:

Object-Type: IAT/EAT-hook
PID: 1728
Details: Import : Function : VSCShellExtensionRes.dll:KERNEL32.dll!LoadLibraryA Should be : KERNEL32.dll:7C801D7B But is : C:\WINDOWS\Explorer.EXE:000059D0
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1728
Details: Import : Function : VSCShellExtensionRes.dll:KERNEL32.dll!TerminateProcess Should be : KERNEL32.dll:7C801E1A But is : C:\WINDOWS\Explorer.EXE:0000572A
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

I could not tell if this meant something was infected or not. I attached the full log in case that is useful.
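The two Rootkit Detective records above are easier to judge once they are broken into fields. The script below is an added example (not from the thread, and not McAfee's code) that parses IAT/EAT-hook records in that format and classifies each one by where the import now resolves: still into the expected module, into the hooked process's own image (both records above: the target is C:\WINDOWS\Explorer.EXE), or into some other module, which is the case that names a file to verify next (location, publisher signature, owning product). A third record with a constructed process, module name and addresses is embedded to show that last case; the first two are the records quoted in the post.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename  # splits Windows paths correctly on any OS

# Sample input: the two records quoted in the post above, plus a third record
# whose process, module name and addresses are constructed for illustration.
SAMPLE_LOG = r"""
Object-Type: IAT/EAT-hook
PID: 1728
Details: Import : Function : VSCShellExtensionRes.dll:KERNEL32.dll!LoadLibraryA Should be : KERNEL32.dll:7C801D7B But is : C:\WINDOWS\Explorer.EXE:000059D0
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1728
Details: Import : Function : VSCShellExtensionRes.dll:KERNEL32.dll!TerminateProcess Should be : KERNEL32.dll:7C801E1A But is : C:\WINDOWS\Explorer.EXE:0000572A
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 9999
Details: Import : Function : example.dll:KERNEL32.dll!CreateFileW Should be : KERNEL32.dll:7C801A28 But is : C:\WINDOWS\system32\constructed_hook.dll:00001000
Object-Path: C:\constructed\example.exe
Status: Hooked
"""

# "Import : Function : <importer>:<module>!<func> Should be : <module>:<addr> But is : <path>:<offset>"
DETAILS = re.compile(
    r"Import : Function : (?P<importer>[^:]+):(?P<module>[^!]+)!(?P<func>\S+)"
    r" Should be : (?P<exp_mod>[^:]+):(?P<exp_addr>[0-9A-Fa-f]+)"
    r" But is : (?P<target>.+):(?P<offset>[0-9A-Fa-f]+)$"
)


@dataclass
class Hook:
    pid: int
    process: str          # Object-Path: the process whose import table is hooked
    importer: str         # module whose IAT entry was rewritten
    function: str         # "module!function" the entry is supposed to reach
    expected_module: str
    expected_addr: int
    target: str           # file the entry now points into
    offset: int

    def verdict(self) -> str:
        """Classify by the module that now owns the import's target address."""
        target_name = basename(self.target).lower()
        if target_name == self.expected_module.lower():
            return "not-redirected"
        if target_name == basename(self.process).lower():
            return "redirected-into-process-image"
        return "redirected-into-other-module"


def parse_records(text: str) -> list[dict[str, str]]:
    """Split the tool's "Key: value" blocks (separated by blank lines) into dicts."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_hooks(text: str) -> list[Hook]:
    """Turn IAT/EAT-hook records into Hook objects; other object types are ignored."""
    hooks: list[Hook] = []
    for rec in parse_records(text):
        if rec.get("Object-Type") != "IAT/EAT-hook":
            continue
        m = DETAILS.match(rec.get("Details", ""))
        if not m:
            continue  # unrecognised Details layout: leave it for manual review
        hooks.append(Hook(
            pid=int(rec["PID"]),
            process=rec["Object-Path"],
            importer=m["importer"],
            function=f"{m['module']}!{m['func']}",
            expected_module=m["exp_mod"],
            expected_addr=int(m["exp_addr"], 16),
            target=m["target"],
            offset=int(m["offset"], 16),
        ))
    return hooks


def summarize(hooks: list[Hook]) -> dict[str, int]:
    """Count hooks per verdict so the analyst sees which files need verifying."""
    return dict(Counter(h.verdict() for h in hooks))


if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_LOG):
        print(f"PID {h.pid} {h.importer} -> {h.function}: {h.verdict()} ({h.target}+{h.offset:#x})")
```

The tool reports hooks, not verdicts: security products, including the McAfee shell extension named in the importer field, redirect these same APIs. Whether a hook is a problem comes down to identifying the module that owns the target address, and the verdict field narrows that to one file per record.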
