Webhp virus and/or rootkit activity


  • This topic is locked
4 replies to this topic

#1 gambit19

  • Members
  • 2 posts

Posted 05 October 2010 - 08:16 PM

Recently I have been battling a series of viruses on my computer and thought I had them beat after downloading Malwarebytes. I had the hotfix.exe problem, and it fixed that one. Found a few trojans and the other usual suspects and thought that was it. But other problems persisted, such as redirects on google and super long shutdown cycles. I believe my rootkit problem is the same as presented in this topic: http://www.bleepingcomputer.com/forums/topic309331.html

I have already run GMER. Here is the log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-05 19:47:25
Windows 5.1.2600 Service Pack 3
Running: h3uiv36o.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdoapod.sys


---- System - GMER 1.0.15 ----

SSDT spuv.sys ZwCreateKey [0xF741C0E0]
SSDT spuv.sys ZwEnumerateKey [0xF7434DA4]
SSDT spuv.sys ZwEnumerateValueKey [0xF7435132]
SSDT spuv.sys ZwOpenKey [0xF741C0C0]
SSDT spuv.sys ZwQueryKey [0xF743520A]
SSDT spuv.sys ZwQueryValueKey [0xF743508A]
SSDT spuv.sys ZwSetValueKey [0xF743529C]

INT 0x63 ? 82FDABF8
INT 0x73 ? 82E6EF00
INT 0x82 ? 82FDABF8
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0xA4 ? 82E6EF00
INT 0xB4 ? 82E6EF00
INT 0xB4 ? 82E6EF00
INT 0xB4 ? 82E6EF00

---- Kernel code sections - GMER 1.0.15 ----

? spuv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F31D18AC 5 Bytes JMP 82E6E4E0
.text aag4abxz.SYS F30D7386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aag4abxz.SYS F30D73AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aag4abxz.SYS F30D73C4 3 Bytes [00, 80, 02]
.text aag4abxz.SYS F30D73C9 1 Byte [30]
.text aag4abxz.SYS F30D73C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.rsrc C:\WINDOWS\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF78FB814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C
.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C8000A
.text C:\WINDOWS\system32\svchost.exe[1180] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01C2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01C3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01C1000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 018F000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1724] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FD91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6ABF5AC6-69F2-4D33-B1D8-409D661D120E} 823FB1F8
Device \Driver\usbohci \Device\USBPDO-0 82E561F8
Device \Driver\usbohci \Device\USBPDO-1 82E561F8
Device \Driver\usbohci \Device\USBPDO-2 82E561F8
Device \Driver\usbehci \Device\USBPDO-3 82E751F8
Device \Driver\usbohci \Device\USBPDO-4 82E561F8
Device \Driver\usbohci \Device\USBPDO-5 82E561F8
Device \Driver\usbehci \Device\USBPDO-6 82E751F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82F6C1F8
Device \Driver\Cdrom \Device\CdRom0 82E701F8
Device \Driver\Cdrom \Device\CdRom1 82E701F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 823FB1F8
Device \Driver\PCI_PNP2374 \Device\0000003f spuv.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{90DF2E26-0480-4F5A-A38D-23456751C6FC} 823FB1F8
Device \Driver\NetBT \Device\NetbiosSmb 823FB1F8
Device \Driver\usbohci \Device\USBFDO-0 82E561F8
Device \Driver\usbohci \Device\USBFDO-1 82E561F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 823F71F8
Device \Driver\usbehci \Device\USBFDO-2 82E751F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 823F71F8
Device \Driver\usbohci \Device\USBFDO-3 82E561F8
Device \Driver\usbohci \Device\USBFDO-4 82E561F8
Device \Driver\Ftdisk \Device\FtControl 82F6C1F8
Device \Driver\usbehci \Device\USBFDO-5 82E751F8
Device \Driver\usbohci \Device\USBFDO-6 82E561F8
Device \Driver\sptd \Device\24462374 spuv.sys
Device \Driver\aag4abxz \Device\Scsi\aag4abxz1 82E771F8
Device \Driver\aag4abxz \Device\Scsi\aag4abxz1Port3Path0Target0Lun0 82E771F8
Device \FileSystem\Cdfs \Cdfs 823BF1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 82D9FEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0xF5 0x6F 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0xD8 0xEF 0x8C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\mouclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
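An added example, not part of the thread: a short Python triage script run over a subset of the GMER lines above, ranking the entries a responder would look at first. The severity levels and regular expressions are my own assumptions; the patched disk driver (atapi.sys) and the redirected \Device\Harddisk0\DR0 object are the entries that point at a TDL3-family rootkit, while SSDT hooks from a randomly named sp??.sys next to an sptd config key are what DAEMON Tools' SPTD driver normally produces.

```python
import re
# Constructed sample: a subset of lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
SSDT spuv.sys ZwCreateKey [0xF741C0E0]
SSDT spuv.sys ZwOpenKey [0xF741C0C0]
.text USBPORT.SYS!DllUnload F31D18AC 5 Bytes JMP 82E6E4E0
.text aag4abxz.SYS F30D7386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.rsrc C:\WINDOWS\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF78FB814]
Device \Driver\PCI_PNP2374 \Device\0000003f spuv.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 82D9FEC5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
File C:\WINDOWS\system32\DRIVERS\mouclass.sys suspicious modification
"""
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
PATCH_RE = re.compile(r"^\.text\s+(\S+\.sys)\s+[0-9A-F]{8}\s+\d+ Bytes? \[", re.I)
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")
REDIR_RE = re.compile(r"^Device -> (\\\S+) (\\\S+)")
SPTD_RE = re.compile(r"\\Services\\sptd\\", re.I)

def triage_gmer(log_text):
    """Return (severity, reason) findings in log order; SSDT hooks are summarised last."""
    findings, hooks = [], {}
    lines = log_text.splitlines()
    sptd_present = any(SPTD_RE.search(l) for l in lines)
    for line in lines:
        if m := SSDT_RE.match(line):
            hooks.setdefault(m.group(1), []).append(m.group(2))
        elif m := FILE_RE.match(line):
            # TDL3-family rootkits live inside a patched system driver (atapi.sys here)
            findings.append(("HIGH", f"on-disk driver patched: {m.group(1)}"))
        elif m := REDIR_RE.match(line):
            # disk device object redirected: I/O to DR0 is routed through foreign code
            findings.append(("HIGH", f"device object redirected: {m.group(1)} {m.group(2)}"))
        elif 'entry point in ".rsrc" section' in line:
            findings.append(("HIGH", f"entry point moved into .rsrc: {line.split()[1]}"))
        elif m := PATCH_RE.match(line):
            findings.append(("MEDIUM", f"in-memory code patch in driver: {m.group(1)}"))
    for mod, entries in hooks.items():
        # DAEMON Tools' SPTD driver loads as a randomly named sp??.sys and hooks the
        # registry SSDT entries; with an sptd config key present that is expected
        if sptd_present and re.fullmatch(r"sp[a-z]{2}\.sys", mod, re.I):
            findings.append(("LOW", f"SSDT hooks by {mod} consistent with SPTD ({len(entries)} entries)"))
        else:
            findings.append(("MEDIUM", f"SSDT hooks by {mod}: {', '.join(entries)}"))
    return findings

if __name__ == "__main__":
    print(*triage_gmer(SAMPLE_LOG), sep="\n")
```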



#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 October 2010 - 10:27 PM

Hi, gambit19

You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 gambit19
  • Topic Starter

  • Members
  • 2 posts

Posted 05 October 2010 - 10:44 PM

It's not your fault, but I got impatient. Sorry! After doing some research about my problem and discovering how common it is, I downloaded ComboFix, ran it, and just finished reading over the report. I also ran TDSSKiller as you recommended and it didn't find anything. My ComboFix log is attached so you can see what it found.


#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 October 2010 - 11:22 PM

Combofix was able to handle the TDL infection.

Let's check for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")



#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 October 2010 - 10:40 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
