Think Point + lots of residual malware

2 replies to this topic

#1 Atlast


  • Members
  • 2 posts
  • Local time:01:46 AM

Posted 05 November 2010 - 01:18 AM


I was just infected by the Think Point & Vundo malware, but it seems there are additional infections. During the initial infection I foolishly allowed a malicious .exe internet access; it downloaded assorted .exe's which I blocked from accessing the internet. I then rebooted and was confronted by the fake Think Point virus scan offer. I clicked through it (using the fake allow unsafe mode), then used processhacker, as my taskmgr was blocked, to end hotfix.exe and removed hotfix.exe. I ran malwarebytes and it found & fixed other malware and vundo; the first attachment is the resulting log of this initial clean-up.

The residual malware among other things prevents internet explorer and opera from starting; the iexplorer and opera processes appear in taskmgr but no gui appears. Chrome starts up but does not respond to urls typed in the address bar. Firefox detected that the 'system proxy' (I never had one, suspect this might be a leftover from the infection) was unresponsive and I was able to manually select 'don't use a proxy' to render firefox usable. I then checked the internet options through control panel where a proxy at was listed. I removed that local ip and unchecked 'use proxy' but ie/opera/chrome still don't work. However, using the sysinternals process monitor utility allows both internet explorer and opera to start normally while processmonitor is capturing events; chrome still does not load any url.

I believe one of the trojans also started multiple services that are not set to automatically start by default, a list of said services is attached in the first screenshot. Furthermore sometimes mshta.exe appears in taskmgr accessing an external url funnyfishshow(.)com/obana.php?rkgh=(numbers), second screenshot. I believe I have experienced 1 automatic opening of a url in firefox, something similar to childloss(.)com?xurl=h(elite speak url).com/(long series of numbers & letters)?ref=childloss.com.

System stability is compromised: random reboots occur (gmer scan was interrupted by one) and sometimes loading windows is difficult; it hangs at the welcome screen (hard reset required) or hangs during explorer loading (taskmgr killing explorer.exe and new task explorer recovers this).

DDS log is also attached. I will now attempt a gmer scan again (the earlier one did reveal a possible rootkit at a high sector count but virtual drive was not yet disabled).

Thanks in advance for any help.

Edit: Can't seem to reply, post.php is being blocked? I just tried pastebin.com to upload the dds and it also gives a 'connection reset' error. Also can't add the full dds log as text in here, so I pasted the rootkit info there. As I can't reply (malware blocking post.php?) using this forum will be difficult...


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-32TMA0 rev.12.01C01 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B47E446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b484504]; MOV EAX, [0x8b484580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;

1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8B529AB8]
3 CLASSPNP[0xB80F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\0000007f[0x8B52DE38]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8B506D98]
\Driver\atapi[0x8B48F9D0] -> IRP_MJ_CREATE -> 0x8B47E446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a;

ROR BYTE [BP+0x0], CL; INC BP; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD5000AAKS-32TMA0___________________12.01C01#5&32772958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x8B47E292
user != kernel MBR !!!
sectors 976771053 (+213): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

Filesystem trace:
called modules: ntkrnlpa.exe hal.dll sr.sys Ntfs.sys
1 ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8B453A08]
3 sr[0xB7EC6870] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8B452020]
5 ntkrnlpa[0x8057F97D] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8B453A08]
7 sr[0xB7EC1453] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8B452020]

Registry trace:
called modules: ntkrnlpa.exe hal.dll

============= FINISH: 7:38:39.09 ===============


Edited by Atlast, 05 November 2010 - 02:08 AM.



#2 Atlast

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:46 AM

Posted 05 November 2010 - 03:41 AM

Sorry, I think I fixed it myself. As I couldn't reply earlier due to the malware blocking post.php (I think) to post a full dds log combined with some time later this site actually becoming unreachable (it looked to be of malware origin again) I was afraid the malware was progressing with its disabling effect. Hitmanpro detected & removed a rootkit identified as possibly TDL3 Alureon. I guess I should've tried hitmanpro first but as mwam detected nothing I was sceptical.

I tried to delete this topic but there was no such option. I'm posting this as a reply and not an edit to the op to lower the urgency of this thread since it's fixed. Sorry for the clutter.

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:46 AM

Posted 05 November 2010 - 02:26 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
