Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please help I downloaded the koobface virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 orbiter9

orbiter9

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:42 AM

Posted 05 December 2010 - 03:48 PM

Yesterday my computer was infected by what I think is the koobface virus. A friend of mine send me a link on facebook and it sent me to a site that I later realized was youtube.com not youtube.com I stupidly downloaded the fake flash update and wham, got a virus. So far I've noticed that when I do a search on google and try to open up a link with a new tab that I am redirected to some ad site. I've also noticed that svchost ris using way more memory than normal.

So far I've tried to fix the problem by using malwarebytes and combofix. Nothing has done the job. As requested you'll find the necessary logs below and attached. Thanks you so muvch for volunteering the time to address this issue. You guys and gals are true Internet hero's.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Owner at 15:15:08.15 on Sun 12/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.24 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AnVir Task Manager Pro\AnVir.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera 10.10 Beta\opera.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [AnVir Task Manager Pro] "c:\program files\anvir task manager pro\AnVir.exe" Minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Easy Dock]
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1iuj60o3.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-17 25608]
R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2010-12-5 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-12-5 642432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-10-22 16512]
S3 avg9emc;AVG E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S3 avg9wd;AVG WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 avgfws9;AVG Firewall;"c:\program files\avg\avg9\avgfws9.exe" --> c:\program files\avg\avg9\avgfws9.exe [?]
S3 AVGIDSAgent;AVG9IDSAgent;"c:\program files\avg\avg9\identity protection\agent\bin\avgidsagent.exe" avgidsagent --> c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-12-5 50704]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 594048]

=============== Created Last 30 ================

2010-12-05 19:46:41 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-12-05 19:46:38 100880 ----a-w- c:\windows\system32\Packet.dll
2010-12-05 19:46:37 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-12-05 19:46:37 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-12-05 19:46:37 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-12-05 19:46:36 -------- d-----w- c:\program files\NETGEAR
2010-12-05 17:51:40 -------- d-----w- c:\program files\Exterminate It!
2010-12-05 16:14:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-05 15:47:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-05 11:55:43 98816 ----a-w- c:\windows\sed.exe
2010-12-05 11:55:43 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 11:55:43 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 11:55:43 161792 ----a-w- c:\windows\SWREG.exe
2010-12-03 17:50:35 -------- d-----w- c:\program files\Stanza
2010-11-26 03:09:10 -------- d-----w- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2010-11-24 04:14:01 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 04:13:28 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\owner\applic~1\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-22 09:49:54 -------- d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA6MA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81A95555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81a9b7b0]; MOV EAX, [0x81a9b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81B066F0]
3 CLASSPNP[0xF964DFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000080[0x81AF5F18]
5 ACPI[0xF9544620] -> nt!IofCallDriver[0x804E37D5] -> [0x81B00B58]
\Driver\atapi[0x81B456E0] -> IRP_MJ_CREATE -> 0x81A95555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHDS722580VLAT20_________________________V32OA6MA#5&1c482b02&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x81A9539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:17:36.73 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:42 AM

Posted 05 December 2010 - 04:01 PM

Good evening. :)

If you take a look in the root of your hard drive, you should find a copy of the log that ComboFix produced when it was run - C:\ComboFix.txt. Will you post that in your next reply, assuming you can find it.

So long, and thanks for all the fish.

 

 


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:42 AM

Posted 09 December 2010 - 03:22 PM

Topic continued here, thread closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users