
Infected with TDL3+mutant / Redirect


  • This topic is locked
1 reply to this topic

#1 billiam864

  • Members
  • 71 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 13 December 2010 - 10:13 PM

Hello,

I'm new to BleepingComputer, as I've signed on to hopefully get some help solving a malware/rootkit/Google redirect issue. I initially got a malware problem a week back with a Win32/FakePAV issue. Using online forums I believe I deleted the necessary items from the registry editor and solved the problem; however, it didn't take long before further issues cropped up. I now have a Google redirect problem, where after a search, when I click on a link, I'm redirected to a different ad website. Additionally it seems to slow the computer and occasionally give website loading errors, etc. I have since then downloaded Lavasoft Ad-Aware, Malwarebytes Anti-Malware, Spybot, UnHackMe, HijackThis, and ComboFix in an attempt to identify and cure the issue. My computer's normal antivirus is Microsoft Forefront Client Security. After many scans and attempts using the forums, I am now asking for help as nothing has yet fixed my problem. I did run ComboFix using the forum, and identified that a TDL3+mutant is probably a major cause of the problem.

Additionally, I now receive an Internet Explorer unresponsive error when trying to post on this forum. I've copied the files and information below to a different computer in order to post my problem. I attempted Chrome and IE and the same problem occurred.

Thank you,

Bill Derocha

DDS (Ver_10-12-12.02) - NTFSx86
Run by DerochaWS1 at 20:21:41.26 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1289 [GMT -5:00]

AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\DerochaWS1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://my.gcc.edu/ics
uInternet Settings,ProxyServer = isa01:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\derochaws1\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GCC_Settings] c:\gcc\tools\GCC_Settings.vbs
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265638856453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266413219979
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-7-20 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-12-6 1238408]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-2-8 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-2-17 71424]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2007-1-22 34736]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-12-11 35816]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-12-11 24416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-1-6 14336]

=============== Created Last 30 ================

2010-12-13 03:00:48 388096 ----a-r- c:\docume~1\deroch~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-13 03:00:45 -------- d-----w- c:\program files\Trend Micro
2010-12-12 18:37:24 -------- d-----w- c:\program files\Veetle
2010-12-12 05:15:16 -------- d-sha-r- C:\cmdcons
2010-12-12 05:09:57 89088 ----a-w- c:\windows\MBR.exe
2010-12-12 05:09:56 98816 ----a-w- c:\windows\sed.exe
2010-12-12 05:09:56 256512 ----a-w- c:\windows\PEV.exe
2010-12-12 05:09:56 161792 ----a-w- c:\windows\SWREG.exe
2010-12-12 05:01:42 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-12 04:58:23 -------- d-----w- c:\windows\system32\appmgmt
2010-12-12 04:38:26 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-12-12 04:16:46 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-12-12 04:16:46 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-12-12 04:16:39 2 --shatr- c:\windows\winstart.bat
2010-12-12 04:16:28 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-12 04:16:04 -------- d-----w- c:\program files\UnHackMe
2010-12-12 01:32:55 -------- d-----w- c:\docume~1\deroch~1\applic~1\Malwarebytes
2010-12-12 01:32:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 01:32:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-12 01:32:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 01:32:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 21:38:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-11 21:35:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-11 00:56:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 00:56:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-10 21:49:31 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-12-09 23:15:46 -------- d-----w- c:\program files\Condition Zero
2010-12-08 00:01:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-07 23:39:13 -------- d-----w- c:\docume~1\deroch~1\locals~1\applic~1\Sunbelt Software
2010-12-07 22:32:38 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-07 22:32:31 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2010-12-07 12:18:08 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{85804d8b-1637-44c6-938a-afa812f6309a}\mpengine.dll
2010-12-04 00:11:49 -------- d-----w- c:\docume~1\deroch~1\applic~1\Windows Search
2010-12-03 23:37:43 -------- d-----w- c:\docume~1\deroch~1\locals~1\applic~1\Sony

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
1999-06-01 06:23:00 571847688 ----a-w- c:\program files\INSTALL.EXE
1998-11-03 03:07:26 95232 ----a-w- c:\program files\SMACKW32.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2080AH rev.00830096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D16555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d1c7b0]; MOV EAX, [0x89d1c82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89D7BAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008b[0x89D261A8]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89E37940]
\Driver\atapi[0x89D81428] -> IRP_MJ_CREATE -> 0x89D16555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2080AH_______________________00830096#5&392b7317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D1639B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 20:23:50.32 ===============

#2 billiam864

  • Topic Starter
  • Members
  • 71 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 21 December 2010 - 04:33 PM

I have re-posted my message in a new thread, as I don't believe my attachments came through onto this one. As such this thread may be closed. Please help me based upon the information in my other thread.

Thank you.
