
suspicious modification TDL3


This topic is locked
2 replies to this topic

#1 stopmalware

  • Members
  • 1 posts

Posted 18 December 2010 - 02:18 AM

Internet Explorer 8 began re-routing and would jump to unknown websites. It is difficult to go to the website addresses entered without re-routing or jumping to an unknown site.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 22:29:11.95 on Fri 12/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.336 [GMT -8:00]

AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Downloads\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Atari Launcher] c:\program files\hasbro interactive\atari arcade hits 1\Atari icon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\downloads\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1901056]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2010-12-16 05:05:44 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\COMODO
2010-12-15 06:08:11 42240 ----a-w- c:\windows\system32\drivers\ydloqgev.sys
2010-12-15 03:11:04 -------- d-----w- c:\windows\system32\MpEngineStore
2010-12-13 07:28:49 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-13 07:28:45 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-13 07:28:44 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-13 07:28:40 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-13 07:28:36 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-13 07:28:16 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-12-13 07:28:13 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-13 07:28:11 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-12-13 07:28:07 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-12-13 07:28:06 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-12-13 07:28:04 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-12-13 07:26:57 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2010-12-13 07:25:57 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-12-13 07:24:59 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2010-12-13 07:23:58 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-12-13 07:22:56 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-12-13 07:21:56 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2010-12-13 07:20:59 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-12-13 07:19:58 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-12-13 07:18:57 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-12-13 07:18:53 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-12-13 07:18:49 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-12-13 07:18:46 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-12-13 07:18:42 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-12-13 07:18:39 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-12-13 07:18:35 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-12-13 07:18:34 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2010-12-13 07:09:38 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2010-12-13 07:09:30 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-12-13 07:09:25 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-12-13 07:09:20 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-12-13 07:09:17 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-12-13 07:09:14 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-12-13 07:09:13 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-12-13 07:09:13 16384 -c--a-w- c:\windows\system32\dllcache\quser.exe
2010-12-13 07:09:04 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2010-12-13 07:07:59 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2010-12-13 07:06:59 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2010-12-13 07:05:58 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-12-13 07:04:58 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-12-13 07:04:56 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-12-13 07:04:51 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-12-13 07:04:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-12-13 07:04:38 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-12-13 07:04:33 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-12-13 07:04:26 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-12-13 07:04:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-12-13 07:04:12 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-12-13 07:04:08 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-12-13 07:04:08 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-13 07:02:59 802683 -c--a-w- c:\windows\system32\dllcache\ltsm.sys
2010-12-13 07:01:57 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-12-13 07:00:59 26624 -c--a-w- c:\windows\system32\dllcache\icam3ext.dll
2010-12-13 06:59:58 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2010-12-13 06:58:59 17408 -c--a-w- c:\windows\system32\dllcache\gpr400.sys
2010-12-13 06:57:58 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2010-12-13 06:56:59 66591 -c--a-w- c:\windows\system32\dllcache\el90xbc5.sys
2010-12-13 06:55:59 131156 -c--a-w- c:\windows\system32\dllcache\digidbp.dll
2010-12-13 06:54:58 20736 -c--a-w- c:\windows\system32\dllcache\cmbp0wdm.sys
2010-12-13 06:53:58 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll
2010-12-13 06:52:57 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-12-13 06:51:51 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-12-13 06:51:50 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-12-13 06:51:49 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-12-13 06:51:48 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-12-13 06:51:47 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-12-13 06:51:47 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-12-12 23:26:13 -------- d--h--w- C:\VritualRoot
2010-12-12 23:25:19 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-12-12 23:22:55 -------- d-----w- c:\program files\COMODO
2010-12-12 23:22:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-12-12 21:57:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-12 07:06:13 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-12-12 07:05:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-12 07:04:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 05:21:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-12 05:21:48 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-12-12 05:21:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-12 04:56:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-12-12 04:24:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-12 04:24:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 23:41:27 -------- d-----w- C:\spoolerlogs
2010-12-03 17:46:02 -------- d-----w- c:\program files\iPod
2010-12-03 17:42:05 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 20:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 20:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 20:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDT722516DLA380 rev.V43OA80A -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EB5EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85da5872; SUB DWORD [EBP-0x4], 0x85da512e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F30AB8]
3 CLASSPNP[0xF7602FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008f[0x86F789E8]
5 ACPI[0xF7419620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F3FB00]
[0x86E8E218] -> IRP_MJ_CREATE -> 0x86EB5EC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskHDT722516DLA380_________________________V43OA80A#5&1eef789c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EB5AEA
user & kernel MBR OK
sectors 321672958 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 22:31:45.33 ===============


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 December 2010 - 09:19 PM

Hello stopmalware,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to stopmalware.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

Posted 27 December 2010 - 12:02 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.