Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Dropper Trojan.Agent hyperlink hijacking


  • This topic is locked This topic is locked
11 replies to this topic

#1 Cathy in St Lou

Cathy in St Lou

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 30 December 2010 - 01:34 PM

I work for a guy that gets an infection about twice a month. he got email from client with link to: hxxp://hotfile.com/dl/92330091/c24b4c7/Xmas.exe.html

I was suspicious but since he wants to open all client email I (long story short) clicked on the link, downloaded rather than ran the executable, ran symantec antivirus and malwarebytes scans on it, then foolishly executed it. The downloaded file then disappeared (don't recall the name of it now) and nothing appeared to happen.

But obviously, I got hosed. I have tried restoring to 12/22, running full viruscans and malwarebyte scans (which have successfully found and deleted/quarantined 14 infections -- 11 in symantec, 3 in malwarebytes, but I still have the hijacking problem, even in safe mode). It is more annoying than anything, but my fear is that I have more/bigger problems like key loggers or something that is going to launch and infect my internal company network. I am also getting a lot of weird application errors:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 12/27/2010
Time: 5:06:01 PM
User: N/A
Computer: CEL
Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 20 30 2e ure 0.
0018: 30 2e 30 2e 30 20 69 6e 0.0.0 in
0020: 20 75 6e 6b 6e 6f 77 6e unknown
0028: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0030: 20 61 74 20 6f 66 66 73 at offs
0038: 65 74 20 30 30 30 30 30 et 00000
0040: 30 30 30 000
------------------------------------------------
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 12/28/2010
Time: 7:13:11 PM
User: N/A
Computer: CEL
Description:
Faulting application 1.4399489948848424E7.exe, version 1.1.0.47, faulting module 1.4399489948848424E7.exe, version 1.1.0.47, fault address 0x000043ef.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 31 2e 34 ure 1.4
0018: 33 39 39 34 38 39 39 34 39948994
0020: 38 38 34 38 34 32 34 45 8848424E
0028: 37 2e 65 78 65 20 31 2e 7.exe 1.
0030: 31 2e 30 2e 34 37 20 69 1.0.47 i
0038: 6e 20 31 2e 34 33 39 39 n 1.4399
0040: 34 38 39 39 34 38 38 34 48994884
0048: 38 34 32 34 45 37 2e 65 8424E7.e
0050: 78 65 20 31 2e 31 2e 30 xe 1.1.0
0058: 2e 34 37 20 61 74 20 6f .47 at o
0060: 66 66 73 65 74 20 30 30 ffset 00
0068: 30 30 34 33 65 66 0043ef
----------------------------------------
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 12/28/2010
Time: 7:14:19 PM
User: N/A
Computer: CEL
Description:
Faulting application 0.8999303163673155.exe, version 1.1.0.47, faulting module 0.8999303163673155.exe, version 1.1.0.47, fault address 0x000043ef.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 30 2e 38 ure 0.8
0018: 39 39 39 33 30 33 31 36 99930316
0020: 33 36 37 33 31 35 35 2e 3673155.
0028: 65 78 65 20 31 2e 31 2e exe 1.1.
0030: 30 2e 34 37 20 69 6e 20 0.47 in
0038: 30 2e 38 39 39 39 33 30 0.899930
0040: 33 31 36 33 36 37 33 31 31636731
0048: 35 35 2e 65 78 65 20 31 55.exe 1
0050: 2e 31 2e 30 2e 34 37 20 .1.0.47
0058: 61 74 20 6f 66 66 73 65 at offse
0060: 74 20 30 30 30 30 34 33 t 000043
0068: 65 66 ef
-----------------------------------------
THERE ARE A TOTAL 13 OF THEM SINCE I GOT INFECTED, THESE ARE JUST SOME SAMPLES.

ANYWAY, HERE IS MY INFO, IF YOU CAN HELP ME AT ALL I WOULD SURE APPRECIATE:

DDS (Ver_10-12-12.02) - NTFSx86
Run by cathyl at 17:41:40.32 on Wed 12/29/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1204 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Acer\eProtection\Service\eProtectionServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\LANScope Agent\awtray.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
\\SBSERVER\Users\cathyl\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [LaserAppUpdate] "c:\program files\laser app enterprise\laupdate.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 1
mRun: [installnet.exe] "c:\acer\lanscope agent\installnet.exe" "c:\acer\lanscope agent\
mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: advisor-connection.com
Trusted Zone: bonddesk.com
Trusted Zone: firstclearing.com
Trusted Zone: group.cim\*.bonddesk
Trusted Zone: i-deal.com
Trusted Zone: unionbank.com\sso
Trusted Zone: wallst.com\*.irp
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://edhelp.wachovia.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://nc-fdc-sa1.advisor-connection.com/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {0CF3CAE6-C07C-4F6E-8219-80089FD0309A} - c:\program files\pdfcamp\PDFcampCUCheck.vbs

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-2-27 68096]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-12-6 140184]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-6-8 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-6-6 90112]
R2 eProtection;eProtection Service;c:\program files\acer\eprotection\service\eProtectionServ.exe [2006-11-15 24576]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-2-5 10384]
R2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2006-12-11 7680]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101228.002\naveng.sys [2010-12-29 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101228.002\navex15.sys [2010-12-29 1360760]
S0 sstosem;sstosem;c:\windows\system32\drivers\jiyn.sys --> c:\windows\system32\drivers\jiyn.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-2-15 18424]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-2-15 17828]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-14 1087680]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-2-15 26964]

=============== Created Last 30 ================

2010-12-29 22:15:31 398704 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2010-12-29 22:15:31 345456 ----a-w- c:\windows\system32\dsNcCredProv.dll
2010-12-28 23:17:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-28 23:17:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-28 00:54:01 -------- d-----w- c:\program files\Secunia
2010-12-09 15:37:40 127076366 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2010-12-09 00:41:31 0 ----a-w- c:\windows\Nruxo.bin
2010-12-09 00:41:30 -------- d-----w- c:\docume~1\cathyl\locals~1\applic~1\{3529039D-B46D-429C-8A3E-ADA464CDAAE8}
2010-12-08 17:07:34 176128 ----a-r- c:\windows\system32\ftd2xx.dll
2010-12-08 17:07:33 106496 ----a-r- c:\windows\system32\ftbusui.dll
2010-12-08 17:07:32 47249 ----a-r- c:\windows\system32\drivers\ftdibus.sys
2010-12-08 17:07:32 188416 ----a-r- c:\windows\system32\ftdiunin.exe
2010-12-08 17:05:50 -------- d-----w- c:\program files\43-127 FMS
2010-12-01 17:13:39 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-12-01 15:54:58 -------- d-----w- c:\program files\SPUDownloadManager

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
1993-12-28 21:37:08 93184 ----a-w- c:\program files\CARDFILE.EXE

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OAB3A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6AD555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6b37b0]; MOV EAX, [0x8a6b382c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6E3AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8A6F6AF0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A74E848]
\Driver\atapi[0x8A6CA9D0] -> IRP_MJ_CREATE -> 0x8A6AD555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721616PLA380_________________P22OAB3A#5&23a8183c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6AD39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:43:16.79 ===============
Attached File  Attach.txt   17.67KB   0 downloads

Attached Files

  • Attached File  ark.txt   10.34KB   2 downloads

Edited by Orange Blossom, 30 December 2010 - 07:30 PM.
Deactivate link. ~ OB

Cathy
St. Louis, MO

BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 06 January 2011 - 03:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Cathy in St Lou

Cathy in St Lou
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 07 January 2011 - 11:25 AM

thanks for the reply Shannon, I did get a reply from boopme who moved me to an 'am I infected' forum entry --

I had not had a chance to gather all the info since I was out of town yesterday, but now that I am back I need to know which instructions to follow.

Since I have not yet posted anything there, should I start on this thread or have you close this one and continue with him?

the other item is titled "Redirect also in Google", dated 1/5/11, and in the 'am I infected' forum.

(he had suggested a different course, run rkill, run superantispyware, run malwarebytes)
Cathy
St. Louis, MO

#4 Cathy in St Lou

Cathy in St Lou
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 07 January 2011 - 02:37 PM

thanks for the help. since I had not heard from anyone on which forum to follow, I proceeded with the steps instructed in the "am I infected" forum entry.
1 rebooted safe mode
2 ran rkill
3 downloaded, setup, ran superantispyware
(had to leave computer, stopped process and had it fix what it had found)
(out of town on business 1 day)
4 restarted in safe mode
5 updated rkill
6 reran rkill (no processes stopped)
7 reran superantispyware (only 6 adware)
8 rebooted in regular mode - net cable disconnected
9 connected net cable / updated malwarebytes / disconnected net cable
10 ran malwarebytes quick scan - nothing found
11 reconnected net cable, opened internet explorer, entered bleeping computer URL
12 another IEXPLORER window lauched with the following address:
pcspeedmaximizer.s3.amazonaws.com/index.html tab is named "Registry Virus Scanner" and tells me (I know, it is bogus) I have a bunch of corrupt registry entries.
13 at this point I received msg from Shannon here that I should stay on this thread and follow the steps she outlined 1/5.

I have everything to post from the steps above, if anyone is interested.

Otherwise, here is the DDS log. directions say not to send the ATTACH.TXT unless instructed. I will run the GMER tool and post that in a minute. I am going to run it in safe mode, hopefully that is the recommended way, or will provide legit info.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by cathyl at 13:05:43.09 on Fri 01/07/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1767 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cathyl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://edhelp.wachovia.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://nc-fdc-sa1.advisor-connection.com/dana-cached/sc/JuniperSetupClient.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {0CF3CAE6-C07C-4F6E-8219-80089FD0309A} - c:\program files\pdfcamp\PDFcampCUCheck.vbs

============= SERVICES / DRIVERS ===============

S0 sstosem;sstosem;c:\windows\system32\drivers\jiyn.sys --> c:\windows\system32\drivers\jiyn.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
S2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-12-6 140184]
S2 eProtection;eProtection Service;c:\program files\acer\eprotection\service\eProtectionServ.exe [2006-11-15 24576]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-2-5 10384]
S2 netlimiter;netlimiter;\??\c:\windows\system32\drivers\netlimiter.sys --> c:\windows\system32\drivers\netlimiter.sys [?]
S2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-2-15 18424]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110106.003\naveng.sys [2011-1-7 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110106.003\navex15.sys [2011-1-7 1360760]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-2-15 17828]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-14 1087680]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-2-15 26964]

=============== Created Last 30 ================

2011-01-06 00:36:29 -------- d-----w- c:\docume~1\cathyl\applic~1\SUPERAntiSpyware.com
2011-01-06 00:36:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-06 00:35:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-03 23:25:36 -------- d-----w- c:\docume~1\cathyl\applic~1\Windows Search
2011-01-03 21:52:24 -------- d-----w- c:\docume~1\cathyl\applic~1\PrimoPDF
2011-01-03 21:52:09 -------- d-----w- c:\docume~1\cathyl\applic~1\FileOpen
2011-01-03 15:58:25 -------- d-----w- c:\docume~1\cathyl\applic~1\Malwarebytes
2011-01-03 15:57:18 -------- d-----w- c:\docume~1\cathyl\locals~1\applic~1\Adobe
2010-12-31 20:50:00 -------- d-----w- c:\docume~1\cathyl\locals~1\applic~1\Laser App Software
2010-12-29 22:15:31 398704 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2010-12-29 22:15:31 345456 ----a-w- c:\windows\system32\dsNcCredProv.dll
2010-12-28 23:17:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-28 23:17:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-28 00:54:01 -------- d-----w- c:\program files\Secunia
2010-12-09 15:37:40 127076366 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2010-12-09 00:41:31 0 ----a-w- c:\windows\Nruxo.bin

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
1993-12-28 21:37:08 93184 ----a-w- c:\program files\CARDFILE.EXE

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OAB3A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A688555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a68e7b0]; MOV EAX, [0x8a68e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A63CAB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000072[0x8A704238]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A705A30]
\Driver\atapi[0x8A685750] -> IRP_MJ_CREATE -> 0x8A688555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721616PLA380_________________P22OAB3A#5&23a8183c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A68839B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:07:09.78 ===============


*ONE QUESTION: can I run the GMER log creation in safe mode?
Cathy
St. Louis, MO

#5 Cathy in St Lou

Cathy in St Lou
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 07 January 2011 - 03:02 PM

attaching gmer log (ark.txt)
and detailed attach file from dds scan (attach.txt)

Attached Files


Cathy
St. Louis, MO

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 08 January 2011 - 05:52 PM

Cathy-

I have sent you a couple of PM's.

Have you decided which forum you wish to use?
Shannon

#7 Cathy in St Lou

Cathy in St Lou
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 09 January 2011 - 07:22 PM

Shannon, I am a bit confused. I thought I had followed your instructions to the letter to inform boopme in the 'am I infected' item he had created that I "needed to be here, possible TDL3".

I then attempted to collect ALL the information as instructed in your update on 1/6 2:52 pm. I posted everything I had here and was waiting patiently, yet anxiously, for a reply from *someone else* as you indicated in your message (I assumed you were on some other topic or leaving the office).

That is the last status -- I am not even aware what happened to my other forum entry, I gather from your question that something was updated there?

I am still hopelessly messed up and not wanting to TOUCH ANYTHING awaiting someone's analysis here, so if it is not forthcoming, I would appreciate knowing it so that I can take other measures. I have already been 'down' for 2 weeks (not your fault, I am not complaining as I am very appreciative that this site exists and you folks get so much good info out there), but I *do* need to get it resolved, even if it means rebuilding from scratch, I cannot be down forever.

Hope that answers your question, I will go to my other post immediately and see if I was unclear there...
Cathy
St. Louis, MO

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 09 January 2011 - 08:04 PM

Hi-

Maybe I am the one who is confused. I'll look at what you sent and see what we can do about fixing your computer. Ok?
Shannon

#9 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 10 January 2011 - 07:53 AM

Hi-

Sorry for the delay. Thank for all the reports. They did show some problems and one was backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Next, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

In your reply, please copy in the TDSSKiller and the MBRCheck reports, and let me know how your computer is running.

Thanks,
Shannon

#10 Cathy in St Lou

Cathy in St Lou
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 10 January 2011 - 10:59 AM

Thank you so much for your response. I have pretty much been disconnected throughout and using another PC since I could not assess the risks myself.

Based on your analysis, I am going to immediately rebuild my system, just to be safe.

You can close this topic.

I do have one question though... is there a post here somewhere discussing copying files from the infected computer to the new one? I am now (obviously) very paranoid. I have a lot of data I would like to "take with me" before reformatting and rebuilding. Am I risking future infection on the rebuilt computer? The files are just documents (word and PDF), spreadsheets and the like. I know you have more pressing issues with other members, I was just hoping you could point me in the right direction in case I do not construct the search string well enough to pull up the right post...

I REALLY DO THANK YOU FOR ALL YOUR HELP, btw. It is not the answer I was hoping for, but knowing for certain what one is up against is half the battle.

Edited by Cathy in St Lou, 10 January 2011 - 01:49 PM.

Cathy
St. Louis, MO

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 10 January 2011 - 02:21 PM

Hi-

Since you have decided to reformat your hard drive and reinstall, in your backup of your current files, you should not backup files with the following extensions:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php

as these might harbor infections.

For the future, please take the time to read below to secure your machine and take the necessary steps to keep it clean.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a pop up appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop ups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a pop up that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period. Another excellent free one is Malwarebytes' Anti-Malware (MBAM) .

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Update your Java runtimes regularly

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Download the latest version here - http://java.sun.com/javase/downloads/index.jsp. You want to select the JRE version.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck!!

Shannon

#12 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:51 AM

Posted 18 January 2011 - 02:59 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users