
Browser Virus Trojan.Downloader


  • This topic is locked
2 replies to this topic

#1 kennycab

kennycab

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:51 AM

Posted 11 January 2011 - 05:28 PM

My virus seems to be the Win32/Genetik trojan. I have run a number of malware programs, and many show the virus initially and then it becomes stealth on future scans.

The list includes:
Win32/Genetik
Win32/FakeSpypro
Trojan.Dropper
Trojan.Downloader
Vundo

Logs follow:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Amanda Vickers at 16:26:43.98 on Tue 01/11/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003.1386 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Computer Tools\Setup Programs\Defogger.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Amanda Vickers\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} - hxxp://onesite.realpage.com/coreglobal/RealpageCab/Realpage.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-3-1 77824]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-4 112512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-4 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-4 232744]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-4-8 642432]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\dm150drv.sys --> c:\windows\system32\drivers\DM150Drv.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-4-8 50704]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

=============== File Associations ===============

scrfile="%1" /S

=============== Created Last 30 ================

2011-01-11 18:41:11 -------- d-----w- c:\program files\ESET
2011-01-11 18:08:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeReturner
2011-01-11 18:05:27 -------- d-----w- c:\docume~1\amanda~1\applic~1\SafeReturner
2011-01-11 18:05:07 -------- d-----w- c:\program files\Safe Returner
2011-01-11 17:57:57 -------- d-----w- c:\documents and settings\amanda vickers\Pavark
2011-01-11 14:30:15 -------- d-----w- c:\program files\Lavasoft
2011-01-11 13:56:32 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8938dcad-6e8f-4dff-9a81-f782339a47d9}\mpengine.dll
2011-01-11 13:47:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-11 13:44:17 -------- d-----w- c:\windows\system32\LogFiles
2011-01-11 13:00:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-01-07 17:08:17 -------- d-----w- c:\windows\system32\appmgmt
2011-01-07 16:57:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-07 16:47:10 -------- d-----w- C:\b4983055ebc5d4c9b61aecd888
2011-01-07 09:20:05 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-01-07 09:20:05 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-01-07 09:20:04 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
2011-01-07 09:20:04 76800 -c--a-w- c:\windows\system32\dllcache\wam51.dll
2011-01-07 09:20:04 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll
2011-01-07 09:20:04 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll
2011-01-07 09:20:04 53248 -c--a-w- c:\windows\system32\dllcache\wamreg51.dll
2011-01-07 09:20:04 363520 -c--a-w- c:\windows\system32\dllcache\w3svc.dll
2011-01-07 09:20:03 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-01-07 09:20:03 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-01-07 09:20:03 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll
2011-01-07 09:20:03 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-01-07 09:18:59 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2011-01-07 09:17:59 108544 -c--a-w- c:\windows\system32\dllcache\appconf.dll
2011-01-07 09:15:13 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-01-07 09:15:13 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-01-07 09:14:34 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-01-07 09:14:34 32768 ----a-w- c:\program files\internet explorer\connection wizard\icwdl.dll
2011-01-07 09:14:33 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-01-07 09:14:33 86016 ----a-w- c:\program files\internet explorer\connection wizard\icwconn2.exe
2011-01-07 09:14:33 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-01-07 09:14:33 20480 ----a-w- c:\program files\internet explorer\connection wizard\inetwiz.exe
2011-01-07 09:14:32 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-01-07 09:14:32 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe
2011-01-07 09:12:18 44544 -c--a-w- c:\windows\system32\dllcache\tscupgrd.exe
2011-01-07 09:12:18 44544 ----a-w- c:\windows\system32\tscupgrd.exe
2011-01-07 08:57:30 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-01-07 08:57:30 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-01-07 08:57:30 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-01-07 08:57:30 13312 ----a-w- c:\windows\system32\irclass.dll
2011-01-07 08:57:04 13753 ----a-r- c:\windows\SETB8.tmp
2011-01-07 08:57:01 1086058 ----a-r- c:\windows\SETAC.tmp
2011-01-07 08:56:59 1042903 ----a-r- c:\windows\SETAB.tmp
2011-01-07 03:46:37 -------- d-----w- c:\windows\dell
2011-01-07 02:56:14 -------- d-----w- c:\windows\Cookies
2011-01-07 02:55:53 -------- d-----w- c:\windows\Recent

==================== Find3M ====================

2010-10-24 19:20:54 98304 ----a-w- c:\windows\system32\realpage.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST980310AS rev.DE06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D41555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d477b0]; MOV EAX, [0x89d4782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDFBA] -> \Device\Harddisk0\DR0[0x89DB12F8]
3 CLASSPNP[0xBA10905B] -> ntkrnlpa!IofCallDriver[0x804EDFBA] -> [0x89C97F18]
\Driver\atapi[0x89D69518] -> IRP_MJ_CREATE -> 0x89D41555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980310AS______________________________DE06____#5&3975e6b1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D4139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:27:47.46 ===============
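The ROOTKIT section of the DDS log above is what flagged this machine: an unattributed module in the disk call chain, an IRP_MJ_CREATE dispatch and the atapi DriverStartIo pointer both redirected to raw kernel addresses. The parser below is an added example, not part of the original thread nor of the DDS or GMER tools; it pulls those indicators out of such a section, and its sample input is a constructed excerpt modelled on the log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: an excerpt modelled on the ROOTKIT section of the DDS log above.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D41555]<<
\Driver\atapi[0x89D69518] -> IRP_MJ_CREATE -> 0x89D41555
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D4139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Call-chain entries the detector could not attribute to any loaded driver image.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\x[0x...] -> IRP_MJ_... -> 0x..." : a major-function dispatch redirected to a raw address.
IRP_RE = re.compile(r"^(\\Driver\\\S+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")
# "\Driver\x Field -> 0x..." : a driver-object field pointing outside the driver image.
HOOK_RE = re.compile(r"^(\\Driver\\\S+) (\w+) -> (0x[0-9A-Fa-f]+)$")

@dataclass
class RootkitFindings:
    unknown_modules: list = field(default_factory=list)  # addresses from ">>UNKNOWN [...]<<"
    irp_redirects: list = field(default_factory=list)    # (driver, IRP major function, target)
    hooks: list = field(default_factory=list)            # (driver, hooked field, target)
    warnings: list = field(default_factory=list)         # the detector's own "Warning:" lines
    mbr_ok: bool = False

    @property
    def suspicious(self) -> bool:
        # Unattributed code in the disk stack or a patched driver object is what this
        # detector treats as the signature of a bootkit-style infection.
        return bool(self.unknown_modules or self.irp_redirects or self.hooks)

def parse_rootkit_section(text: str) -> RootkitFindings:
    f = RootkitFindings()
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("called modules:"):
            f.unknown_modules += UNKNOWN_RE.findall(line)
        elif (m := IRP_RE.match(line)):
            f.irp_redirects.append(m.groups())
        elif (m := HOOK_RE.match(line)):
            f.hooks.append(m.groups())
        elif line.startswith("Warning:"):
            f.warnings.append(line[len("Warning:"):].strip(" !"))
        elif line == "user & kernel MBR OK":
            f.mbr_ok = True
    return f
```

Note that "MBR OK" alone is not a clean bill of health: in the log above the MBR reads fine while the disk driver stack is still hooked, which is exactly the case the TDSSKiller instructions in the next post address.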



#2 kennycab

kennycab
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:51 AM

Posted 12 January 2011 - 01:12 AM

Based on seeing this warning in the DDS report:

Warning: possible TDL3 rootkit infection

I followed the instructions to remove the TDL3 rootkit:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

This worked; it appears my computer is clean.

Thanks Bleeping Computer.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:51 AM

Posted 12 January 2011 - 04:40 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


