Fake Alert / Packer / Downloader / TDL4 Assistance


  • This topic is locked
2 replies to this topic

#1 NodTerrorist

NodTerrorist

  • Members
  • 3 posts

Posted 12 January 2011 - 10:13 AM

Yesterday, I installed some bad software, and began encountering blue screens with errors like "IRQ_NOT_LESS_THAN_OR_EQUAL" and "SYSTEM_SERVICE_EXCEPTION"

I am pretty savvy, and do Help Desk assistance for my job, so I took this upon myself as a challenge. I started out by entering Safe Mode w/ Networking, updated Malwarebytes, and did a full scan on my drive. Once completed, I removed the items and restarted into Windows normally.

I was still encountering the Blue Screens, so I decided that I needed to take this to the next level. I attempted to run DDS to see what was running, but every time DDS would nearly reach completion, it would blue screen. Next, I decided to run tdsskiller and it detected TDL4 rootkit was currently in use. Once removed and restarted, I no longer get blue screens, and no longer have any indications of an infection.

I was finally able to run DDS and do not see anything that appears to be malicious, but I wanted to seek a second opinion and assistance with removing or viewing anything else that might have been missed or overlooked. I have included my MBAM log and DDS Log.

-- DDS Log goes from here on --

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/25/2009 1:29:42 PM
System Uptime: 1/12/2011 7:49:16 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5B-Premium
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | LGA 775 | 2400/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 564.144 GiB free.
D: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP316: 12/23/2010 9:49:30 AM - Scheduled Checkpoint
RP317: 12/31/2010 11:55:12 AM - Scheduled Checkpoint
RP318: 1/2/2011 12:16:09 AM - Installed DirectX
RP319: 1/5/2011 10:14:51 PM - Windows Update
RP320: 1/11/2011 6:07:35 PM - Windows Update
RP321: 1/11/2011 6:14:40 PM - Configured Bully Scholarship Edition
RP322: 1/11/2011 10:06:51 PM - Windows Update
RP323: 1/12/2011 7:45:13 AM - RESIDENT EVIL 5 を削除しました。

==== Installed Programs ======================

µTorrent
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5 Master Collection
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader X
Age of Empires III: Complete Collection
Amnesia - The Dark Descent
Apple Application Support
Apple Software Update
Aquaria
Audacity 1.2.6
Avi2Dvd 0.5
AviSynth 2.5
Battlefield Play4Free
Borderlands
Braid
Braid (Version 1.015)
Call of Duty® - World at War™
Call of Duty® - World at War™ 1.2 Patch
CCleaner
CDisplay 1.8
Combined Community Codec Pack 2009-09-09
Company of Heroes
Curse Client
D3DX10
DAEMON Tools Toolbar
Definition update for Microsoft Office 2010 (KB982726)
Dropbox
erLT
Feedback Tool
ffdshow [rev 2844] [2009-03-30]
FileZilla Client 3.3.2
Free Sound Recorder 2010 v9.2.1
GIMP 2.6.7
Gish
Gmask 1.70 English
Google Chrome
GoToMeeting 4.5.0.456
Grand Theft Auto IV
Grand Theft Auto: Episodes from Liberty City
Guild Wars
Host OpenAL (ADI)
ImgBurn
iPhone Configuration Utility
J2SE Runtime Environment 5.0 Update 15
Java Auto Updater
Java™ 6 Update 23
Java™ SE Development Kit 6 Update 20
JPEG Recovery Pro 5.0
KB905474 (1.5.708)
LAME v3.98.2 for Audacity
LogMeIn
Lugaru HD
Machinarium
Malwarebytes' Anti-Malware
Mass Effect 2
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Web Access S/MIME
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
mIRC
Mount & Blade
Mount and Blade: Warband
Mozilla Firefox (3.6.10)
MP3MyMP3 3.0
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetBeans IDE 6.8
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Octoshape add-in for Adobe Flash Player
OpenAL
OpenOffice.org 3.2
Opera 10.10
Osmos
PDF Settings CS5
Penumbra: Overture
PhotoRescue Advanced PC 2.1.706
PhotoRescue Wizard PC 3.2.0.12789
Picasa 3
PS3 Media Server
PunkBuster Services
PxMergeModule
QuickPar 0.9
QuickTime
RecordPad Sound Recorder
S.T.A.L.K.E.R.: Shadow of Chernobyl
Safari
SAMSUNG PC Share Manager
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Sid Meier's Civilization V
SoulSeek 157 NS 13e
SoundMAX
Source SDK Base
Spelling Dictionaries Support For Adobe Reader 9
StarCraft II
Steam
Super Meat Boy
System Requirements Lab
Titan Quest
Titan Quest: Immortal Throne
Torchlight
TreeSize Free V2.3.3
Unlocker 1.8.9
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft OneNote 2010 (KB2433299)
Update for Microsoft Outlook Social Connector (KB2289116)
Winamp
Windows Installer Clean Up
Windows Live Communications Platform
Windows Live Device Manager
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
WinRAR archiver
World of Goo
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

1/12/2011 7:48:45 AM, Error: Service Control Manager [7024] - The PS3 Media Server service terminated with service-specific error The system cannot join or substitute a drive to or for a directory on the same drive..
1/11/2011 6:07:07 PM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
1/11/2011 6:00:29 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 6:00:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/11/2011 6:00:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/11/2011 6:00:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/11/2011 6:00:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/11/2011 6:00:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/11/2011 6:00:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/11/2011 5:53:19 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/11/2011 5:51:19 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/11/2011 5:51:18 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020b45a1, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-26956-01.
1/11/2011 5:45:29 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Defender service to connect.
1/11/2011 5:45:29 PM, Error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/11/2011 5:44:57 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:42:43 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
1/11/2011 5:42:05 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr sptd Wanarpv6
1/11/2011 5:41:58 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000008, 0x0000000000000002, 0x0000000000000000, 0xfffff80002c98d29). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-30591-01.
1/11/2011 5:41:29 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
1/11/2011 5:28:54 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020b25a1, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-30076-01.
1/11/2011 5:06:02 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx vwififlt Wanarpv6 WfpLwf
1/11/2011 5:06:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800020de448, 0xfffff880046f8b10, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-29374-01.
1/11/2011 3:54:12 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f7 (0x00002b99088ea420, 0x00002b992ddfa232, 0xffffd466d2205dcd, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-34304-01.
1/11/2011 3:51:45 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000008, 0x0000000000000002, 0x0000000000000000, 0xfffff80002c54d29). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011111-19640-01.

==== End Of File ===========================
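The "Event Viewer Messages" section of the DDS log above is what a responder reads first: four bugchecks in one afternoon plus repeated boot-start driver failures, including sptd, the CD-emulation driver that the reply below asks to be disabled before GMER is run. The following script is an added example, not part of the original post and not a DDS or BleepingComputer tool; it parses entries in the exact format DDS prints (the sample lines are copied from the log above) and summarises bugcheck codes and driver-load failures so that a triager can see the pattern without reading every line. The bugcheck names are the standard Windows names for those codes; the function names are my own.

```python
import re
from collections import Counter

# Sample entries copied from the DDS "Event Viewer Messages" section above
# (a subset, chosen for illustration).
SAMPLE_EVENTS = """\
1/11/2011 5:51:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
1/11/2011 5:51:18 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800020b45a1, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 011111-26956-01.
1/11/2011 5:42:05 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr sptd Wanarpv6
1/11/2011 5:41:58 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000008, 0x0000000000000002, 0x0000000000000000, 0xfffff80002c98d29). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 011111-30591-01.
1/11/2011 5:41:29 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
1/11/2011 5:06:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800020de448, 0xfffff880046f8b10, 0x0000000000000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 011111-29374-01.
1/11/2011 3:54:12 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f7 (0x00002b99088ea420, 0x00002b992ddfa232, 0xffffd466d2205dcd, 0x0000000000000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 011111-34304-01.
"""

# One DDS event line: "<timestamp>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Stop code inside a WER 1001 "rebooted from a bugcheck" message.
BUGCHECK_RE = re.compile(r"The bugcheck was: (0x[0-9a-fA-F]{8})")
# SCM 7026 messages list the failed drivers after this phrase, space-separated.
DRIVER_FAIL_PREFIX = "failed to load: "

# Standard Windows names for the stop codes seen in this log.
BUGCHECK_NAMES = {
    "0x0000000a": "IRQL_NOT_LESS_OR_EQUAL",
    "0x0000001e": "KMODE_EXCEPTION_NOT_HANDLED",
    "0x0000003b": "SYSTEM_SERVICE_EXCEPTION",
    "0x000000f7": "DRIVER_OVERRAN_STACK_BUFFER",
}


def parse_events(text):
    """Return one dict per well-formed DDS event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def describe_bugcheck(code):
    """Map a stop code such as 0x0000001e to its name, or UNKNOWN."""
    return BUGCHECK_NAMES.get(code.lower(), "UNKNOWN")


def triage(text):
    """Summarise bugchecks and boot-start driver failures from DDS event lines."""
    events = parse_events(text)
    bugchecks = Counter()
    driver_failures = Counter()
    for ev in events:
        if ev["event_id"] == 1001:
            m = BUGCHECK_RE.search(ev["message"])
            if m:
                bugchecks[m.group(1).lower()] += 1
        elif ev["event_id"] == 7026 and DRIVER_FAIL_PREFIX in ev["message"]:
            names = ev["message"].split(DRIVER_FAIL_PREFIX, 1)[1].split()
            driver_failures.update(names)
    return {
        "events": len(events),
        "bugchecks": dict(bugchecks),
        "driver_failures": dict(driver_failures),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(f"{summary['events']} error events parsed")
    for code, n in sorted(summary["bugchecks"].items()):
        print(f"  bugcheck {code} {describe_bugcheck(code)} x{n}")
    for name, n in sorted(summary["driver_failures"].items(), key=lambda kv: -kv[1]):
        print(f"  driver failed to load: {name} x{n}")
```

Drivers that fail to load on every boot (here discache, spldr and Wanarpv6) are usually noise, while a driver that appears in only one boot's list, or that logs its own internal-error event like sptd does at 5:41:29 PM, is what to look at next; likewise a run of different stop codes within a few hours points at kernel-mode corruption rather than one faulty driver, which is consistent with the rootkit the poster found.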


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 18 January 2011 - 03:48 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE: :exclame:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi :hello:



#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 25 January 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
