BleepingComputer.com forums

Tricky Malware


  • This topic is locked
2 replies to this topic

#1 that1120

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 06 February 2011 - 12:36 AM

Hey everyone, I have a problem on my desktop that I cannot solve. I have a Dell desktop running Windows XP. Usually, I would use Malwarebytes, SuperAntiSpyware, and CCleaner to solve my viral infestations. This time, even running all three programs, the problems still exist.

To begin, I receive an error message saying "Generic Host Win32 has crashed and needs to close" or something, which causes the audio to stop working and the graphics to turn old-school. When I reboot, the same problem occurs again and again.

I also get pop-ups (not on my Internet) saying something like "Invalid Password, Try Again". After this appears, more pop-ups with a similar message come. This slows down my computer--causing me to run rkill.

Finally, whenever I use the Google search engine, any link I click redirects me to the original search page. Occasionally, it redirects me to an unknown search engine covered in ads.

Thank you for your time in helping me with my problems. Attached are dds and gmer logs.
that1120

DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 23:45:39.65 on Sat 02/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.695 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Tunngle\TnglCtrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tunngle\Tunngle.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by MSN & Bing
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3h7seu20.default\
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-12-13 718072]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-12-13 27136]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-2-5 312152]
S3 apf001;apf001;\??\c:\game\softnyxgame\gunboundis\apf001.sys --> c:\game\softnyxgame\gunboundis\apf001.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2011-02-06 03:49:52 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-02-06 03:49:29 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-02-06 03:08:39 -------- d-----w- c:\docume~1\owner\applic~1\IObit
2011-02-06 03:08:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-02-06 03:08:25 -------- d-----w- c:\program files\IObit
2011-02-05 16:38:33 -------- d-----w- c:\docume~1\owner\applic~1\ElevatedDiagnostics
2011-02-05 02:44:40 -------- d-----w- c:\windows\system32\NtmsData
2011-02-02 21:34:32 -------- d-----w- c:\program files\LittleFighter2
2011-01-30 20:35:24 -------- d-----w- C:\spoolerlogs
2011-01-30 20:12:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\hMiFdLl06504
2011-01-24 20:42:32 -------- d-----w- c:\program files\YouTube Downloader
2011-01-22 19:39:55 12920 ----a-w- c:\windows\system32\apl001.sys
2011-01-22 19:39:55 10872 ----a-w- c:\windows\system32\apf001.sys
2011-01-09 03:28:26 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-01-09 03:27:20 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-01-09 03:27:20 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-01-09 03:24:36 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-01-09 03:21:17 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-01-09 03:20:11 -------- d-----w- c:\windows\SHELLNEW
2011-01-08 23:04:06 -------- d-----w- c:\docume~1\owner\applic~1\SynthMaker
2011-01-08 23:00:37 -------- d-----w- c:\docume~1\owner\applic~1\Acoustica
2011-01-08 23:00:35 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2011-01-08 22:56:07 348160 ----a-w- c:\windows\system32\~GLH0001.TMP
2011-01-07 05:06:41 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-07 05:06:19 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-07 05:05:52 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-01-07 05:05:52 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-01-07 05:05:32 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y080L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x899CBEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88f9e872; SUB DWORD [EBP-0x4], 0x88f9e12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A1CFAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x89C77030]
[0x8A0D1030] -> IRP_MJ_CREATE -> 0x899CBEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y080L0__________________________YAR41BW0#3259343742324352202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x899CBAEA
user & kernel MBR OK
sectors 156249998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:05:52.50 ===============


#2 that1120 (Topic Starter)

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 06 February 2011 - 08:15 PM

Problem solved, using TDSSKiller.

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:51 AM

Posted 06 February 2011 - 08:21 PM

Thanks for letting me know.

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
