new malware keeps popping up - iExplore and more?

26 replies to this topic

#1 fmac43
  • Members
  • 72 posts

Posted 16 February 2011 - 01:21 PM

I've been trying to clean up my computer for a month or two and it seems like new things keep popping up all the time. I've run MalwareBytes today and it didn't find anything; I ran SuperAntiSpyware and it found 300 items, including about 20 Trojans. Ran it again, new Trojans found. Originally, new Internet windows popped up (initially with p0rn sites). That doesn't seem to happen any more, but we get a lot of messages saying Internet Explorer is having a problem and needs to shut down, even if we're not online. Today I've been bombarded with popups saying "The app or DLL C:\Windows\system32\CHKNlreg.dll is not a valid Windows image. Please check your installation diskette." This appears after booting up, both before and after the Welcome screen, and also when the desktop appears.

I ran DDS, which is below. I had a problem with GMER, though. I saved and extracted the file and when I was at the screen in image 13 of the "Preparation" page (http://www.bleepingcomputer.com/forums/topic34773.html), my computer went to the blue screen and I got the following error message: "a problem has been detected and Windows has been shut down to prevent damage to your computer." The error was: page_fault_in_nonpaged_area

Here's the DDS.

DDS (Ver_10-12-12.02) - NTFSx86
Run by JPediting at 12:55:49.01 on Wed 02/16/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.464 [GMT -5:00]

FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Documents and Settings\JPediting\Desktop\queen.com
C:\DOCUME~1\JPEDIT~1\LOCALS~1\Temp\RarSFX13\h\iexplore.exe
C:\Documents and Settings\JPediting\Desktop\queen.com
C:\Documents and Settings\JPediting\Desktop\queen.com
C:\Documents and Settings\JPediting\Desktop\queen.com
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\JPEDIT~1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.earthlink.net
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {3E41A58E-99BE-4964-BED2-B1FD11B4ECDD} = 192.168.2.1,207.69.188.186,207.69.188.187
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-6-2 1247600]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]

=============== Created Last 30 ================

2011-02-16 13:38:05 -------- d-----w- c:\docume~1\jpedit~1\applic~1\SUPERAntiSpyware.com
2011-02-16 13:37:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-14 02:01:00 58368 ------w- c:\windows\system32\CHKNlreg.dll
2011-01-27 15:10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-23 23:44:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-23 23:44:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-23 23:44:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2011-01-27 15:09:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-22 13:58:13 0 ----a-w- c:\windows\Ovonute.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3F555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f457b0]; MOV EAX, [0x86f4582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F9CAB8]
3 CLASSPNP[0xF7557FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86FC91C0]
\Driver\atapi[0x86FA73A8] -> IRP_MJ_CREATE -> 0x86F3F555
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a3544564d515653202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3F39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:57:56.01 ===============

#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2011 - 12:26 PM

Hello fmac43 ,
Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Error reading poptart in Drive A: Delete kids y/n?

#3 fmac43
  • Topic Starter

Posted 20 February 2011 - 02:01 PM

Hi, Tea.

No problem, you guys seem swamped. I'll run a new log and post it in a few hours.

A weird thing today -- the defogger program started running two separate times on its own. I ended up deleting it because that made me nervous. But I'll reinstall and run it.

Thanks!

(ETA: by "Defogger" I mean the DDS.)

Edited by fmac43, 20 February 2011 - 02:02 PM.


#4 teacup61

Posted 20 February 2011 - 02:05 PM

Post when you're ready. :thumbup2:

#5 fmac43
  • Topic Starter

Posted 20 February 2011 - 04:48 PM

Hi, Tea.

Here's the log that I just ran.

FYI, two "Bad Image" errors popped up when I clicked on the DDS icon to launch it, and one popped up when the scan was about half-way through. The last one said "cmd.exe Bad Image."

And here's the log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by JPediting at 16:42:04.85 on Sun 02/20/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.537 [GMT -5:00]

FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JPediting\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.earthlink.net
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [exikheyf] c:\windows\temp\kteophdtn\pelbkybsikk.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {3E41A58E-99BE-4964-BED2-B1FD11B4ECDD} = 192.168.2.1,207.69.188.186,207.69.188.187
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-6-2 1247600]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]

=============== Created Last 30 ================

2011-02-17 02:53:30 1409 ----a-w- c:\windows\QTFont.for
2011-02-16 13:38:05 -------- d-----w- c:\docume~1\jpedit~1\applic~1\SUPERAntiSpyware.com
2011-02-16 13:37:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-14 02:01:00 58368 ------w- c:\windows\system32\CHKNlreg.dll
2011-01-27 15:10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-23 23:44:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-23 23:44:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-23 23:44:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2011-01-27 15:09:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-22 13:58:13 0 ----a-w- c:\windows\Ovonute.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3D555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f437b0]; MOV EAX, [0x86f4382c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F99AB8]
3 CLASSPNP[0xF7557FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86F96030]
\Driver\atapi[0x86FA73A8] -> IRP_MJ_CREATE -> 0x86F3D555
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a3544564d515653202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3D39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:44:20.70 ===============
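Three things in the logs posted so far are the kind of entries a malware-response helper looks at first: the `dRun` entry that launches a randomly named executable from c:\windows\temp, the recently created CHKNlreg.dll in system32 whose name matches the "Bad Image" error, and the GMER MBR detector's rootkit warning. As an added example (not code from this thread, from DDS or from GMER), here is a small Python triage script that pulls exactly those indicator classes out of DDS text. The sample input is a handful of lines excerpted from the log above; the severity labels, the `reported_names` parameter (file names the user saw in error dialogs) and the list of unusual launch directories are assumptions of the example, not DDS conventions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Lines excerpted from the second DDS log in this thread (post #5), embedded
# here so the example runs offline. Backslashes are doubled only because this
# is a normal Python string literal.
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [DwlClient] c:\\program files\\common files\\dell\\eusw\\Support.exe
mRun: [Windows Defender] "c:\\program files\\windows defender\\MSASCui.exe" -hide
dRun: [exikheyf] c:\\windows\\temp\\kteophdtn\\pelbkybsikk.exe
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
2011-02-16 13:37:52 -------- d-----w- c:\\program files\\SUPERAntiSpyware
2011-02-14 02:01:00 58368 ------w- c:\\windows\\system32\\CHKNlreg.dll
2011-01-27 15:10:03 472808 ----a-w- c:\\windows\\system32\\deployJava1.dll
2011-01-22 13:58:13 0 ----a-w- c:\\windows\\Ovonute.bin
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (labels chosen for this example)
    category: str
    detail: str


# uRun / mRun / dRun = per-user, machine-wide and default-profile Run keys.
AUTORUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "Created Last 30" / "Find3M" entries: date time size attrs path.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# Browser helper objects / toolbars / explorer bars whose file is gone.
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|TB|EB): .*- No File$")
# First executable-looking path in a command line (quoted or unquoted).
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b", re.IGNORECASE)

# Temp and profile directories: legitimate logon entries rarely live here
# (assumed list for this example).
UNUSUAL_DIRS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\",
                "\\application data\\", "\\appdata\\", "\\users\\")
BINARY_EXT = (".dll", ".sys", ".exe")


def executable_path(cmd: str) -> str:
    """Return the launched binary from an autorun command line."""
    m = EXE_RE.match(cmd.lstrip('"'))
    return m.group("path") if m else cmd


def triage(dds_text: str, reported_names: Iterable[str] = ()) -> List[Finding]:
    """Scan DDS lines for the indicator classes that surfaced in this thread."""
    reported = {n.lower() for n in reported_names}
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            path = executable_path(m.group("cmd")).lower()
            if any(d in path for d in UNUSUAL_DIRS):
                findings.append(Finding("high", "autorun",
                    f"{m.group('hive')}Run [{m.group('name')}] launches {path}"))
        elif m := CREATED_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path").lower()
            name = path.rsplit("\\", 1)[-1]
            is_dir = attrs.startswith("d")
            if not is_dir and "\\windows\\system32\\" in path and name.endswith(BINARY_EXT):
                # A new system32 binary that also appears in a user-reported
                # "Bad Image" dialog is the first thing to verify.
                sev = "high" if name in reported else "medium"
                findings.append(Finding(sev, "new-system32-binary",
                    f"{path} created {m.group('date')} (attrs {attrs})"))
        elif ORPHAN_RE.match(line):
            findings.append(Finding("low", "orphaned-browser-extension", line))
        elif line.startswith("Warning:") and "rootkit" in line.lower():
            findings.append(Finding("high", "rootkit-detector", line))
    return findings


def by_severity(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS, reported_names=("CHKNlreg.dll",)):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

The script only ranks entries for a human to verify; deployJava1.dll lands in the same "new system32 binary" bucket as CHKNlreg.dll and is separated from it here only by the user's own error report, which is why a helper asks for the exact dialog text before deciding what to remove.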

#6 teacup61

Posted 20 February 2011 - 05:11 PM

Hello there,

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

#7 fmac43
  • Topic Starter

Posted 20 February 2011 - 05:27 PM

Hi, Tea.

Thank you very much for the quick reply! Okay, ran and the log follows. I am still getting the "Bad Image" error messages; when the computer reboots, five come up. First, winlogon.exe is the header, then userinit.exe, brctrcen.exe, and finally SuperAntiSpyware.

Log:

2011/02/20 17:23:59.0531 2300 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/20 17:23:59.0640 2300 ================================================================================
2011/02/20 17:23:59.0640 2300 SystemInfo:
2011/02/20 17:23:59.0640 2300
2011/02/20 17:23:59.0640 2300 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/20 17:23:59.0640 2300 Product type: Workstation
2011/02/20 17:23:59.0640 2300 ComputerName: DG7HJM51
2011/02/20 17:23:59.0640 2300 UserName: JPediting
2011/02/20 17:23:59.0640 2300 Windows directory: C:\WINDOWS
2011/02/20 17:23:59.0640 2300 System windows directory: C:\WINDOWS
2011/02/20 17:23:59.0640 2300 Processor architecture: Intel x86
2011/02/20 17:23:59.0640 2300 Number of processors: 2
2011/02/20 17:23:59.0640 2300 Page size: 0x1000
2011/02/20 17:23:59.0640 2300 Boot type: Normal boot
2011/02/20 17:23:59.0640 2300 ================================================================================
2011/02/20 17:23:59.0843 2300 Initialize success

#8 teacup61

Posted 21 February 2011 - 05:20 PM

Hi there,

Could you please try to post the same log again? That one got cut off, and what I need to see is at the very bottom. :)

Thank you,
tea

#9 fmac43
  • Topic Starter

Posted 21 February 2011 - 06:26 PM

Here you go, but it looks the same to me. I might have messed up -- this is the report after rebooting. The program found and cured a rootkit problem but I was flustered so okay'd it rebooting before I thought to click on the "report" button. :huh:

2011/02/21 18:22:36.0750 3228 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/21 18:22:46.0187 3228 ================================================================================
2011/02/21 18:22:46.0187 3228 SystemInfo:
2011/02/21 18:22:46.0187 3228
2011/02/21 18:22:46.0187 3228 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/21 18:22:46.0187 3228 Product type: Workstation
2011/02/21 18:22:46.0187 3228 ComputerName: DG7HJM51
2011/02/21 18:22:46.0187 3228 UserName: JPediting
2011/02/21 18:22:46.0187 3228 Windows directory: C:\WINDOWS
2011/02/21 18:22:46.0187 3228 System windows directory: C:\WINDOWS
2011/02/21 18:22:46.0187 3228 Processor architecture: Intel x86
2011/02/21 18:22:46.0187 3228 Number of processors: 2
2011/02/21 18:22:46.0187 3228 Page size: 0x1000
2011/02/21 18:22:46.0187 3228 Boot type: Normal boot
2011/02/21 18:22:46.0187 3228 ================================================================================
2011/02/21 18:22:46.0515 3228 Initialize success

#10 teacup61

Posted 21 February 2011 - 06:33 PM

I see.....no problem since you're sure it was cured. :) How is it running now please?

I see you have MBAM.....could you please be sure it's updated and have a scan with it? Post the report, if there is anything to post. :)

Thanks,
tea

#11 fmac43
  • Topic Starter

Posted 21 February 2011 - 06:40 PM

Seems to be running okay, apart from those weird "Bad Image" errors I'm still getting. Should I run a quick scan or full scan with mbam?

#12 teacup61

Posted 21 February 2011 - 06:58 PM

Quick scan should be good. If the errors don't stop after this, then we'll run one more program that will make them stop. :thumbup2:

Thanks,
tea

#13 fmac43
  • Topic Starter

Posted 21 February 2011 - 06:59 PM

I'm running a full scan, and it's found 2 threats so far.

#14 teacup61

Posted 21 February 2011 - 07:02 PM

no need to worry yet.....at this stage, with you, it could be those bad image errors being caught. :wink:

#15 fmac43
  • Topic Starter

Posted 21 February 2011 - 07:08 PM

Oh, good, I hope so! DDS just tried to start running as well. I'm not using that computer right now, so it's launching itself. Aah! I will post the malwarebytes log when the scan is done.