Stumped by IE hijacking


13 replies to this topic

#1 yj777


Posted 03 March 2011 - 07:47 PM

Hi.

I am stumped by the following:

On one of my Win XP SP2 computers, when I run IE8, go into eBay, and try to log in using a fake username and password, I get taken to a screen demanding my full name, card number, PIN, etc. (see attached).
Obviously some kind of BHO has hijacked IE.

Sounds easy, but... the problem is that I can't seem to get rid of it!
I have done the following so far.

1. HijackThis 2.04 & 2.05 beta scans
2. Ran the latest version of ComboFix
3. Malwarebytes full scan
4. Used the Microsoft IE reset tool
5. I uninstalled IE8... but the problem still remains in IE6!!!
6. Checked the hosts file for IP redirection, but can't find anything.

There are no other obvious symptoms or strange things running on the system.

When I run Opera 9.6, I don't have any problems accessing eBay.
I should note that Adobe Flash doesn't seem to work in IE8 or IE6.
I've read about a fake Flash plugin hijacking IE, but the Flash plugin I have installed checks OK and doesn't scan, and it works fine in Opera.

At this point I give up. I need help.
Please let me know what scans I should provide first.
Thanks

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by yj777, 03 March 2011 - 09:10 PM.




#2 yj777


Posted 03 March 2011 - 07:50 PM

Oops, sorry,
here is the screenshot.

Attached Files



#3 yj777


Posted 03 March 2011 - 09:07 PM

Could someone help me out, please?
Thanks

#4 boopme


Posted 03 March 2011 - 09:39 PM

Hello, I am a bit confused by this, sorry.

go into Ebay, and try to login, use a fake username and password, i get taken into a screen demanding my full name, card number pin, etc.. (see attached)

Why are you using fakes? That would seem to trigger a checking page. Although I do not agree that eBay should ask for that credit card info first.

Let's run these scans also.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Please perform a scan with the ESET Online Antivirus Scanner.
This scan requires Internet Explorer, Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.

#5 yj777


Posted 03 March 2011 - 09:56 PM

Thank you for your reply.
Quick note:
Not many malware programs make the news.. but this one did, at least back in 2007
http://www.theregister.co.uk/2007/05/25/strange_spoofing_technique/

Not sure if this is the same old one or an updated version, but it is pretty amazing and seamless, if such a thing is possible. It uses some kind of HTML injection and a proxy that hijacks any HTML requests to eBay / PayPal and changes the results on the fly.

Hello, I am a bit confused by this, sorry.

go into Ebay, and try to login, use a fake username and password, i get taken into a screen demanding my full name, card number pin, etc.. (see attached)

Why are you using fakes? That would seem to trigger a checking page. Although I do not agree that eBay should ask for that credit card info first.


Because when I did it the first time I was infected, I actually entered my real info, and I had to change the password for obvious reasons.
After playing around with the malware, I realized that it doesn't actually check whether my ID / password combo is correct with the real eBay system; it just goes into the phishing page. So to test whether the malware is still present or not, I enter a fake ID and password, and if it goes through to the second "phishing" page, it means it is still present.


Let me try the rest of the instructions and get back to you.
Thanks

Edited by yj777, 03 March 2011 - 10:00 PM.


#6 boopme


Posted 03 March 2011 - 10:18 PM

OK, I see, thanks.
This is possibly a backdoor infection ...If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In the event I am gone before you post back I will look in tomorrow morning.

#7 yj777


Posted 03 March 2011 - 10:26 PM

Thanks for your help.
TDSSKiller found http://en.wikipedia.org/wiki/Alureon (the world's most advanced toolkit http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/) and Backdoor.Win32.Sinowal.knf.
Here is the log.
That seems to have cleared the HTML injection / IE hijacking.
I am doing the ESET scan now.

2011/03/03 22:08:57.0171 1488 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/03 22:08:57.0281 1488 ================================================================================
2011/03/03 22:08:57.0281 1488 SystemInfo:
2011/03/03 22:08:57.0281 1488
2011/03/03 22:08:57.0281 1488 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/03 22:08:57.0281 1488 Product type: Workstation
2011/03/03 22:08:57.0281 1488 ComputerName: NCORE2
2011/03/03 22:08:57.0281 1488 UserName: xxxxxx
2011/03/03 22:08:57.0281 1488 Windows directory: C:\WINDOWS
2011/03/03 22:08:57.0281 1488 System windows directory: C:\WINDOWS
2011/03/03 22:08:57.0281 1488 Processor architecture: Intel x86
2011/03/03 22:08:57.0281 1488 Number of processors: 2
2011/03/03 22:08:57.0281 1488 Page size: 0x1000
2011/03/03 22:08:57.0281 1488 Boot type: Normal boot
2011/03/03 22:08:57.0281 1488 ================================================================================
2011/03/03 22:08:57.0562 1488 Initialize success
2011/03/03 22:09:04.0812 3644 ================================================================================
2011/03/03 22:09:04.0812 3644 Scan started
2011/03/03 22:09:04.0812 3644 Mode: Manual;
2011/03/03 22:09:04.0812 3644 ================================================================================
2011/03/03 22:09:07.0734 3644 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/03 22:09:11.0140 3644 \HardDisk0 - detected Backdoor.Win32.Sinowal.knf (0)
2011/03/03 22:09:11.0156 3644 ================================================================================
2011/03/03 22:09:11.0156 3644 Scan finished
2011/03/03 22:09:11.0156 3644 ================================================================================
2011/03/03 22:09:11.0156 4072 Detected object count: 2
2011/03/03 22:10:27.0296 4072 Ftdisk (0f4e230782e5577509b8780e64dc2866) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/03 22:10:28.0296 4072 Backup copy found, using it..
2011/03/03 22:10:28.0296 4072 C:\WINDOWS\system32\DRIVERS\ftdisk.sys - will be cured after reboot
2011/03/03 22:10:28.0296 4072 Rootkit.Win32.TDSS.tdl3(Ftdisk) - User select action: Cure
2011/03/03 22:10:28.0328 4072 \HardDisk0 - will be cured after reboot
2011/03/03 22:10:28.0328 4072 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure
2011/03/03 22:10:32.0281 0548 Deinitialize success

Edited by yj777, 03 March 2011 - 10:43 PM.
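A small parser for the TDSSKiller log format posted above, added here as an example and not part of this thread or of Kaspersky's tool: it pulls out the driver inventory, the detection lines and the per-object actions, and flags what a helper reviewing the log would want to check (a detection with no recorded action, cures deferred to reboot, objects at disk/MBR level, a declared count that disagrees with the detection lines). The sample log is constructed from the lines of this post; the line-format assumptions are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the TDSSKiller 2.4 log in this post
# (timestamp, thread id, message). Hash and paths are the ones the post shows.
SAMPLE_LOG = r"""
2011/03/03 22:09:04.0812 3644 ================================================================================
2011/03/03 22:09:04.0812 3644 Scan started
2011/03/03 22:09:07.0718 3644 Ftdisk (0f4e230782e5577509b8780e64dc2866) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/03 22:09:07.0734 3644 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/03 22:09:11.0140 3644 \HardDisk0 - detected Backdoor.Win32.Sinowal.knf (0)
2011/03/03 22:09:11.0156 3644 Scan finished
2011/03/03 22:09:11.0156 4072 Detected object count: 2
2011/03/03 22:10:28.0296 4072 C:\WINDOWS\system32\DRIVERS\ftdisk.sys - will be cured after reboot
2011/03/03 22:10:28.0296 4072 Rootkit.Win32.TDSS.tdl3(Ftdisk) - User select action: Cure
2011/03/03 22:10:28.0328 4072 \HardDisk0 - will be cured after reboot
2011/03/03 22:10:28.0328 4072 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure
"""

# Assumed line shapes, derived from the log above (not documented by Kaspersky).
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+(?P<tid>\d+)\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+) \((?P<flag>\d+)\)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
ACTION_RE = re.compile(r"^(?P<threat>\S+?)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$")
REBOOT_RE = re.compile(r"^(?P<target>.+) - will be cured after reboot$")


@dataclass
class Detection:
    obj: str                      # service name or raw device such as \HardDisk0
    threat: str                   # detection name, e.g. Rootkit.Win32.TDSS.tdl3
    action: Optional[str] = None  # Cure / Skip / Delete as chosen by the user
    cure_on_reboot: bool = False  # tool deferred the fix to the next boot


def parse_tdsskiller_log(text: str) -> dict:
    """Walk the log once; return drivers, detections and the declared count."""
    drivers: Dict[str, Tuple[str, str]] = {}   # service name -> (md5, path)
    path_to_name: Dict[str, str] = {}          # lower-cased path -> service name
    detections: Dict[str, Detection] = {}      # keyed by object, insertion ordered
    declared: Optional[int] = None
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # banner, blank or separator lines
        msg = line.group("msg")
        if (m := DETECT_RE.match(msg)):
            detections[m["obj"]] = Detection(m["obj"], m["threat"])
        elif (m := COUNT_RE.match(msg)):
            declared = int(m["n"])
        elif (m := ACTION_RE.match(msg)):
            if m["obj"] in detections:
                detections[m["obj"]].action = m["action"]
        elif (m := REBOOT_RE.match(msg)):
            # The reboot line names the file path for drivers but the device
            # for disk-level objects; map the path back to its service name.
            name = path_to_name.get(m["target"].lower(), m["target"])
            if name in detections:
                detections[name].cure_on_reboot = True
        elif (m := DRIVER_RE.match(msg)):
            drivers[m["name"]] = (m["md5"], m["path"])
            path_to_name[m["path"].lower()] = m["name"]
    return {"drivers": drivers, "detections": list(detections.values()),
            "declared_count": declared}


def triage(report: dict) -> List[str]:
    """Things a helper would want to follow up on before calling the box clean."""
    findings: List[str] = []
    dets = report["detections"]
    declared = report["declared_count"]
    if declared is not None and declared != len(dets):
        findings.append(f"count mismatch: log declares {declared} objects, parsed {len(dets)}")
    for d in dets:
        if d.action is None:
            findings.append(f"{d.obj}: {d.threat} detected but no action recorded (skipped?)")
        elif d.action != "Cure":
            findings.append(f"{d.obj}: {d.threat} action was {d.action}, not Cure")
        if d.cure_on_reboot:
            findings.append(f"{d.obj}: cure of {d.threat} deferred until reboot; rescan after restart")
        if d.obj.startswith("\\HardDisk"):
            findings.append(f"{d.obj}: {d.threat} sits in the boot sector/MBR, below the file system")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(finding)
```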


#8 boopme


Posted 03 March 2011 - 10:39 PM

You're welcome!!
You did the needed reboot?
You had a badass infection. When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.

Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.

Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

Let's see what ESET says.

#9 yj777


Posted 03 March 2011 - 11:31 PM

You're welcome!!
You did the needed reboot?

Thank you again, fellow New Jerseyan.
Yes, I did need a reboot to clean the MBR infections.

You had a badass infection. When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.

Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.

Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

Let's see what ESET says.


Thanks for the info.
ESET is still running.
I've been using ComboFix to fix the nastiest infections for years.
In the worst cases I had to slave my hard drive to another PC to get it cleaned.

But this is the first time I've seen malware getting past ComboFix or Malwarebytes as if they were some pathetic AV program like Symantec Antivirus.
I haven't used any active antivirus software for years, because it provides a false sense of security and most malware gets past it without a hitch.

Obviously malware writers have reached professional status by coding in assembly, doing MBR infections, intercepting OS calls, like in the good old virus days...

Luckily I don't run IE too often and don't use Mozilla or Firefox either.
I use lesser known browsers that are less susceptible to attacks.
Still, I am changing all my login IDs and passwords just in case.

Edited by yj777, 03 March 2011 - 11:42 PM.


#10 yj777


Posted 04 March 2011 - 01:26 AM

ESET found a couple of things I had already found myself or with ComboFix, but it also found a few things that had been missed by ComboFix or Malwarebytes.
I will be doing scans using ESET more often.

Thanks for all your help, and i hope this thread helps someone having similar problems!


C:\Documents and Settings\Ncore\Application Data\Sun\Java\Deployment\cache\6.0\41\3aa0eaa9-26ac19b6 Java/Hoax.BlueScreen.A application
C:\Qoobox\Quarantine\C\asr_gwiz.dl Win32/PSW.Papras.AW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\tnfnagpdpyke.dll.vir a variant of Win32/Adware.GooochiBiz.AM application
C:\System Volume Information\_restore{C0CCF1FA-EAC7-445E-ACC5-BCF77EB06BAA}\RP499\A0068326.dll a variant of Win32/Adware.GooochiBiz.AL application
C:\System Volume Information\_restore{C0CCF1FA-EAC7-445E-ACC5-BCF77EB06BAA}\RP501\A0068931.dll Win32/PSW.Papras.AW trojan
D:\xxxx.com\forum2\readme.php probably a variant of PHP/Rst.R trojan
D:\xxxx.com\forum2\users.php PHP/Kryptik.AB trojan

#11 boopme
Global Moderator

Posted 04 March 2011 - 01:30 PM

Ok, this looks good now. A couple new ones, some in the ComboFix quarantine and some in the System Restore files, we should remove.
I did notice you never installed SP3 (Service Pack 3 for XP), I guess because you do not use it often.

What version of JAVA, if any, is running? Check to see if it's outdated.
Go into Control Panel > Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).


If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:
Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
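The create-then-prune restore point procedure above, as an added Windows PowerShell example rather than anything from the thread: it uses the Checkpoint-Computer and Get-ComputerRestorePoint cmdlets plus vssadmin, so it assumes Vista or later (where restore points are VSS shadow copies) and an elevated session; XP has no equivalent cmdlets, so the GUI steps apply there.

```powershell
# Added example, not code from the thread. Create a fresh restore point
# after cleaning, then delete every older one so an infected point cannot
# be rolled back to. Assumes Vista+ and an elevated Windows PowerShell.
function New-CleanRestorePoint {
    param([string]$Description = "Post-cleanup baseline")

    # Make sure System Restore is on for the system drive (needs "C:\" form).
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    $points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
    $newest = $points | Select-Object -Last 1
    if (-not $newest -or $newest.Description -ne $Description) {
        # Windows 8 and later create at most one point per 24 hours by default.
        throw "Restore point '$Description' was not created; check the 24h limit."
    }

    # Restore points are VSS shadow copies; remove the oldest one at a time
    # until only the point just created remains.
    $older = @($points | Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber })
    foreach ($p in $older) {
        vssadmin delete shadows "/for=$env:SystemDrive" /oldest /quiet | Out-Null
    }

    # Return what is left so the caller can log the point's sequence number.
    Get-ComputerRestorePoint
}

New-CleanRestorePoint -Description "Clean after ESET/ComboFix" | Format-Table -AutoSize
```

Keep the printed sequence number and description, as the post advises, so the clean point can be picked out later if System Restore is needed.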

#12 yj777
Topic Starter

Posted 05 March 2011 - 01:51 AM

Hi
thanks for the reply and for the info.
I never installed SP3 for fear it may mess up any of the many sensitive apps I have installed on my system. You know the saying.. if it ain't broke...

I have the latest version of Java installed, Java 6 update 24.

I am rescanning the computer with ESET again. All TDSSKiller rescans come back clean.
However, I am having some very strange problems with Adobe Flash video not playing on certain sites, such as www.bloomberg.com/tv or watch.thirteen.org
No errors come up.. the video just never plays.
The strange thing is that I can play video from sites such as youtube.com without any problems.
I have the latest version of flash installed.

I tried three different browsers and all of them exhibit the same flash problem with the same sites, so the problem has something to do with flash.
I have tried the Adobe flash uninstaller and uninstalled / reinstalled Flash several times, but the problem is still there.
I have also installed / uninstalled chrome, but the problem is still there.

I believe my infection got started after I started looking for a fix for adobe flash crashing occasionally when watching videos.. I somehow downloaded and ran a flash update that didn't pass the crc test and got infected.

Edited by yj777, 05 March 2011 - 02:09 AM.


#13 yj777
Topic Starter

Posted 05 March 2011 - 10:25 AM

The ESET scan came back clean.
I did a Combofix scan just now and found nothing out of the ordinary, no quarantined files.

Edited by yj777, 05 March 2011 - 10:35 AM.


#14 yj777
Topic Starter

Posted 05 March 2011 - 01:37 PM

I discovered that all the problems I was having with Flash working only on certain sites went away if I ran the browsers from a different account on the same computer, so there must be something installed in the Win XP profile settings that was causing the problems.
I am manually migrating all links / settings from my previous Win XP profile to a new one I will be using from now on.
