Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with TDLR4, google keeps redirecting and norton reports regular attacks


  • This topic is locked This topic is locked
2 replies to this topic

#1 jackson31

jackson31

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 01 April 2011 - 10:57 PM

Every time i open the internet, change page or even just leave my computer connected to the internet, Norton comes up every few seconds with 'Norton has resisted an attack on your computer'. In the log these are listed as coming from a number of sites ad somewhere in the name, none of which i've visited. Google keeps redirecting webpages to unrelated ad sites, and often the computer suddenly changes screens so the start bar is pre-xp style and the computer audio stops working till i restart the computer. i've done full norton and malwarebytes scans, and they no longer come up with anything.
The GMER and dds logs say i've got a rootkit called TDLR4, and i don't know how to remove it. i've attached the files I was told to.
Some help would be greatly appreciated, thank you :)


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-02 13:41:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD080HJ/P rev.ZH100-34
Running: gmer.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kgtyapoc.sys


---- System - GMER 1.0.15 ----

SSDT 849056C0 ZwAlertResumeThread
SSDT 849046E0 ZwAlertThread
SSDT 84903EC8 ZwAllocateVirtualMemory
SSDT 8488F898 ZwAssignProcessToJobObject
SSDT 8493AC00 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEB863720]
SSDT 84906F38 ZwCreateMutant
SSDT 8488C5E0 ZwCreateSymbolicLinkObject
SSDT 84A552D0 ZwCreateThread
SSDT 8488F978 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEB8639A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEB863F00]
SSDT 84902E70 ZwDuplicateObject
SSDT 84903A88 ZwFreeVirtualMemory
SSDT 84905500 ZwImpersonateAnonymousToken
SSDT 849055E0 ZwImpersonateThread
SSDT 84951438 ZwLoadDriver
SSDT 84A7EFB0 ZwMapViewOfSection
SSDT 84906E58 ZwOpenEvent
SSDT 84873DC8 ZwOpenProcess
SSDT 84902D90 ZwOpenProcessToken
SSDT 849F11D8 ZwOpenSection
SSDT 84902F60 ZwOpenThread
SSDT 8488F7A8 ZwProtectVirtualMemory
SSDT 849047C0 ZwResumeThread
SSDT 84904330 ZwSetContextThread
SSDT 84904410 ZwSetInformationProcess
SSDT 849F1090 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEB864150]
SSDT 849F1008 ZwSuspendProcess
SSDT 849048A0 ZwSuspendThread
SSDT 8495A050 ZwTerminateProcess
SSDT 84904250 ZwTerminateThread
SSDT 84903900 ZwUnmapViewOfSection
SSDT 84903DD8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5407360, 0x2456AE, 0xE8000020]
? C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[180] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0275003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0140000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013E000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[180] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1364] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0068000A
.text C:\WINDOWS\System32\svchost.exe[1364] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FF000A
.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 84CC227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 84CC227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 84CC227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 84CC227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 84CC227F

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD080HJ#P_______________________ZH100-34#5&1c6638a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OPKUAKOM\flb[1].cfm 0 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:07:21 AM

Posted 05 April 2011 - 06:35 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:07:21 AM

Posted 07 April 2011 - 05:32 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users