Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit issue - google redirect, TDSS won't run, GMER freezes computer


  • This topic is locked This topic is locked
3 replies to this topic

#1 rotatinringking

rotatinringking

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 23 April 2011 - 08:36 AM

Hello,
I have a probable rootkit issue that I am looking for some help with. I have been getting redirects to ads from google and yahoo searches for the last couple days, and my system seems to be running generally slower. I've run AVG and Malwarebytes, which sporadically have found some issues, but the problems persist with my system.

I read that TDSS Killer was a good option for fixing this issue, but when I attempt to run this it reaches 80% on the initialization screen then fails to open.

Regrettably, I found a yahoo answers post about running combofix to fix this issue (and the post didn't provide the warning I've seen on this site and elsewhere), so I ended up running that as well. The issue is still around after comobofix.

I attached my DDS logs, as well as my combofix log (note that I ran combofix BEFORE I created the DDS log in preparation for this post). I haven't been able to complete GMER correctly, so that is not attached - the first time I tried, my computer crashed after about 5 hours of running it. I also tried over night, and when I woke up my computer was locked. When I tried to log in, my computer froze and I had to restart.

Also of note - when I tried to complete this post on my computer, it kept saying I was offline, so I had to email the files to myself and post this on a different computer.

Any input would be great. Thanks so much!

DDS.txt:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by TreemanK at 16:30:26.20 on Fri 04/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1291 [GMT -5:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TreemanK\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276310351115
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\treemank\applic~1\mozilla\firefox\profiles\y43l85vl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\treemank\application data\mozilla\firefox\profiles\y43l85vl.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-11 363344]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-5-7 1051976]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-11 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]
.
=============== Created Last 30 ================
.
2011-04-22 21:04:28 -------- d-sha-r- C:\cmdcons
2011-04-22 20:49:51 98816 ----a-w- c:\windows\sed.exe
2011-04-22 20:49:51 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 20:49:51 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 20:49:51 161792 ----a-w- c:\windows\SWREG.exe
2011-04-22 06:51:22 -------- d-----w- c:\program files\Sophos
2011-04-22 04:53:32 -------- d-----w- c:\docume~1\treemank\locals~1\applic~1\AVG Security Toolbar
2011-04-22 04:36:39 -------- d-----w- C:\$AVG
2011-04-22 04:16:52 -------- d-----w- c:\docume~1\treemank\applic~1\AVG10
2011-04-22 04:16:00 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-22 04:14:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-04-22 04:14:16 -------- d-----w- c:\program files\AVG
2011-04-22 04:10:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-22 04:07:27 -------- d-----w- c:\docume~1\treemank\applic~1\GetRightToGo
2011-04-22 03:30:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 03:30:52 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 22:31:45 0 ----a-w- c:\windows\Wzogequpaliri.bin
2011-04-14 08:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 08:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-06 00:41:50 -------- d-----w- c:\program files\StreamTorrent 1.0
2011-04-06 00:41:50 -------- d-----w- c:\docume~1\treemank\applic~1\StreamTorrent
2011-04-04 22:07:11 -------- d-----w- c:\program files\Amazon
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD753LJ rev.1AA01117 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-14
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x884B2570]<<
c:\docume~1\treemank\locals~1\temp\catchme.sys
_asm { PUSH EBP; CALL 0x6; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DDCAB8]
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D4D33B
user & kernel MBR OK
.
============= FINISH: 16:31:29.00 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 rotatinringking

rotatinringking
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:12 PM

Posted 28 April 2011 - 10:49 PM

Got it working, feel free to delete my topic. Thanks!

#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:12 AM

Posted 29 April 2011 - 12:57 PM

Thank you for letting us know.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:12 AM

Posted 29 April 2011 - 12:57 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users