Infected with Tanzinga redirect virus


  • This topic is locked
5 replies to this topic

#1 scifijunkie

scifijunkie

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:25 PM

Posted 16 May 2011 - 10:32 PM

I'm trying to help another user with this apparent virus. I don't know if it's connected, but icons are missing from several folders. The Accessories>System Tools folder is empty, but the programs exist on the drive. When I first started looking at the machine, the task bar would spontaneously switch from Classic to XP Theme. Programs still do not run correctly. The PC was running AVG antivirus. I believe it is uninstalled, but it gave me a lot of trouble and a lot of errors while trying to get rid of it during repairs. Since it is now gone, I do not have that error message to post. However, I see right off the bat in the log below that it is still listed. I appreciate any suggestions you can give me.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Front Desk at 21:08:08.29 on Mon 05/16/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1673 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Front Desk\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261449017376
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://traxsolutions.nfocus.com/AppSupport/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 siigpar;SIIG Parallel port driver;c:\windows\system32\drivers\siigpar.sys [2007-6-25 81920]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
R2 MSSQL$TRAXDESKTOP;SQL Server (TRAXDESKTOP);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 n5lpt.sys;N5 Print Device;c:\windows\system32\drivers\n5lpt.sys [2009-12-22 21132]
R2 Stld;Stld;c:\windows\system32\drivers\STLD.SYS [2009-12-22 10240]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg10\avgwdsvc.exe" --> c:\program files\avg\avg10\avgwdsvc.exe [?]
S2 gupdate1ca88e52bd7d91f;Google Update Service (gupdate1ca88e52bd7d91f);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 133104]
S2 key5usb;KeyFive USB Reader;c:\windows\system32\drivers\key5usb.sys [2009-12-22 17652]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-22 1684736]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 B-Service;B-Service;c:\documents and settings\front desk\local settings\temporary internet files\content.ie5\0dzcd6ik\b-service.exe --> c:\documents and settings\front desk\local settings\temporary internet files\content.ie5\0dzcd6ik\B-Service.exe [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
=============== Created Last 30 ================
.
2011-05-12 06:03:33 -------- d-----w- c:\docume~1\frontd~1\applic~1\GetRightToGo
2011-05-12 05:30:38 581418 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-05-12 04:53:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-12 04:53:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-12 02:34:00 -------- d-sha-r- C:\cmdcons
2011-05-12 02:30:52 98816 ----a-w- c:\windows\sed.exe
2011-05-12 02:30:52 89088 ----a-w- c:\windows\MBR.exe
2011-05-12 02:30:52 256512 ----a-w- c:\windows\PEV.exe
2011-05-12 02:30:52 161792 ----a-w- c:\windows\SWREG.exe
2011-05-11 23:11:43 -------- d-----w- c:\windows\pss
2011-05-11 22:42:45 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-05-11 22:42:45 -------- d-----w- c:\program files\Belarc
2011-05-11 21:03:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-11 21:03:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 21:03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-06 14:21:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-06 14:21:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ---ha-w- c:\windows\system32\win32k.sys
2011-02-24 18:54:59 73728 ---ha-w- c:\windows\system32\javacpl.cpl
2011-02-24 18:54:59 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ---ha-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-00A7B2 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D986F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d9ea10]; MOV EAX, [0x89d9ea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DE3AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D4BF18]
\Driver\atapi[0x89E0CD50] -> IRP_MJ_CREATE -> 0x89D986F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D9853B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:09:11.06 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:25 AM

Posted 17 May 2011 - 03:36 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#3 scifijunkie

scifijunkie
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:25 PM

Posted 17 May 2011 - 05:23 PM

Thank you for helping. Here is the log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-17 16:20:48
-----------------------------
16:20:48.484 OS Version: Windows 5.1.2600 Service Pack 3
16:20:48.484 Number of processors: 2 586 0x170A
16:20:48.484 ComputerName: BBGC46 UserName:
16:20:49.468 Initialize success
16:21:07.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
16:21:07.671 Disk 0 Vendor: WDC_WD5000AAKS-00A7B2 01.03B01 Size: 476940MB BusType: 3
16:21:07.671 Device \Driver\atapi -> DriverStartIo 89d8253b
16:21:09.671 Disk 0 MBR read successfully
16:21:09.671 Disk 0 MBR scan
16:21:09.671 Disk 0 TDL4@MBR code has been found
16:21:09.671 Disk 0 Windows XP default MBR code found via API
16:21:09.671 Disk 0 MBR hidden
16:21:09.671 Disk 0 MBR [TDL4] **ROOTKIT**
16:21:09.671 Disk 0 trace - called modules:
16:21:09.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89d826f0]<<
16:21:09.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89de0ab8]
16:21:09.671 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x89d42e10]
16:21:09.671 \Driver\atapi[0x89e22908] -> IRP_MJ_CREATE -> 0x89d826f0
16:21:09.671 Scan finished successfully
16:22:09.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Front Desk\Desktop\MBR.dat"
16:22:09.265 The log file has been saved successfully to "C:\Documents and Settings\Front Desk\Desktop\aswMBR.txt"
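Both MBR scan logs in this thread, the GMER-based ROOTKIT section of the DDS log in post #1 and the aswMBR output in post #3, carry the indicator lines a responder reads first: a hooked DriverStartIo on \Driver\atapi, an unknown module in the disk call chain, "TDL4@MBR code has been found", "MBR hidden" and the "**ROOTKIT**" verdict. The following Python script is an added example and is not code from the thread or from the GMER, DDS or aswMBR tools: it runs a small set of indicator rules over scan-log text and collapses the hits into a triage verdict. GMER_SAMPLE and ASWMBR_SAMPLE are trimmed from the two logs above; CLEAN_SAMPLE is a constructed, illustrative excerpt, and the rules are heuristics drawn from the lines on the page rather than the scanners' own detection logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample inputs. GMER_SAMPLE and ASWMBR_SAMPLE are trimmed from the two logs
# posted in this thread; CLEAN_SAMPLE is a constructed, illustrative excerpt
# of an unremarkable aswMBR run (not real tool output).
GMER_SAMPLE = r"""
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D986F0]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DE3AB8]
\Driver\atapi[0x89E0CD50] -> IRP_MJ_CREATE -> 0x89D986F0
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D9853B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

ASWMBR_SAMPLE = r"""
16:21:07.671 Device \Driver\atapi -> DriverStartIo 89d8253b
16:21:09.671 Disk 0 MBR read successfully
16:21:09.671 Disk 0 MBR scan
16:21:09.671 Disk 0 TDL4@MBR code has been found
16:21:09.671 Disk 0 Windows XP default MBR code found via API
16:21:09.671 Disk 0 MBR hidden
16:21:09.671 Disk 0 MBR [TDL4] **ROOTKIT**
16:21:09.671 Scan finished successfully
"""

CLEAN_SAMPLE = r"""
16:21:09.671 Disk 0 MBR read successfully
16:21:09.671 Disk 0 MBR scan
16:21:09.671 Disk 0 Windows XP default MBR code
16:21:09.671 Scan finished successfully
"""

# Indicator rules: (pattern, severity, why it matters). Heuristics drawn from
# the lines in the two logs above, not the scanners' own verdict logic.
INDICATORS: List[Tuple[re.Pattern[str], str, str]] = [
    (re.compile(r"\*\*ROOTKIT\*\*"), "high",
     "scanner verdict line: MBR flagged as rootkit"),
    (re.compile(r"TDL4@MBR"), "high",
     "TDL4 bootkit code found in the on-disk MBR"),
    (re.compile(r"^Warning:.*rootkit", re.IGNORECASE), "high",
     "scanner warning naming a rootkit family"),
    (re.compile(r"DriverStartIo"), "high",
     "disk driver DriverStartIo routine hooked: MBR reads can be filtered"),
    (re.compile(r"\bMBR hidden\b"), "medium",
     "raw MBR differs from what the Windows API returns"),
    (re.compile(r">>UNKNOWN \["), "medium",
     "unknown module in the disk I/O call chain"),
]


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def triage_mbr_log(text: str) -> List[Finding]:
    """Run every indicator rule over each log line; at most one finding per line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, severity, reason in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(severity, reason, line))
                break
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse findings into a triage verdict: infected, suspicious or clean."""
    if any(f.severity == "high" for f in findings):
        return "infected"
    if findings:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("GMER", GMER_SAMPLE), ("aswMBR", ASWMBR_SAMPLE),
                         ("clean", CLEAN_SAMPLE)):
        found = triage_mbr_log(sample)
        print(f"{name}: {verdict(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.reason}\n      {f.line}")
```

The GMER excerpt is the instructive case: it reports "user & kernel MBR OK" and still ends with a rootkit warning, because a filter hooked into the disk driver's DriverStartIo can hand back a clean-looking MBR to both user-mode and kernel-mode reads. That is why the script weights the hook line itself, not just the verdict lines, and why a log with no "**ROOTKIT**" string must not be read as clean. aswMBR's "MBR hidden" line is the same discrepancy seen from the other side: the sector it read directly contains TDL4 code while the Windows API returned the stock XP boot code.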

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:25 AM

Posted 18 May 2011 - 01:32 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

#5 scifijunkie

scifijunkie
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:25 PM

Posted 18 May 2011 - 09:12 PM

That appeared to work. However, the Windows system is so damaged that I have decided to wipe the drive and reinstall Windows. Thank you very much for your help. I think too much had been done to the system before I got to it to be able to save it. Thank you, again.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:25 AM

Posted 19 May 2011 - 04:43 AM

Thanks for letting me know. :)

So long, and thanks for all the fish.
