Browser keeps redirecting, TDL4@MBR has been found.


This topic is locked
2 replies to this topic

#1 buggler

buggler

  • Members
  • 1 posts

Posted 18 May 2011 - 05:14 PM

PC was infected with multiple fake antiviruses. Once they were gone the machine seems clean, but the browser keeps redirecting after I visit my 2nd or 3rd page. Avast detects a rootkit and does a scan on boot; it will delete some files, and then when I get to the desktop it does the same thing: detects a rootkit and asks to do a boot scan. I've run Malwarebytes, SUPERAntiSpyware, and ComboFix. They helped, but something is still in the system. Here are the logs and stuff.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Bill at 16:59:11.85 on Wed 05/18/2011
Internet Explorer: 7.0.5730.13
.
============== Running Processes ===============
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Bill\My Documents\Downloads\dds.scr
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-3e8f9418-cdf1-0093-0000-408000004080&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-AY4f%2boAM9qVmtCXMu9cje61N%2b7kGroh2jUcHu%2fVBbhZOM%2f6%2f6IhSptTIYVsOHDBr&TARGET=-SM-https%3a%2f%2feagent%2efarmersinsurance%2ecom%2findex%2ehtml
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [combofix] "c:\combofix\cf20517.cfxxe" /c "c:\combofix\C.bat"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgXTwain61.cab
DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/icms/viewers/crystalreportviewers11/ActiveXControls/PrintControl.cab
DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} - hxxp://www2.mastervoip.us/commpilot/customcontrols/BwOutlook.CAB
DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgXDialog61.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226970948963
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226976888203
DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgX61.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1244666182106&h=ed20919c1e34abdec4137600375b3e11/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www1.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {B2D168E0-5597-101D-843A-DA16297B4C87} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/rm2.cab
DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} - hxxps://bie.farmersinsurance.com/prweb/PRServletLDAP1/8gYJ4DHQrCXUTefMjim_tw%5B%5B*/prvisiointerface.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} - hxxp://mobius.farmersinsurance.com/Agent/content/iejpwenu.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://calsurance.webex.com/client/T27L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {4000D573-1E11-4F16-9FA8-5C6E0903DAA2} - msiexec /fpu {4000D573-1E11-4F16-9FA8-5C6E0903DAA2} /qb
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\bill\applic~1\mozilla\firefox\profiles\ldoytnlx.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
.
============= SERVICES / DRIVERS ===============
.
R? MEMSWEEP2;MEMSWEEP2
R? nosGetPlusHelper;getPlus® Helper 3004
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? MSSQL$COSSNET8082;SQL Server (COSSNET8082)
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? SAVRKBootTasks;Boot Tasks Driver
.
=============== Created Last 30 ================
.
2011-05-18 19:43:29 -------- d-sha-r- C:\cmdcons
2011-05-18 19:39:57 -------- d-s---w- C:\ComboFix
2011-05-18 19:28:28 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-05-18 19:02:29 -------- d-----w- c:\program files\Sophos
2011-05-18 15:30:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-18 15:30:02 40112 ----a-w- c:\windows\avastSS.scr
2011-05-18 15:29:53 -------- d-----w- c:\program files\AVAST Software
2011-05-18 15:29:53 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\AVAST Software
2011-05-18 04:49:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 03:24:31 -------- d-----w- c:\program files\CCleaner
2011-05-18 02:53:58 -------- d-----w- c:\docume~1\bill\applic~1\SUPERAntiSpyware.com
2011-05-17 21:28:46 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2011-05-17 21:28:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-17 16:41:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 16:41:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 16:40:58 -------- d-----w- C:\drivers
2011-05-17 15:15:22 98816 ----a-w- c:\windows\sed.exe
2011-05-17 15:15:22 89088 ----a-w- c:\windows\MBR.exe
2011-05-17 15:15:22 256512 ----a-w- c:\windows\PEV.exe
2011-05-17 15:15:22 161792 ----a-w- c:\windows\SWREG.exe
2011-05-17 14:22:07 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-05-10 22:14:00 -------- d--h--w- c:\docume~1\bill\locals~1\applic~1\Temp
2011-05-10 21:09:36 -------- d--h--w- c:\docume~1\bill\applic~1\SpaceMonger
2011-05-10 21:09:35 -------- d-----w- c:\program files\SpaceMonger
2011-05-10 19:20:13 -------- d-----w- C:\reset
2011-05-10 19:19:07 -------- d-----w- c:\program files\Windows Resource Kits
2011-05-05 00:53:45 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2011-05-05 00:52:28 -------- d--h--w- c:\docume~1\bill\applic~1\Malwarebytes
2011-05-05 00:52:20 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-05 00:52:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 00:36:38 -------- d-----w- C:\~ErdUserProfile.$$$
2011-04-26 17:58:24 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\MFAData
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ---ha-w- c:\windows\system32\win32k.sys
2008-11-12 20:51:07 19685 -c--a-w- c:\program files\common files\akaty.bat
2008-11-12 20:51:07 18198 -c--a-w- c:\program files\common files\anemyg.bin
2008-11-12 20:51:07 15618 -c--a-w- c:\program files\common files\dihytag.sys
2008-11-12 20:51:07 15053 -c--a-w- c:\program files\common files\yxuzobegy.bat
2008-11-12 20:51:07 14500 -c--a-w- c:\program files\common files\ypicubo.scr
2008-11-12 00:03:37 18556 -c--a-w- c:\program files\common files\yqoparupok.dll
2008-11-12 00:03:37 17529 -c--a-w- c:\program files\common files\acegute.scr
2007-11-28 23:44:38 774144 -c--a-w- c:\program files\RngInterstitial.dll
2001-09-29 00:00:28 164864 ----a-w- c:\program files\UNWISE.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380819AS rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B454D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b4b7f0]; MOV EAX, [0x89b4b86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89B62AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006a[0x89BAF9E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x89B66D98]
\Driver\atapi[0x89BF9030] -> IRP_MJ_CREATE -> 0x89B454D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B4531B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:03:13.65 ===============



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 19 May 2011 - 06:46 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
I'd like to see the ComboFix log. Click Start > Run or press Windows Key + R, copy/paste the following into the run box that opens and press OK:
c:\ComboFix.txt

That should open the log. Please post it in your next reply.

Download aswMBR.exe (511KB) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
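The Gmer section of the DDS log in post #1 reads the MBR twice ("user: MBR read successfully", "kernel: MBR read successfully") and compares the two copies, and the aswMBR step above asks for the same kind of sector check from a second tool. The script below is an added example, not code from the original thread and not Gmer's or aswMBR's own code: it parses a 512-byte MBR image, extracts the partition table, and diffs the boot-code region of two reads of sector 0, which is the comparison an MBR rootkit detector makes between the view the OS is handed and the sector as it actually sits on disk. Every byte in it is constructed for illustration (the "clean" sector, the "patched" sector and the partition entry are made up); it contains no TDL4 sample and no signature.

```python
# Added example, not code from the original thread or from Gmer/aswMBR: parse
# a 512-byte MBR image and diff two reads of sector 0, which is the comparison
# MBR rootkit detectors make between a "user" read through the normal disk
# stack and a lower-level "kernel"/direct read. Every byte below is constructed
# for illustration; it is not a real TDL4 sample and is not a signature.
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Contiguous [start, end) byte ranges at which a and b differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def compare_mbr_views(user_view: bytes, raw_view: bytes) -> dict:
    """Compare two reads of sector 0. A bootkit that filters disk I/O can hand
    callers a clean-looking copy while the sector on disk holds its loader,
    so a mismatch in the boot-code region is the signal to look for."""
    user_parts = parse_partitions(user_view)
    raw_parts = parse_partitions(raw_view)
    code_diffs = diff_ranges(user_view[:BOOT_CODE_LEN], raw_view[:BOOT_CODE_LEN])
    return {
        "boot_code_match": not code_diffs,
        "boot_code_diff_ranges": code_diffs,
        "partition_table_match": user_parts == raw_parts,
        "raw_partitions": raw_parts,
    }


def clean_mbr_sample() -> bytes:
    """Constructed stand-in for a clean MBR: a stub of boot code, one bootable
    NTFS-type (0x07) partition, and the 0x55AA signature."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_id = b"\x00" * 6  # bytes 440..445: disk signature and reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156296322)
    return code + disk_id + entry + b"\x00" * 48 + SIGNATURE


def hidden_loader_sample() -> bytes:
    """The same sector as a bootkit would leave it: entry point redirected into
    patched boot code, partition table untouched. Placeholder bytes, constructed."""
    sector = bytearray(clean_mbr_sample())
    sector[0:3] = b"\xEB\x3C\x90"    # jmp short to offset 0x3E, the patched region
    sector[0x3E:0x4A] = b"\xCC" * 12  # stand-in for injected loader code
    return bytes(sector)


if __name__ == "__main__":
    # What the OS is shown (clean copy served by a filtering driver) vs. the raw sector.
    report = compare_mbr_views(clean_mbr_sample(), hidden_loader_sample())
    print(report)
```

One caveat the log itself illustrates: the Gmer run in post #1 reports "user & kernel MBR OK" and still raises its warning, because what it found was the hook on \Driver\atapi DriverStartIo, not a sector mismatch. When both reads travel through the same hooked driver, a comparison like the one above passes, which is why such detectors also inspect the driver's dispatch and StartIo pointers, and why a second tool is asked for before anything is concluded from one clean compare.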


#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 24 May 2011 - 07:56 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





