
fixed: Security 2012, no exe, ping, hoax links, popups


  • Please log in to reply
4 replies to this topic

#1 islandgal

islandgal

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 18 December 2011 - 11:11 PM

Hi,

I've spent better part of four days on this, reading every similar thread and running LOTS of utils and av/as programs.

XP/Pro/SP3 computer with latest firefox. SuperAntiSpyware Pro lifetime subscription, with real-time protection, latest updates.

While clicking on a Google result in Firefox (get the NoScript addon, to mimic the protection IE gives with zone/trusted sites settings), the Security 2012 screen popped up. Having had it last year while running SASPro, I knew just how to kill it. Found the xow.exe file and deleted it from the computer, using CCleaner to clean all history, recent files, cache and temp files. That got rid of the popups, but corrupted rundll32 and I could not run .exe files.

Downloaded rkill and malwarebytes and ran in safe mode as admin, which fixed the exe file problem.

But was still seeing ping.exe loaded and using up all the resources, and when on internet, clicking a link in search, either Firefox or IE, took me to other sites. I had to type in every site I wanted in the search bar.

Then ran GMER in safe mode (which took 4 hours and then hung the computer), but not before I discovered in the results that I had an afd.sys rootkit infection. Ran TDSSKiller, which removed it. So far, everything looks fine now. I rebooted and ran TDSSKiller again, and nothing was found.

I'm disappointed my SASPro, which is supposed to be good at rootkits, did not protect me. Below is the GMER log listing the infection.

By the way, you might be interested to know, I called my credit card company last night to try and pay by phone, because I didn't want to log in online while infected. Their systems were down, and the customer service agent, upon hearing why I was late paying my bill, told me to go online and find a tool called GMER. It seems even the big guys get infected, they just won't usually admit it to their customers.

Best wishes to you all in becoming CLEAN again!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-18 21:06:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9SA00 rev.MB4OC60R
Running: y2sk43t1.exe; Driver: C:\DOCUME~1\Lynn\LOCALS~1\Temp\kgtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA92B7640]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7F9CEBF]
.text afd.sys A92D0000 125 Bytes [2D, A9, 6A, 00, FF, 73, 0C, ...]
.text afd.sys A92D007F 4 Bytes CALL A92D6BCC \SystemRoot\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys A92D0085 61 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys A92D00C3 41 Bytes [83, C8, FF, 83, C1, 40, 87, ...]
.text afd.sys A92D00ED 44 Bytes [43, 18, 8B, 78, 0C, 66, 81, ...]
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A7000A
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A8000A
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0169000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!MmSizeOfMdl] 8908890E
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlInitString] 568B0441
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!_wcsupr] 044A8B08
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlEqualString] 83084A2B
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlAddAccessAllowedAceEx] 5589A8C6
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoRequestDeviceEject] 18538BE8
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlMultiByteToUnicodeN] 4D89CA3B
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoBuildPartialMdl] 92820FF8
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlEqualSid] 8B000001
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlEqualUnicodeString] 498BE84D
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!KeReleaseMutex] 0FC9840C
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlInitUnicodeString] 00018488
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlCompareString] 20C1F600
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!KeInitializeTimerEx] 017B840F
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlFindSetBits] C0330000
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlUpperChar] 87384E8D
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!RtlHashUnicodeString] 75C08501

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fastfat \Fat A7A9ED20
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A942E000-A9448000 (106496 bytes)

Edited by islandgal, 18 December 2011 - 11:43 PM.
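To make a GMER log like the one above quicker to read from a defender's seat, here is an added triage script (not GMER's code and not part of the original post) that pulls out the four indicator types this thread turns on: the altered afd.sys file image, kernel driver code that differs from disk, import-table entries GMER could not resolve to a symbol, and the hidden module. The sample input is a few lines copied from the log above; the `KERNEL_BASE` heuristic assumes 32-bit XP without the /3GB switch.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the GMER log in the post above,
# covering each indicator type the triage looks for.
SAMPLE_LOG = """\
---- Kernel code sections - GMER 1.0.15 ----
.text afd.sys A92D0000 125 Bytes [2D, A9, 6A, 00, FF, 73, 0C, ...]
? C:\\WINDOWS\\System32\\drivers\\afd.sys suspicious PE modification
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \\SystemRoot\\System32\\drivers\\afd.sys[ntoskrnl.exe!MmSizeOfMdl] 8908890E
IAT \\SystemRoot\\System32\\drivers\\afd.sys[ntoskrnl.exe!RtlInitString] 568B0441
IAT \\SystemRoot\\System32\\drivers\\afd.sys[ntoskrnl.exe!_wcsupr] 044A8B08
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) A942E000-A9448000 (106496 bytes)
"""

# GMER prints an IAT entry as a bare 8-hex-digit value only when it could not
# resolve the target to an exported symbol; a healthy afd.sys has none of these.
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+?)\]\s+([0-9A-Fa-f]{8})$")
KERNEL_BASE = 0x80000000  # assumed: lowest kernel-space address on 32-bit XP, no /3GB

def triage_gmer(log: str) -> Dict[str, List[str]]:
    """Group the rootkit indicators in a GMER log by type."""
    f: Dict[str, List[str]] = {"pe_modified": [], "kernel_patch": [],
                               "bad_iat": [], "hidden_module": []}
    for line in (raw.strip() for raw in log.splitlines()):
        if line.endswith("suspicious PE modification"):
            # "? <path> suspicious PE modification": the driver's on-disk image was altered
            f["pe_modified"].append(line.split(maxsplit=1)[1].rsplit(" suspicious", 1)[0])
        elif line.startswith(".text ") and ".sys " in line:
            # in-memory code of a kernel driver differs from its file image
            f["kernel_patch"].append(line.split()[1])
        elif "*** hidden ***" in line:
            # module present in memory but missing from the loaded-module list
            f["hidden_module"].append(line)
        else:
            m = IAT_RE.match(line)
            if m:
                driver, symbol, target = m.groups()
                name = driver.rsplit("\\", 1)[-1]
                # a value below KERNEL_BASE cannot be a kernel pointer at all: the patched
                # import table holds code bytes, not addresses, so both kinds are reported
                why = "below kernel base" if int(target, 16) < KERNEL_BASE else "unresolved"
                f["bad_iat"].append(f"{name} {symbol} -> {target} ({why})")
    return f

def implicated_drivers(f: Dict[str, List[str]]) -> List[str]:
    """Drivers that show both a modified file image and broken imports."""
    modified = {p.rsplit("\\", 1)[-1].lower() for p in f["pe_modified"]}
    iat = {e.split()[0].lower() for e in f["bad_iat"]}
    return sorted(modified & iat)
```

Run against the full log above, `implicated_drivers` singles out afd.sys, which matches what TDSSKiller then removed.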



#2 islandgal

islandgal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 18 December 2011 - 11:32 PM

I did not include all the steps I took which had no result, and scans run with nothing found, even though I was still infected.

For a while I even stopped the ping so I could get online and access more tools, by going into safe mode and renaming all the ping locations in sys32, i386 and prefetch. That actually worked, but I was still being redirected in the browsers. Later, I named them back once I was unplugged from the internet.

#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:29 PM

Posted 19 December 2011 - 09:26 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#4 islandgal

islandgal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 20 December 2011 - 12:05 PM

Broni, I posted Friday in another thread, same issues I was having. There YOU told me to open a new thread, so I did.

I didn't ask you to help, so per the forum rules, was not required to post logs. I didn't recommend to any other person what they should do on their computer. From what I can tell, I was completely within your rules.

The purpose was to share some knowledge with other users who might, like me, not wish to post 10 pages of log and wait for a reply the next morning, then take step 2, post more logs and wait hours for another reply, but would rather get some ideas of what might work and try them.

Because of the infection, I did not want to be online AT ALL. What I posted was what I wished I could have found when I first got infected. So this isn't a forum, this is a teacher/student type setup? We can't talk to each other, only report to teachers and then listen to their advice? I've been using this site for years, and recommending it to colleagues. I have been an IT professional since I bet you were in diapers. ;-)

#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:29 PM

Posted 20 December 2011 - 08:33 PM

I don't see your topic in malware removal forum.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
