The malware was installed on 9th January 2011, and started with a redirection to system tools. After removing the directory manually and also a VBS script, l.vbs, in ..\local settings\temp, I have observed the following:
(1) Google searches are redirected
(2) a svchost process takes all available CPU (98%)
(3) my sd download will not install ("a connection with the server could not be established")

Please help me with removing this malware.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Robert Prinsen at 13:39:05.29 on 16/01/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.447.124 [GMT 0:00]

AV: Norton 360 *Disabled/Outdated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\NetScaler\NetScaler Secure Remote Access\nsverctl.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Robert Prinsen.TOSHA60RPP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [txhavqfy] c:\docume~1\robert~1.tos\locals~1\temp\pqwrumgxq\annitgjlajb.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt broadband\help\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} - hxxp://support.informatica.com/atlas/19227/applets/SiebelAx_OutBound_mail.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxp://support.informatica.com/atlas/19227/applets/SiebelAx_Desktop_Integration.cab
DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} - hxxp://support.informatica.com/atlas/19227/applets/SiebelAx_HI_Client.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.1.65 POETJE

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2004-8-24 5632]
R2 ns80503;ns80503;c:\windows\system32\ns80503.sys [2009-2-18 42296]
R2 nsverctl;NetScaler SSL VPN Version Control;c:\program files\netscaler\netscaler secure remote access\nsverctl.exe [2009-2-18 53248]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-2-18 43640]
R3 WPC54GSv1;Linksys Wireless Notebook Adapter WPC54GSv1 Driver;c:\windows\system32\drivers\WPC54GSv1.SYS [2006-11-30 610816]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S3 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 cpuz132;cpuz132;\??\c:\docume~1\robert~1.tos\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\robert~1.tos\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091031.004\NAVENG.SYS [2009-10-31 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091031.004\NAVEX15.SYS [2009-10-31 1323568]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-12-30 1245064]

=============== Created Last 30 ================

2011-01-09 04:16:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-09 04:16:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-09 03:38:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\gCkNc07000
2010-12-19 20:28:10 -------- d-----w- c:\program files\iPod
2010-12-19 20:27:55 -------- d-----w- c:\program files\iTunes
2010-12-19 20:27:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-12-19 20:27:13 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-19 20:25:52 -------- d-----w- c:\docume~1\robert~1.tos\locals~1\applic~1\Apple
2010-12-19 20:25:29 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-19 20:25:29 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-19 20:24:49 -------- d-----w- c:\program files\Bonjour
2010-12-19 20:23:08 -------- d-----w- c:\docume~1\robert~1.tos\locals~1\applic~1\Apple Computer

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GAX rev.AD002D -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85330555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x853367b0]; MOV EAX, [0x8533682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x85372AB8]
3 CLASSPNP[0xF7808FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000093[0x85375F18]
5 ACPI[0xF775F620] -> nt!IofCallDriver[0x804E37C5] -> [0x85374B58]
\Driver\atapi[0x852FDBF8] -> IRP_MJ_CREATE -> 0x85330555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8032GAX_______________________AD002D__#5&1c50b25f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8533039B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:40:45.62 ===============