
Incomplete Malware download not detecting on Spybot



SirRunOn
2006-02-25, 18:17
I have an irksome piece of malware, which I can see but which isn't detected by any spyware removal program.

The annoying thing crashed out my explorer.exe while it was merrily uploading itself to me off the net, and isn't fully there. I'm getting wondrous stack overflow errors and all sorts of nice stuff.

I can't even find where the darn thing is calling itself in the registry, or stop its exe file from loading.

I've logged the errors (at the end of this post) and found a few of the files.

The names are ibm00011.dll, ibm00012.dll and ibm00011.exe.

I'm of course not sure if this was the place to put this, being very new here, so my apologies for any miscommunication.

SRO

edit:
Possibly may have come from here: hxxx://wxxx.nn.iij4u.or.jp/~exup/island/main.html
yeah yeah, I know, anime
Disabled url -tashi
Stack dump:
8004038a 006beeac 619a6f11 0084bc04 0099eac0 0099eac0 006beebc 619a3b48 8004038a 800400c0 006beed0 619af34f 800400c0 00000000 009a0ef0 006beee4
**********************************************************************
Date 02/25/2006 Time 07:19
EXPLORER caused an invalid page fault in
module IBM00003.DLL at 0187:1000b4df.
Registers:
EAX=ffff2c20 CS=0187 EIP=1000b4df EFLGS=00010283
EBX=01d06c1c SS=018f ESP=00c9ff64 EBP=00c9ff98
ECX=006d1544 DS=018f ESI=01d14000 FS=6467
EDX=79fb402f ES=018f EDI=00000004 GS=1826
Bytes at CS:EIP:
38 16 75 fa 38 56 01 75 f5 8b 4d f8 46 46 48 89
Stack dump:
819f5194 00000008 81916e58 00c9fde0 00000000 00c9ffbc bffb1b20 bff69198 ffffffff 00c9ffcc 00000050 01dd0b60 bff78147 00c9ffcc bff79391 00000240
**********************************************************************
Date 02/25/2006 Time 09:36
TAPISRV caused an invalid page fault in
module <unknown> at dff7:01e039ae.
Registers:
EAX=00000102 CS=0187 EIP=01e039ae EFLGS=00010206
EBX=000003e8 SS=018f ESP=01f2ff74 EBP=01f2ff98
ECX=dff365b0 DS=018f ESI=bff6c90d FS=310f
EDX=bffbb490 ES=018f EDI=81993c10 GS=0000
Bytes at CS:EIP:

Stack dump:
81993c10 00000008 8197fd10 01e0e284 01e0ee5c 01e0e2a4 01e0ee44 00000130 0000012c 01f2ffcc bff79391 01e0efec 81993c10 00000008 8197fd10 00000007
**********************************************************************
Date 02/25/2006 Time 09:36
TAPISRV caused an invalid page fault in
module <unknown> at dfe7:01e039ae.
Registers:
EAX=00000102 CS=0187 EIP=01e039ae EFLGS=00010206
EBX=000003e8 SS=018f ESP=0216ff74 EBP=0216ff98
ECX=de81b650 DS=018f ESI=bff6c90d FS=3267
EDX=bffbb490 ES=018f EDI=81998dbc GS=0000
Bytes at CS:EIP:

Stack dump:
81998dbc 00000008 8197fd10 01e0e2e4 01e0efb0 01e0e304 01e0ee78 00000130 00000138 0216ffcc bff79391 01e0ee2c 81998dbc 00000008 8197fd10 00000007
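
The crash records above follow a fixed text layout (a Date/Time line, a "process caused an invalid page fault in" line, then the module and address). As an added example, not code from the post or from Spybot, here is a small Python parser that pulls those fields out of each record, flags faulting modules that follow the ibm000NN naming mentioned in the post (a hypothetical triage rule), and lists records where the faulting address belonged to no loaded module. The log excerpt inside is constructed in the same format as the one posted.

```python
import re
from dataclasses import dataclass
# Constructed excerpt in the same record layout as the crash log in the post.
SAMPLE_LOG = """\
**********************************************************************
Date 02/25/2006 Time 07:19
EXPLORER caused an invalid page fault in
module IBM00003.DLL at 0187:1000b4df.
Registers:
EAX=ffff2c20 CS=0187 EIP=1000b4df EFLGS=00010283
**********************************************************************
Date 02/25/2006 Time 09:36
TAPISRV caused an invalid page fault in
module <unknown> at dff7:01e039ae.
Registers:
EAX=00000102 CS=0187 EIP=01e039ae EFLGS=00010206
"""

@dataclass
class Fault:
    date: str
    time: str
    process: str
    module: str      # "<unknown>" when the faulting address is in no loaded module
    segment: int
    offset: int

# One record: the Date/Time line, the "<process> caused ..." line, then the module line.
FAULT_RE = re.compile(
    r"Date (?P<date>\S+) Time (?P<time>\S+)\s+"
    r"(?P<proc>\S+) caused an invalid page fault in\s+"
    r"module (?P<mod>\S+) at (?P<seg>[0-9a-f]{4}):(?P<off>[0-9a-f]{8})\.",
    re.IGNORECASE,
)

def parse_faults(text):
    """Return one Fault per crash record found in the log text."""
    return [Fault(m["date"], m["time"], m["proc"], m["mod"],
                  int(m["seg"], 16), int(m["off"], 16)) for m in FAULT_RE.finditer(text)]

# Naming pattern of the files the post names (ibm00011.dll etc.); hypothetical triage rule.
SUSPECT_MODULE_RE = re.compile(r"^ibm\d{5}\.(dll|exe)$", re.IGNORECASE)

def suspicious_modules(faults):
    """Faulting modules whose names follow the ibm000NN pattern, lower-cased and de-duplicated."""
    return sorted({f.module.lower() for f in faults if SUSPECT_MODULE_RE.match(f.module)})

def unknown_module_faults(faults):
    """Records where the faulting address belonged to no loaded module; worth a second look."""
    return [f for f in faults if f.module == "<unknown>"]
```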

tashi
2006-02-25, 19:19
Hi there.
Please go here and read the instructions (if able, please do an on-line anti-virus scan) before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)

Then start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Let us know if you have any problems getting an HJT log.

Cheers. :)