The machine I am working with has a malware infection that is not detected by Malwarebytes.

The symptom is that both IE8 and FF4 redirect search results and clicks on search results. The domain lakyclktolakylock.com can be seen when the redirect occurs.

Thanks in advance.

dds.txt:

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by sunny at 14:48:56 on 2011-06-05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1470 [GMT -7:00]

.

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe

C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [skyTel] SkyTel.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194586176734

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2411D552-2EFA-4BB0-8DB1-9DFD1AF59E14} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2006-2-23 11264]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-5 20968]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-3-30 1523008]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2011-2-10 10064]

S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]

S3 cpuz134;cpuz134;\??\c:\docume~1\sunny\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\sunny\locals~1\temp\cpuz134\cpuz134_x32.sys [?]

S3 dump_wmimmc;dump_wmimmc;\??\c:\karosonline\gameguard\dump_wmimmc.sys --> c:\karosonline\gameguard\dump_wmimmc.sys [?]

S3 edxapi;edxapi;\??\c:\docume~1\sunny\locals~1\temp\edxapi.sys --> c:\docume~1\sunny\locals~1\temp\edxapi.sys [?]

S3 gbthport;gbthport;\??\c:\docume~1\sunny\locals~1\temp\gbthport.sys --> c:\docume~1\sunny\locals~1\temp\gbthport.sys [?]

S3 hfdc;hfdc;\??\c:\docume~1\sunny\locals~1\temp\hfdc.sys --> c:\docume~1\sunny\locals~1\temp\hfdc.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]

.

=============== Created Last 30 ================

.

2011-06-05 20:19:01 388096 ----a-r- c:\documents and settings\sunny\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-06-05 20:19:01 -------- d-----w- c:\program files\Trend Micro

2011-06-05 18:48:00 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2011-06-05 18:47:57 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2011-06-05 18:47:40 -------- d-----w- c:\documents and settings\sunny\application data\TuneUp Software

2011-06-05 18:47:31 -------- d-----w- c:\program files\TuneUp Utilities 2011

2011-06-05 18:47:25 -------- d-----w- c:\documents and settings\all users\application data\TuneUp Software

2011-06-05 18:24:40 -------- d-sh--w- c:\documents and settings\all users\application data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}

2011-06-02 01:17:05 -------- d-----w- c:\program files\AVG Anti-Virus

2011-06-02 01:08:24 -------- d-----w- C:\MGtools

2011-06-01 23:23:34 -------- d-sha-r- C:\cmdcons

2011-06-01 23:20:18 98816 ----a-w- c:\windows\sed.exe

2011-06-01 23:20:18 518144 ----a-w- c:\windows\SWREG.exe

2011-06-01 23:20:18 256512 ----a-w- c:\windows\PEV.exe

2011-06-01 23:20:18 208896 ----a-w- c:\windows\MBR.exe

2011-06-01 23:00:04 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-01 23:00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-01 23:00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-01 22:13:18 -------- d-----w- c:\documents and settings\sunny\application data\SUPERAntiSpyware.com

2011-06-01 22:13:18 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-06-01 22:13:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-01 16:42:05 -------- d-sh--w- c:\documents and settings\sunny\IECompatCache

2011-05-31 02:42:55 -------- d-----w- c:\program files\common files\Steam

2011-05-30 21:37:32 -------- d-----w- c:\documents and settings\all users\application data\Alawar

2011-05-30 20:31:07 -------- d-----w- c:\program files\Supermarket Management 2

2011-05-30 20:30:11 -------- d-----w- c:\program files\Hotel Mogul - Las Vegas

2011-05-30 02:50:59 -------- d-----w- c:\documents and settings\sunny\application data\Malwarebytes

2011-05-30 02:50:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-30 02:49:05 -------- d-----w- c:\program files\Lavasoft

2011-05-30 02:25:30 0 ----a-w- c:\windows\Eniduwaruyumoga.bin

2011-05-23 17:08:58 -------- d-----w- c:\documents and settings\sunny\application data\Ph03nixNewMedia

2011-05-23 03:29:57 -------- d-----w- c:\program files\Jet Set Go

2011-05-20 14:53:37 -------- d-----w- c:\documents and settings\sunny\application data\thejoyoffarming

2011-05-19 23:42:55 -------- d-----w- c:\documents and settings\sunny\application data\Settlement. Colossus

2011-05-19 23:00:23 -------- d-----w- c:\documents and settings\all users\application data\Gogii

2011-05-19 06:22:44 -------- d-----w- c:\program files\e-Sword

2011-05-19 06:16:18 -------- d-----w- c:\documents and settings\sunny\local settings\application data\Downloaded Installations

2011-05-18 05:40:29 -------- d-----w- c:\program files\Mystery Trackers - Raincliff Collector's Edition

2011-05-18 01:04:40 -------- d-----w- c:\documents and settings\sunny\application data\blg

2011-05-18 01:04:40 -------- d-----w- c:\documents and settings\all users\application data\blg

2011-05-18 00:09:33 -------- d-----w- c:\documents and settings\sunny\application data\Manifesto Games

2011-05-17 22:50:02 -------- d-----w- c:\documents and settings\sunny\application data\Jumb-O-Fun Games

2011-05-17 16:33:26 -------- d-----w- c:\documents and settings\sunny\application data\GoldSunGames

2011-05-17 06:09:09 -------- d-----w- c:\documents and settings\sunny\application data\Elephant Games

2011-05-17 06:09:09 -------- d-----w- c:\documents and settings\all users\application data\Elephant Games

2011-05-17 06:06:14 -------- d-----w- c:\program files\Spa Mania 2

2011-05-11 17:51:00 -------- d-----w- c:\documents and settings\sunny\application data\playmink

2011-05-10 22:22:36 -------- d-----w- c:\program files\Vesuvia

2011-05-10 22:16:56 -------- d-----w- c:\program files\Build-a-Lot - The Elizabethan Era

2011-05-10 22:15:43 -------- d-----w- c:\program files\Gemini Lost

.

==================== Find3M ====================

.

2011-05-31 22:17:28 26112 ----a-w- c:\windows\system32\userinit.exe

2011-05-30 02:51:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-04-14 12:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 09:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1500ADFD-00NLR5 rev.21.07QR5 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7CF4D0]<<

c:\windows\system32\drivers\xfilt.sys VIA Technologies,Inc VIA filter driver

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7d57f0]; MOV EAX, [0x8a7d586c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A882AB8]

3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A7F4ED0]

5 xfilt[0xF7720026] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000007b[0x8A8D85F8]

7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A7F1940]

\Driver\atapi[0x8A838358] -> IRP_MJ_CREATE -> 0x8A7CF4D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A7CF31B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 14:50:21.70 ===============

Attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
