Topic: think it was think point...


B_in Ohio (Guest)
think it was think point...
« on: November 13, 2010, 02:08:33 AM »
Hello all. I am under the belief that the ThinkPoint worm/virus (?) got a bit further than we thought. I was running 4.8 and I think someone here clicked a 'bogus' survey on Facebook, and the rest is unfortunate history.
Occasional redirects of websites, and 5.0 is blocking a malicious URL... rootkit?

Anyway, now on 5.0 and MBAM, and CCleaner. At least 3 full boat scans, and still, from time to time with just Firefox open, 5.0 will give me the pop-up window that states "malicious URL blocked" (I will try to attach a pic of this).


Also, a lot less now, but still an occasional redirect when I want to Google certain websites. So of course I used another machine and have driven myself crazy trying to figure this thing out... so all I can come up with is a rootkit? Virus? How can I get rid of this without reformatting (not an option anywhere near the top of my list)? I wanted to ask the experts because there are no less than 6 solutions on YouTube (using other programs) and who knows if those are any good... Thanks in advance.

Machine is an HP Mini with XP Home, SP3.

superhacker
Re: think it was think point...
« Reply #1 on: November 13, 2010, 11:23:27 AM »
1. Do a Dr.Web CureIt! scan
http://www.freedrweb.com/cureit/?lng=en
2. Do an MBAM scan
http://www.malwarebytes.org/mbam.php
3. Do a SuperAntiSpyware scan
http://www.superantispyware.com/download.html
4. Do a scan with Radix Anti-Rootkit. THIS MAY LEAD TO A BSoD, SO SAVE YOUR WORK BEFORE DOING THE SCAN
http://www.usec.at/rootkit.html
5. Post a Hijack Hunter log here after doing steps 1, 2, 3 and 4
http://www.novirusthanks.org/products/hijack-hunter/
6. Maybe further steps will come after you tell us the results of your scans
Dreams don't die, they just fall asleep.

Omid Farhang
Re: think it was think point...
« Reply #2 on: November 13, 2010, 12:12:30 PM »
B_in Ohio
The state you describe above gives me 2 ideas: either your Windows WinSock is hijacked, or your Windows HOSTS file is.

If you did a full scan with MBAM and avast! and still had no luck, do this:
In CCleaner (make sure you always use the latest version) check 'DNS Cache' too and let it clean up everything.
Now go to http://www.omidfarhang.com/computer/security/virus-removing and follow numbers #4 and #6 for a quick action; if no luck yet, start from number one and go to the end.
Twitter: OmidFarhangEn - OS: Manjaro KDE
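The HOSTS-file hijack mentioned in the post above is easy to check by hand once you know what to look for: any line that maps a well-known site to an address other than loopback, or that pins a security vendor's site to 127.0.0.1 so updates silently fail. The script below is an added example, not code from this thread or from any of the tools it names. The sample HOSTS content, the watch-list of domains and the RFC 5737 documentation addresses in it are all constructed for illustration.

```python
# Added example (not from the thread): parse a Windows HOSTS file and flag
# entries that would silently redirect or blackhole well-known sites.
import ipaddress
import re

# Constructed sample: the default XP hosts file plus entries of the kind a
# redirector adds. 203.0.113.0/24 is a documentation range (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com
203.0.113.7     www.malwarebytes.org
127.0.0.1       update.avast.com
"""

# Constructed watch-list: sites the poster said were redirected, plus vendor
# sites that malware commonly pins to loopback to block updates.
WATCH_DOMAINS = {
    "google.com", "malwarebytes.org", "avast.com", "superantispyware.com",
    "kaspersky.com", "microsoft.com", "cnet.com", "majorgeeks.com",
}

# Loopback mappings that are legitimate in a default hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])] for every non-comment mapping line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue                              # malformed, not a mapping
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries


def _registered(name):
    """Crude eTLD+1 (last two labels); good enough for a watch-list match."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_suspicious(entries, watch=WATCH_DOMAINS):
    """
    Return [(line_no, ip, hostname, reason)] for entries that redirect a
    watched domain off-box, pin a watched domain to loopback, or map any
    other name to a non-loopback address (worth a manual look).
    """
    findings = []
    for n, ip, names in entries:
        for name in names:
            if ip.is_loopback and name in LOOPBACK_OK:
                continue                          # normal default line
            watched = _registered(name) in watch
            if ip.is_loopback and watched:
                findings.append((n, str(ip), name, "watched domain blackholed to loopback"))
            elif not ip.is_loopback and watched:
                findings.append((n, str(ip), name, "watched domain redirected"))
            elif not ip.is_loopback:
                findings.append((n, str(ip), name, "non-loopback mapping (review)"))
    return findings


def check_hosts_text(text, watch=WATCH_DOMAINS):
    """Convenience wrapper: parse then classify in one call."""
    return find_suspicious(parse_hosts(text), watch)


if __name__ == "__main__":
    # On a live XP box you would read C:\WINDOWS\system32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS (the file may be hidden or read-only).
    for n, ip, name, why in check_hosts_text(SAMPLE_HOSTS):
        print(f"line {n}: {ip:<15} {name:<28} {why}")
```

A clean default HOSTS file produces no findings at all, so anything this prints deserves a look. Note that a HOSTS file that looks clean does not rule out the WinSock (LSP) or DNS-level redirection the post also mentions; those live elsewhere and need their own checks.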

B_in Ohio (Guest)
Re: think it was think point...
« Reply #3 on: November 13, 2010, 01:28:38 PM »
Last night (early this morning) I ran avast, SuperAntiSpyware and MBAM again; none picked up anything. I also did CCleaner. I will try CCleaner again just now with the specifics listed by Omid.

B_in Ohio (Guest)
Re: think it was think point...
« Reply #4 on: November 13, 2010, 02:06:19 PM »
Well, if true, HitmanPro already found stuff that the others did not...
"possible variant of the TDL3 rootkit"; it also says master boot record (sector 0) C$MBR. Is this Windows or malicious? It is a program flagged for delete. I will wait to hear on that master boot record find before I delete....

essexboy (Malware removal instructor)
Re: think it was think point...
« Reply #5 on: November 13, 2010, 02:06:48 PM »
Thinkpoint sometimes brings along the TDL4 bootkit for company. To check that out:

DO NOT LET HITMANPRO DELETE THE MBR

Please read carefully and follow these steps.  
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
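Why "do not delete the MBR" matters: sector 0 holds the boot code the BIOS jumps to plus the partition table, and wiping it leaves an unbootable disk. A bootkit such as TDL4 replaces only the boot code and keeps the partition table intact, so the useful check is to parse the sector, compare the boot-code hash against a known-good baseline, and sanity-check the partition entries, rather than deleting the sector. The script below is an added example, not code from this thread or from TDSSKiller or HitmanPro. The sample MBR it builds, the stand-in boot code and the baseline hash are constructed; on a real machine you would record the baseline from a known-clean disk with the same OEM loader.

```python
# Added example (not from the thread): parse a 512-byte MBR, hash its boot
# code against a baseline and sanity-check the partition table.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # classic MBR: boot code, then 4-byte disk signature
PART_TABLE_OFF = 446         # 4 entries of 16 bytes each
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sectors

# Constructed stand-in for the OEM boot code ("jmp $" followed by padding);
# a real baseline would be the hash of the vendor's actual loader.
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 14


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44"            # arbitrary NT disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 0x01000000)
    table = entry + b"\x00" * 48               # three empty entries
    return code + disk_sig + reserved + table + b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Split a sector into signature check, boot-code hash and partitions."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(data)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue                           # unused entry
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(data: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: modified or unknown loader")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    return findings


# Baseline hash of the constructed clean loader (assumption: on a real system
# this comes from a known-clean disk with the same OEM boot code).
BASELINE_SHA256 = parse_mbr(build_sample_mbr(CLEAN_BOOT_CODE))["boot_code_sha256"]


if __name__ == "__main__":
    # On Windows, sector 0 is read with admin rights from r"\\.\PhysicalDrive0";
    # here a constructed tampered sample stands in for it.
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\xcc" * 64)
    for line in check_mbr(tampered, BASELINE_SHA256):
        print("finding:", line)
```

One caveat a practitioner would want: TDL4 filters disk reads from inside the infected OS so that the original MBR is shown in place of the infected one, which is why a check like this should be run from a boot CD or with the disk attached to another machine before trusting a clean result. The partition entries should match what Disk Management shows; if the boot-code hash differs but the table is intact, rewriting only the boot code (what TDSSKiller's Cure does) is the fix, not deleting the sector.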

B_in Ohio (Guest)
Re: think it was think point...
« Reply #6 on: November 13, 2010, 02:11:10 PM »
I thought the MBR was Windows... I will not delete.... I will modify and then finish HitmanPro.

superhacker
Re: think it was think point...
« Reply #7 on: November 13, 2010, 03:07:03 PM »
That is why I asked for an anti-rootkit log, Omid, since the redirections may be caused by a TDL rootkit ;)

B_in Ohio (Guest)
Re: think it was think point...
« Reply #8 on: November 13, 2010, 03:59:00 PM »
OK Omid, I am done with your recommendations... I am restarting the computer now. BTW, since the previous posts, MBAM did not find anything and I ran HitmanPro and Hosts Pro...

What is a good way to check the system now? The only thing I can think of is to try to open Firefox and see if I get redirected....

superhacker, I am also going to read your recommendations next....

superhacker
Re: think it was think point...
« Reply #9 on: November 13, 2010, 04:03:12 PM »
No problem; all the helpers here care about your system, not the order of following ;)

B_in Ohio (Guest)
Re: think it was think point...
« Reply #10 on: November 13, 2010, 04:11:11 PM »
Rebooted, and Firefox will not start... IE8 seems to load pages without redirects (I tried going to some of the same websites that it redirected me from: Google, a search for CNET, Major Geeks, etc.). Well, about 3 mins elapsed and a threat was just blocked (a redirect). Aaaaaarrrrgh!

How else can I check and see if my system is clean? Will TDSSKiller find issues with other programs installed, or should I just give it a go? And where do I get the TDSS program, from your link or CNET?

coolsilver (Guest)
Re: think it was think point...
« Reply #11 on: November 13, 2010, 04:13:32 PM »
This is the same malware I have been fighting for two weeks on multiple customer machines.

System scans end up clean but TDSSKiller shows an infection. Remove the MBR infection and 30 minutes later it is infected again.

Only F-Secure seems to detect a single file, tempb.exe, in the Network Service and Local Service profiles; other than that it's about as worthless.

B_in Ohio (Guest)
Re: think it was think point...
« Reply #12 on: November 13, 2010, 04:17:00 PM »
I did a restore to a restore point from a couple of days ago and that did not help; it seemed to still be locked up, etc. Maybe I did not go back far enough.

coolsilver (Guest)
Re: think it was think point...
« Reply #13 on: November 13, 2010, 04:22:46 PM »
Most viruses and malware infect the system restore points. It may have helped with some damaged system files.

B_in Ohio (Guest)
Re: think it was think point...
« Reply #14 on: November 13, 2010, 04:31:08 PM »
Here is the TDSS log...

2010/11/13 10:18:55.0453   TDSS rootkit removing tool 2.4.7.0 Nov  8 2010 10:52:22
2010/11/13 10:18:55.0453   ================================================================================
2010/11/13 10:18:55.0453   SystemInfo:
2010/11/13 10:18:55.0453   
2010/11/13 10:18:55.0453   OS Version: 5.1.2600 ServicePack: 3.0
2010/11/13 10:18:55.0453   Product type: Workstation
2010/11/13 10:18:55.0453   ComputerName: ALESIA
2010/11/13 10:18:55.0453   UserName: hp
2010/11/13 10:18:55.0453   Windows directory: C:\WINDOWS
2010/11/13 10:18:55.0453   System windows directory: C:\WINDOWS
2010/11/13 10:18:55.0453   Processor architecture: Intel x86
2010/11/13 10:18:55.0453   Number of processors: 2
2010/11/13 10:18:55.0453   Page size: 0x1000
2010/11/13 10:18:55.0453   Boot type: Normal boot
2010/11/13 10:18:55.0453   ================================================================================
2010/11/13 10:18:55.0921   Initialize success
2010/11/13 10:19:14.0843   ================================================================================
2010/11/13 10:19:14.0843   Scan started
2010/11/13 10:19:14.0843   Mode: Manual;
2010/11/13 10:19:14.0843   ================================================================================
2010/11/13 10:19:15.0578   Accelerometer   (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2010/11/13 10:19:15.0656   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/13 10:19:15.0718   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/13 10:19:15.0812   ADIHdAudAddService (fcc90e9aeb5aaa1fc39ab4d7ff163e39) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/11/13 10:19:15.0890   AEAudio         (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/11/13 10:19:15.0953   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/13 10:19:16.0031   AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/13 10:19:16.0375   AliIde          (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/11/13 10:19:16.0500   Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/13 10:19:16.0843   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/13 10:19:16.0890   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/13 10:19:16.0984   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/13 10:19:17.0062   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/13 10:19:17.0140   Avgfwdx         (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2010/11/13 10:19:17.0156   Avgfwfd         (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2010/11/13 10:19:17.0250   AVGIDSDriver    (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2010/11/13 10:19:17.0359   AVGIDSEH        (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2010/11/13 10:19:17.0421   AVGIDSFilter    (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2010/11/13 10:19:17.0453   AVGIDSShim      (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2010/11/13 10:19:17.0515   Avgldx86        (1119e5bec6e749e0d292f0f84d48edba) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2010/11/13 10:19:17.0578   Avgmfx86        (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2010/11/13 10:19:17.0640   Avgrkx86        (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2010/11/13 10:19:17.0703   Avgtdix         (2fd3e3a57fb90679a3a83eeed0360cfd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2010/11/13 10:19:17.0890   BCM43XX         (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/11/13 10:19:17.0984   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/13 10:19:18.0171   btaudio         (5bcf6090b825def29065bdbd59691dbe) C:\WINDOWS\system32\drivers\btaudio.sys
2010/11/13 10:19:18.0250   BTDriver        (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/11/13 10:19:18.0359   BTKRNL          (ef5e0de0a7ca2977a9255f36f4d915ab) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/11/13 10:19:18.0437   BTWUSB          (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/11/13 10:19:18.0500   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/13 10:19:18.0562   CCDECODE        (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/13 10:19:18.0734   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/13 10:19:18.0765   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/13 10:19:18.0828   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/13 10:19:18.0937   CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/13 10:19:19.0015   Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/13 10:19:19.0234   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/13 10:19:19.0343   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/13 10:19:19.0406   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/13 10:19:19.0453   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/13 10:19:19.0531   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/13 10:19:19.0687   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/13 10:19:19.0796   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/13 10:19:19.0859   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/13 10:19:19.0921   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/13 10:19:19.0984   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/13 10:19:20.0046   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/13 10:19:20.0171   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/13 10:19:20.0234   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/13 10:19:20.0390   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/13 10:19:20.0546   HBtnKey         (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/11/13 10:19:20.0609   HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/13 10:19:20.0718   HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/13 10:19:20.0812   hpdskflt        (9f620e11b80b74f4dab50a81a5df357f) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2010/11/13 10:19:20.0984   HpqKbFiltr      (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
2010/11/13 10:19:21.0078   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/13 10:19:21.0203   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/13 10:19:21.0484   ialm            (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/11/13 10:19:21.0781   iaStor          (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/11/13 10:19:21.0968   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/13 10:19:22.0171   IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/13 10:19:22.0265   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/13 10:19:22.0312   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/13 10:19:22.0375   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/13 10:19:22.0421   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/13 10:19:22.0484   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/13 10:19:22.0531   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/13 10:19:22.0578   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/13 10:19:22.0734   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/13 10:19:22.0796   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/13 10:19:22.0843   kbdhid          (9ef487a186dea361aa06913a75b3fa99)

continued...